SYMBOLCOMMON_NAMEaka. SYNONYMS

DNSpionage  (Back to overview)

aka: COBALT EDGEWATER

Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks. Based on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling "DNSpionage," supports HTTP and DNS communication with the attackers. In a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for TLS free of charge to the user. We don't know at this time if the DNS redirections were successful. In this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as "help wanted" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.


Associated Families
win.karkoff win.dnspionage

References
2023-02-02Trend MicroMahmoud Zohdy, Mohamed Fahmy, Sherif Magdy
New APT34 Malware Targets The Middle East
Karkoff RedCap Saitama Backdoor
2021-06-16VenustechADLab
APT34 organization latest in-depth analysis report on attack activities
Karkoff
2021-04-08CheckpointCheck Point Research
Iran’s APT34 Returns with an Updated Arsenal
DNSpionage SideTwist TONEDEAF
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-03-02TelsyTelsy
APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants
Karkoff
2020-03-02YoroiZLAB-Yoroi
Karkoff 2020: a new APT34 espionage operation involves Lebanon Government
Karkoff
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-01SecureworksSecureWorks
COBALT EDGEWATER
DNSpionage Karkoff DNSpionage
2019-11-09NSFOCUSMina Hao
APT34 Event Analysis Report
BONDUPDATER DNSpionage
2019-11-07Virus BulletinPaul Rascagnères, Warren Mercer
DNS on Fire
DNSpionage Sea Turtle
2019-11-07Virus BulletinPaul Rascagnères, Warren Mercer
DNS on FIre
DNSpionage Sea Turtle
2019-08-22CywareCyware
APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations
TwoFace BONDUPDATER POWRUNER QUADAGENT Helminth ISMAgent Karkoff LONGWATCH OopsIE PICKPOCKET RGDoor VALUEVAULT
2019-04-23TalosPaul Rascagnères, Warren Mercer
DNSpionage brings out the Karkoff
DNSpionage Karkoff DNSpionage
2019-04-23Marco Ramilli
APT34: webmask project
DNSpionage
2019-02-18KrebsOnSecurityBrian Krebs
A Deep Dive on the Recent Widespread DNS Hijacking Attacks
DNSpionage
2019-02-13US-CERTUS-CERT
Alert (AA19-024A): DNS Infrastructure Hijacking Campaign
DNSpionage
2019-01-25CrowdStrikeMatt Dahl
Widespread DNS Hijacking Activity Targets Multiple Sectors
DNSpionage
2019-01-10CERT-OPMDCERT-OPMD
[DNSPIONAGE] – Focus on internal actions
DNSpionage
2019-01-10FireEyeBen Read, Muks Hirani, Sarah Jones
Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
DNSpionage DNSpionage
2019-01-09MandiantBen Read, Muks Hirani, Sarah Jones
Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
DNSpionage Sea Turtle
2018-11-27Cisco TalosPaul Rascagnères, Warren Mercer
DNSpionage Campaign Targets Middle East
DNSpionage DNSpionage
2015-09-17F-SecureF-Secure Global
The Dukes: 7 Years Of Russian Cyber-Espionage
TwoFace BONDUPDATER DNSpionage

Credits: MISP Project