
DNSpionage

Posted: April 19, 2019

DNSpionage is a Remote Access Trojan that gives threat actors system-controlling capabilities over a network connection. Its use correlates strongly with DNS-hijacking campaigns that are infiltrating various business and government systems throughout the Middle East. Users should keep their anti-malware products available for removing DNSpionage and be careful about interactions with infection vectors like strange Word documents.

The Domain Name System's Conversion to Spying

Although cyber-security reports may use the label loosely to refer to the hackers behind the campaign, or to the campaign itself, DNSpionage is properly the name of a Remote Access Trojan running wild throughout the Middle East. Its back-end implies significant training on the part of the threat actors, who have substantial familiarity with the DNS structure of the Web and its associated companies and services. They're using this knowledge to enable DNSpionage attacks, which give them control over the system and possibilities for stealing confidential information.

DNSpionage's threat actors have been compromising DNS companies like the Packet Clearing House and the Netnod Internet Exchange to gain access to their TLS certificate-issuing processes. In some cases, their attacks even overcome DNSSEC security measures, although not in every instance. Acquiring digital certificates lets them disguise their payloads and redirect traffic from legitimate sites to their own.
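The hijacking described above works by changing what a domain's records point to. The defender-side check that follows is an added example, not code from this page or from any DNSpionage analysis: it compares the A records a resolver returns for an operator's own hosts against a known-good baseline and reports any host whose addresses have drifted. The host names, addresses and the observed sample are constructed; `resolve_a` is a helper for live use through the system resolver, while `diff_records` is the pure comparison that a monitoring job would run on a schedule.

```python
"""Baseline check for DNS hijacking: compare the records a resolver returns
for your own hosts against a known-good baseline.  Added example, not
DNSpionage code; all domains, addresses and the sample observation are
constructed."""
import socket
from typing import Dict, List, Set

# Constructed baseline: the addresses an operator expects its own zone to
# resolve to.  In practice this comes from the zone file or a change ticket.
EXPECTED_A: Dict[str, Set[str]] = {
    "mail.example.test": {"198.51.100.25"},
    "vpn.example.test": {"198.51.100.40", "198.51.100.41"},
}


def diff_records(expected: Dict[str, Set[str]],
                 observed: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per host whose observed records differ from the
    baseline.  An unexpected address is the hijack signal: traffic for the
    mail or VPN host being steered to infrastructure the operator never
    configured.  A missing address is reported too, because a hijack can also
    remove a record rather than add one."""
    findings: List[dict] = []
    for host, want in expected.items():
        got = observed.get(host, set())
        if got != want:
            findings.append({
                "host": host,
                "unexpected": sorted(got - want),
                "missing": sorted(want - got),
            })
    return findings


def resolve_a(host: str) -> Set[str]:
    """Live IPv4 lookup through the system resolver.  Returns an empty set
    when the name does not resolve, which diff_records then reports as
    missing records.  Not used by the offline test."""
    try:
        infos = socket.getaddrinfo(host, None, family=socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_live(expected: Dict[str, Set[str]]) -> List[dict]:
    """Resolve every baseline host and diff the result against the baseline."""
    observed = {host: resolve_a(host) for host in expected}
    return diff_records(expected, observed)


if __name__ == "__main__":
    # Constructed observation: the VPN host has gained an unknown address and
    # lost one of its legitimate ones.
    observed_sample = {
        "mail.example.test": {"198.51.100.25"},
        "vpn.example.test": {"203.0.113.7", "198.51.100.40"},
    }
    for finding in diff_records(EXPECTED_A, observed_sample):
        print(finding)
```

Because the comparison takes plain sets, the same `diff_records` works for any record type you can observe (NS or MX records from a full DNS client, for instance); querying from more than one vantage point catches hijacks that only affect some resolvers.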

Despite the advancements in its campaign, malware experts link DNSpionage infections to an almost laughably generic infection method: macros in Word documents. The criminals are using unknown means of circulating the documents, which are copies of content like Suncor job applications. Once the user enables it, the embedded macro triggers a series of steps that end with DNSpionage infecting the computer and giving the attacker undetectable control over it.

The Counterplay to Network-Hijacking Espionage

While malware researchers haven't finished analyzing all of DNSpionage's features, it doesn't seem to be a variant of any known RAT, whether a for-hire black market product or an open-source project on GitHub. Both the installation process and the payload for DNSpionage include some advanced methods of avoiding detection by security tools, such as using a fake Wikipedia page with embedded instructions, HXXP exploits and a DNS-only mode. DNSpionage infections are concentrating on targets in the same parts of the world as its threat actors' other attacks, such as Lebanon and the United Arab Emirates, and may be benefiting from Iranian sponsorship.
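A DNS-only mode means the implant's command traffic is carried inside DNS queries, so the resolver log is where a defender can look for it. The script below is an added example, not part of this page or of any published DNSpionage analysis: it parses constructed resolver log lines and scores each registered domain on traits that DNS-carried command channels tend to share (many queries, every subdomain unique, long high-entropy leading labels, TXT lookups). The log format, thresholds and the `example.invalid` beacon domain are all constructed for the example, and the two-label `registered_domain` helper is a deliberate simplification of the Public Suffix List.

```python
"""Heuristic scoring of DNS-carried command traffic in resolver logs.
Added example, not from the page or from DNSpionage; the log lines, the log
format and every threshold are constructed for illustration."""
import math
import re
from collections import defaultdict
from typing import Dict, List

# Constructed resolver log: "<unix_ts> <client_ip> <qtype> <qname>".
SAMPLE_LOG = """\
1555660000 10.0.0.12 A www.example.test
1555660001 10.0.0.12 A cdn.example.test
1555660002 10.0.0.33 TXT 3f1a9c0e7b2d4e8f6a1c.beacon.example.invalid
1555660003 10.0.0.33 TXT 9e4b7d2a1c6f0e3b8a5d.beacon.example.invalid
1555660004 10.0.0.33 TXT a2c4e6f8b1d3c5e7f9a0.beacon.example.invalid
1555660005 10.0.0.33 TXT 7d1e3f5a9c2b4d6e8f0a.beacon.example.invalid
1555660006 10.0.0.12 A mail.example.test
1555660007 10.0.0.33 TXT c8b6a4d2e0f1a3c5b7d9.beacon.example.invalid
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload labels score high."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude registered-domain extraction: the last two labels.  A real
    deployment should use the Public Suffix List instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({"ts": int(m[1]), "client": m[2],
                         "qtype": m[3].upper(), "qname": m[4].lower()})
    return rows


def score_domains(rows: List[dict], min_queries: int = 4,
                  min_entropy: float = 3.5, min_label_len: int = 16) -> Dict[str, dict]:
    """Aggregate per registered domain and return those matching every
    heuristic: enough queries, no repeated subdomain (cache-busting), long
    leading labels and high average label entropy."""
    stats: Dict[str, dict] = defaultdict(lambda: {
        "queries": 0, "subdomains": set(), "entropy_sum": 0.0,
        "longest_label": 0, "txt_queries": 0, "clients": set()})
    for r in rows:
        dom = registered_domain(r["qname"])
        sub = r["qname"][:-len(dom)].rstrip(".")
        first = sub.split(".")[0] if sub else ""
        st = stats[dom]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["entropy_sum"] += shannon_entropy(first)
        st["longest_label"] = max(st["longest_label"], len(first))
        st["txt_queries"] += r["qtype"] == "TXT"
        st["clients"].add(r["client"])
    findings = {}
    for dom, st in stats.items():
        avg_entropy = st["entropy_sum"] / st["queries"]
        if (st["queries"] >= min_queries
                and len(st["subdomains"]) == st["queries"]
                and avg_entropy >= min_entropy
                and st["longest_label"] >= min_label_len):
            findings[dom] = {"queries": st["queries"],
                             "avg_entropy": round(avg_entropy, 2),
                             "longest_label": st["longest_label"],
                             "txt_queries": st["txt_queries"],
                             "clients": sorted(st["clients"])}
    return findings


if __name__ == "__main__":
    for dom, info in score_domains(parse_log(SAMPLE_LOG)).items():
        print(dom, info)
```

The heuristic is intentionally noisy: CDNs, anti-spam lookup services and some telemetry use long random-looking labels legitimately, so in production the output feeds an allowlist and an analyst rather than a blocking rule, and the client list tells you which host to pull for the macro-document artifacts the page describes.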

DNSpionage's campaigns are notable for their exfiltration of e-mail credentials and messages, as well as traffic from VPNs (Virtual Private Networks). Workers can protect themselves by never enabling macros from unverified sources, updating their document reader software to the latest versions, implementing strict firewall policies, implementing multi-factor authentication, and watching for any unusual browser behavior that implies a hijacking attempt. Victims should delegate removing DNSpionage to a professional anti-malware service.

DNSpionage's threat actors are putting a somewhat pedestrian class of threat to extraordinary uses, with their associated attacks including the subversion of some of the core business entities running the Internet. It's worth noting, however, that even these campaigns need users to make classic missteps like reading fake job offers to achieve their goals.
