DNSpionage

By GoldSparrow in Malware

A recent attack revealed a new RAT (Remote Administration Tool), which was employed in a campaign against two high-profile targets: a Lebanese airline company and UAE government institutions. The tool used in the campaign was given the name DNSpionage. The attackers have not left us any clues to figure out who they are, where they come from, or what their final goal is. The tools used in this high-end attack have never been identified before.

It is important to note that this unknown hacker group did not use one tool only. Alongside DNSpionage, the attackers also carried out a well-planned and brilliantly executed DNS hijacking attack. This means that users attempting to access websites associated with the two targets were redirected, without their knowledge, to websites created by the hacking group instead. It is assumed that the attackers were after sensitive data that users would enter on the fake website set up by the crooks, all while believing that they were dealing with the legitimate website they wanted to access in the first place.

It is believed that the victims are selected and are likely sent an email that poses as a legitimate message from a company looking to hire staff. The victim is then directed to a bogus website, which presents itself as the original website of the company in question. On the fraudulent Web page, the victim is urged to download an employment form, which is a macro-laced document containing DNSpionage. It is not clear if spear-phishing emails are the only trick the attackers have up their sleeves. It is possible that they might contact their targets directly by using the social media platform LinkedIn, thus making the offer seem more serious.

The malicious macro script embedded in the Office document is executed as soon as the user attempts to view the file and falls for the social engineering trick used to manipulate them into agreeing to enable 'macro scripts.' When this happens, the file might display the content of the employment form, but it will also execute the script in the background and drop DNSpionage on the targeted computer. In addition, the script can create a new scheduled task, which ensures that DNSpionage will run whenever Windows starts. Such behavior will not catch the attention of the average computer user, and they may never find out that what they saw as an opportunistic job offer was a clever attack on their network's security.
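One way a defender could hunt for the behavior described above, an Office document open followed by scheduled task creation, shown as an added example that is not part of the original article. The event schema, hosts, users, task names, paths, and the five-minute window are constructed assumptions, and the article does not say how the macro registers its task, so both a spawned `schtasks.exe` and a task-creation audit event are checked.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed, normalized events (not from the article). "process" mirrors
# Sysmon Event ID 1 fields; "task_created" mirrors Security Event ID 4698.
SAMPLE_EVENTS = [
    {"type": "process", "time": "2024-01-10T09:00:05", "host": "WS01", "user": "alice",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'WINWORD.EXE "C:\Users\alice\Downloads\form.doc"'},
    {"type": "task_created", "time": "2024-01-10T09:00:40", "host": "WS01", "user": "alice",
     "task_name": r"\ExampleTask", "action": r"C:\Users\alice\example.exe"},
    {"type": "process", "time": "2024-01-10T09:10:00", "host": "WS02", "user": "bob",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "ExampleTask" /tr "C:\Users\bob\example.exe" /sc onstart'},
    {"type": "task_created", "time": "2024-01-10T09:20:00", "host": "WS03", "user": "carol",
     "task_name": r"\BackupJob", "action": r"C:\Tools\backup.exe"},   # no Office activity
    {"type": "task_created", "time": "2024-01-10T10:30:00", "host": "WS01", "user": "alice",
     "task_name": r"\LaterTask", "action": r"C:\Tools\sync.exe"},     # outside the window
]

def find_suspicious_tasks(events):
    """Return (reason, event) pairs for task creation tied to an Office process."""
    findings, last_office = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev["user"])
        if ev["type"] == "process":
            image = basename(ev["image"]).lower()
            parent = basename(ev["parent_image"]).lower()
            if image in OFFICE:
                last_office[key] = when  # remember the latest Office launch
            if (parent in OFFICE and image == "schtasks.exe"
                    and "/create" in ev["command_line"].lower()):
                findings.append(("office_spawned_schtasks", ev))
        elif ev["type"] == "task_created":
            seen = last_office.get(key)
            if seen is not None and when - seen <= WINDOW:
                findings.append(("task_after_office_launch", ev))
    return findings

if __name__ == "__main__":
    for reason, ev in find_suspicious_tasks(SAMPLE_EVENTS):
        print(reason, ev["host"], ev["user"], ev["time"])
```

The time-window rule is a heuristic and will also flag legitimate tasks created shortly after an Office launch, so findings need triage against the task's action path.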

Users online need to stay ever vigilant and double-check any email attachments or links they click on. If something seems off, chances are it is. Falling for such tricks can cost you dearly.
