
DNSpionage DNS Hijacking Campaign

Cisco Talos has discovered a new large-scale Domain Name System (DNS) hijacking campaign, known as DNSpionage, that targets government, infrastructure and telecommunications organisations. Believed to be operated by an unaffiliated advanced persistent threat group, the campaign originally targeted specific organisations in the Middle East, but incidents have now been seen across Europe, North Africa and North America as well.

DNSpionage uses three techniques to compromise domains:

  • DNS A Record Hijacking – The threat actors use previously compromised credentials to access the DNS provider’s administration tools, at which point they alter the A record to associate the target domain with a threat actor-owned IP address. They will then generate a proxy to mirror the target domain, as well as a load balancer to pass traffic from the original IP address to the new address. A new TLS certificate is then issued to the domain using Let’s Encrypt to prevent browser security warnings from notifying users.
  • DNS NS record hijacking – This technique is functionally similar to the first, however, the threat actors exploit a previously compromised country-code top-level domain (ccTLD) or registrar to alter the NS records instead of the A record.
  • DNS redirection – The third technique makes use of the altered A and NS records to redirect users. If a DNS request arrives at an actor-controlled IP address, it is redirected to the actor’s proxy; if the request is for a legitimate DNS server, it is passed on to the legitimate address.

Once the threat actors have control of the right DNS records, they may use the related domains to host malicious files or content, perform man-in-the-middle attacks, collect user credentials or redirect users to actor-controlled infrastructure for further compromise.
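A defender's counterpart to the three techniques above is to compare a zone's live A and NS records, and the certificate issuer it serves, against a known-good baseline. The following is an added example (not Cisco Talos's or the post author's code); every hostname, address and issuer in it is constructed for illustration, and in practice the observed values would come from an external resolver and the served TLS certificate.

```python
"""Baseline-drift check for DNS A/NS record hijacking (added example).
All hostnames, addresses and CA names below are constructed test data."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Baseline:
    a_records: set        # IPs the hostname should resolve to
    ns_records: set       # authoritative name servers on file at the registrar
    allowed_nets: list    # networks the organisation legitimately uses
    cert_issuers: set     # CAs expected to issue for this hostname


def check_zone(name, observed, baseline):
    """Return (severity, message) findings for records that left the baseline."""
    findings = []
    # Technique 1: A record repointed to an address outside the organisation.
    for ip in sorted(set(observed.get("A", [])) - baseline.a_records):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in baseline.allowed_nets):
            findings.append(("info", f"{name}: A record {ip} changed within allowed ranges"))
        else:
            findings.append(("high", f"{name}: A record {ip} is outside allowed ranges"))
    # Technique 2: NS delegation changed at the registrar or ccTLD.
    for ns in sorted(set(observed.get("NS", [])) - baseline.ns_records):
        findings.append(("high", f"{name}: unexpected NS record {ns}"))
    # A certificate from an unexpected CA often follows a successful hijack.
    issuer = observed.get("cert_issuer")
    if issuer and issuer not in baseline.cert_issuers:
        findings.append(("medium", f"{name}: certificate issued by {issuer!r}"))
    return findings


# Constructed sample data (RFC 5737 test addresses, reserved .test names).
BASELINE = Baseline(
    a_records={"203.0.113.10"},
    ns_records={"ns1.example-dns.test", "ns2.example-dns.test"},
    allowed_nets=[ipaddress.ip_network("203.0.113.0/24")],
    cert_issuers={"Example Corporate CA"},
)
NS_OK = ["ns1.example-dns.test", "ns2.example-dns.test"]
OBSERVED_CLEAN = {"A": ["203.0.113.10"], "NS": NS_OK, "cert_issuer": "Example Corporate CA"}
OBSERVED_HIJACKED = {"A": ["198.51.100.7"], "NS": NS_OK, "cert_issuer": "Some Public CA"}

if __name__ == "__main__":
    for label, obs in (("clean", OBSERVED_CLEAN), ("hijacked", OBSERVED_HIJACKED)):
        print(label, check_zone("mail.example.test", obs, BASELINE))
```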

Snort rules 48444 and 48445 will prevent DNSpionage from making an outbound connection.

Affected Platforms:

  • DNS servers

Indicators of Compromise (IOCs)

The following IOCs are associated with various malware distribution campaigns that were observed during the analysis of associated malicious activity.


Duncan

Duncan is a technology professional with over 20 years’ experience working in various IT roles. He has an interest in cyber security and a wide range of other skills in radio, electronics and telecommunications.
