Sat. Jun 6th, 2020

DNSpionage Campaign Evolves to Selectively Target Its Victim

Researchers at Cisco's Talos threat intelligence team have released a new report stating that the actors behind the DNSpionage malware campaign have refined their tactics and techniques, making their attacks more organized, targeted, and sophisticated.


DNSpionage was first documented last November by Cisco Talos. The campaign pairs a remote administration tool (RAT) with DNS hijacking: the attackers alter domain name system (DNS) records so that a domain resolves to an IP address under their control rather than one belonging to the domain's rightful owner. Worse still, the redirection is very hard for end users to spot; even if the domain name is typed correctly in the browser, the victim is still sent to the bogus site, which may look entirely legitimate.


Past DNSpionage attacks have targeted government domains used by Lebanon and the United Arab Emirates (UAE).


Cisco researchers say the group behind the campaign is becoming more selective. Unlike in previous campaigns, the attackers now perform reconnaissance on their victims before infecting them with a new malware dubbed Karkoff. That reconnaissance lets them choose which targets are worth infecting, which in turn helps them remain undetected.


Once a target is chosen, it receives spear-phishing messages carrying malicious Microsoft Word and Microsoft Excel documents. Researchers also note that the malware searches the host for antivirus products, specifically Avira and Avast, and “if one of these security products is installed on the system and identified during the reconnaissance phase, a specific flag will be set, and some options from the configuration file will be ignored.”


What is interesting about the malware, however, is that it generates a log file on the victim's system containing a timestamp for every command it has executed. So if an organization falls victim to Karkoff, responders can use that file to reconstruct exactly what was run and when.


Like the last DNSpionage campaign, the recently discovered attacks also target the Middle Eastern region, including Lebanon and the United Arab Emirates (UAE).


And in response to several public reports of DNS hijacking attacks, the Department of Homeland Security issued an “emergency directive” (Emergency Directive 19-01) to all federal agencies, ordering IT staff to audit the DNS records for their website domains and any other agency-managed domains.
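The audit the directive calls for, and the hijack pattern described earlier in the article, come down to one check: do the records a resolver returns today still match the records the organization published? The script below is an added example written for this page; it is not code from Cisco Talos or from the DNSpionage/Karkoff report. All domain names, IP addresses, and netblocks in it are constructed from documentation ranges, and the "observed" snapshot is a made-up incident, not real resolver output. It flags a record as a suspected hijack when an A record now points outside the organization's own netblocks, or when an NS or MX record has been replaced with an unexpected host, and reports any other deviation as drift.

```python
"""Audit DNS answers against a known-good baseline to catch hijacked records.

Added example for this article; not Talos code. Names, addresses and
netblocks are constructed from documentation ranges (192.0.2.0/24,
198.51.100.0/24, the .example TLD) and do not refer to real infrastructure.
"""
import ipaddress
import socket

# Known-good records, as exported from the authoritative zone or registrar
# account before any incident (constructed baseline for this example).
BASELINE = {
    "example.gov": {
        "NS": {"ns1.example.gov.", "ns2.example.gov."},
        "MX": {"mail.example.gov."},
    },
    "www.example.gov": {"A": {"192.0.2.10", "192.0.2.11"}},
    "mail.example.gov": {"A": {"192.0.2.25"}},
}

# Netblocks the organization legitimately uses (constructed).
OWN_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed snapshot of what a resolver returned during an incident:
# www is untouched, mail.example.gov now resolves to an address outside the
# organization's ranges, and one of the apex NS records has been replaced.
OBSERVED_SNAPSHOT = {
    "example.gov": {
        "NS": {"ns1.example.gov.", "ns9.attacker-controlled.example."},
        "MX": {"mail.example.gov."},
    },
    "www.example.gov": {"A": {"192.0.2.10", "192.0.2.11"}},
    "mail.example.gov": {"A": {"198.51.100.7"}},
}


def resolve_a_records(name):
    """Live IPv4 lookup through the system resolver (stdlib only).

    Not used in the offline run below; in production, call it per name and
    pass the results to audit_zone() as the observed A records.
    """
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}


def outside_own_ranges(values):
    """Return the subset of IPv4 strings that fall outside OWN_NETBLOCKS."""
    rogue = set()
    for value in values:
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue  # not an IP literal (e.g. an NS or MX hostname)
        if not any(addr in net for net in OWN_NETBLOCKS):
            rogue.add(value)
    return rogue


def audit_zone(baseline, observed):
    """Compare observed answers with the baseline, name by name and type by type.

    Returns a list of findings (dicts with name, type, severity, unexpected,
    missing). Severity is 'hijack_suspected' when an A record points outside
    the organization's netblocks or an NS/MX record has been replaced with
    an unexpected host, and 'drift' for any other deviation.
    """
    findings = []
    for name, rtypes in sorted(baseline.items()):
        for rtype, expected in sorted(rtypes.items()):
            seen = set(observed.get(name, {}).get(rtype, set()))
            if seen == expected:
                continue
            unexpected = seen - expected
            missing = expected - seen
            if rtype == "A" and outside_own_ranges(unexpected):
                severity = "hijack_suspected"
            elif rtype in ("NS", "MX") and unexpected:
                severity = "hijack_suspected"  # delegation or mail rerouted
            else:
                severity = "drift"
            findings.append({
                "name": name,
                "type": rtype,
                "severity": severity,
                "unexpected": sorted(unexpected),
                "missing": sorted(missing),
            })
    return findings


def run_example():
    """Audit the constructed incident snapshot against the baseline."""
    return audit_zone(BASELINE, OBSERVED_SNAPSHOT)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['severity']:16} {f['type']:3} {f['name']}: "
              f"unexpected={f['unexpected']} missing={f['missing']}")
```

Run on the constructed snapshot, the audit reports two suspected hijacks (the replaced NS record at the apex and the mail host now pointing at 198.51.100.7) and nothing for www. The baseline should come from the registrar or authoritative zone export, not from a resolver, since the whole point is that a hijacked resolver answer looks normal to anyone who only queries DNS; running the comparison from several vantage points (internal resolver, public resolvers, the authoritative servers directly) also helps catch hijacks done at the registrar versus at a recursive resolver.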