
DNSpionage

aka: COBALT EDGEWATER

Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuously as possible during their attacks. Based on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling "DNSpionage," supports HTTP and DNS communication with the attackers. In a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. Let's Encrypt provides X.509 certificates for TLS free of charge to the user. We don't know at this time if the DNS redirections were successful. In this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as "help wanted" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.


Associated Families
win.karkoff win.dnspionage

References
2023-02-02 | Trend Micro | Mohamed Fahmy, Sherif Magdy, Mahmoud Zohdy
@online{fahmy:20230202:new:7d997ea,
  author = {Mohamed Fahmy and Sherif Magdy and Mahmoud Zohdy},
  title = {{New APT34 Malware Targets The Middle East}},
  date = {2023-02-02},
  organization = {Trend Micro},
  url = {https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html},
  language = {English},
  urldate = {2023-02-03}
}
Karkoff RedCap Saitama Backdoor
2021-06-16 | Venustech | ADLab
@online{adlab:20210616:apt34:4697e7c,
  author = {ADLab},
  title = {{APT34 organization latest in-depth analysis report on attack activities}},
  date = {2021-06-16},
  organization = {Venustech},
  url = {https://mp.weixin.qq.com/s/o_EVjBVN2sQ1q7cl4rUXoQ},
  language = {Chinese},
  urldate = {2021-06-21}
}
Karkoff
2021-04-08 | Checkpoint | Check Point Research
@online{research:20210408:irans:127f349,
  author = {Check Point Research},
  title = {{Iran’s APT34 Returns with an Updated Arsenal}},
  date = {2021-04-08},
  organization = {Checkpoint},
  url = {https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/},
  language = {English},
  urldate = {2021-04-09}
}
DNSpionage SideTwist TONEDEAF
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0,
  author = {PWC UK},
  title = {{Cyber Threats 2019: A Year in Retrospect}},
  date = {2020-03-03},
  institution = {PWC UK},
  url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
  language = {English},
  urldate = {2020-03-03}
}
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-03-02 | Telsy | Telsy
@online{telsy:20200302:apt34:ded8bcd,
  author = {Telsy},
  title = {{APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants}},
  date = {2020-03-02},
  organization = {Telsy},
  url = {https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/},
  language = {English},
  urldate = {2020-03-03}
}
Karkoff
2020-03-02 | Yoroi | ZLAB-Yoroi
@online{zlabyoroi:20200302:karkoff:a43fe0f,
  author = {ZLAB-Yoroi},
  title = {{Karkoff 2020: a new APT34 espionage operation involves Lebanon Government}},
  date = {2020-03-02},
  organization = {Yoroi},
  url = {https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/},
  language = {English},
  urldate = {2020-03-03}
}
Karkoff
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333,
  author = {Qi Anxin Threat Intelligence Center},
  title = {{APT Report 2019}},
  date = {2020-02-13},
  institution = {Qianxin},
  url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
  language = {English},
  urldate = {2020-02-27}
}
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:cobalt:4d136fa,
  author = {SecureWorks},
  title = {{COBALT EDGEWATER}},
  date = {2020},
  organization = {Secureworks},
  url = {https://www.secureworks.com/research/threat-profiles/cobalt-edgewater},
  language = {English},
  urldate = {2020-05-23}
}
DNSpionage Karkoff DNSpionage
2019-11-09 | NSFOCUS | Mina Hao
@online{hao:20191109:apt34:550c673,
  author = {Mina Hao},
  title = {{APT34 Event Analysis Report}},
  date = {2019-11-09},
  organization = {NSFOCUS},
  url = {https://nsfocusglobal.com/apt34-event-analysis-report/},
  language = {English},
  urldate = {2020-03-09}
}
BONDUPDATER DNSpionage
2019-11-07 | Virus Bulletin | Warren Mercer, Paul Rascagnères
@online{mercer:20191107:dns:cd6b2d9,
  author = {Warren Mercer and Paul Rascagnères},
  title = {{DNS on Fire}},
  date = {2019-11-07},
  organization = {Virus Bulletin},
  url = {https://www.youtube.com/watch?v=ws1k44ZhJ3g},
  language = {English},
  urldate = {2023-08-11}
}
DNSpionage
2019-11-07 | Virus Bulletin | Warren Mercer, Paul Rascagnères
@techreport{mercer:20191107:dns:fd516d8,
  author = {Warren Mercer and Paul Rascagnères},
  title = {{DNS on Fire}},
  date = {2019-11-07},
  institution = {Virus Bulletin},
  url = {https://www.virusbulletin.com/uploads/pdf/magazine/2019/VB2019-Mercer-Rascagneres.pdf},
  language = {English},
  urldate = {2023-08-11}
}
DNSpionage
2019-08-22 | Cyware | Cyware
@online{cyware:20190822:apt34:3439fde,
  author = {Cyware},
  title = {{APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations}},
  date = {2019-08-22},
  organization = {Cyware},
  url = {https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae},
  language = {English},
  urldate = {2021-06-29}
}
TwoFace BONDUPDATER POWRUNER QUADAGENT Helminth ISMAgent Karkoff LONGWATCH OopsIE PICKPOCKET RGDoor VALUEVAULT
2019-04-23 | Talos | Warren Mercer, Paul Rascagnères
@online{mercer:20190423:dnspionage:509e055,
  author = {Warren Mercer and Paul Rascagnères},
  title = {{DNSpionage brings out the Karkoff}},
  date = {2019-04-23},
  organization = {Talos},
  url = {https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html},
  language = {English},
  urldate = {2019-12-20}
}
DNSpionage Karkoff DNSpionage
2019-04-23 | Marco Ramilli
@online{ramilli:20190423:apt34:e1a7022,
  author = {Marco Ramilli},
  title = {{APT34: webmask project}},
  date = {2019-04-23},
  url = {https://marcoramilli.com/2019/04/23/apt34-webmask-project/},
  language = {English},
  urldate = {2019-11-29}
}
DNSpionage
2019-02-18 | KrebsOnSecurity | Brian Krebs
@online{krebs:20190218:deep:0f75439,
  author = {Brian Krebs},
  title = {{A Deep Dive on the Recent Widespread DNS Hijacking Attacks}},
  date = {2019-02-18},
  organization = {KrebsOnSecurity},
  url = {https://krebsonsecurity.com/tag/dnspionage/},
  language = {English},
  urldate = {2019-11-29}
}
DNSpionage
2019-02-13 | US-CERT | US-CERT
@online{uscert:20190213:alert:6eb6b3e,
  author = {US-CERT},
  title = {{Alert (AA19-024A): DNS Infrastructure Hijacking Campaign}},
  date = {2019-02-13},
  organization = {US-CERT},
  url = {https://www.us-cert.gov/ncas/alerts/AA19-024A},
  language = {English},
  urldate = {2020-01-09}
}
DNSpionage
2019-01-25 | CrowdStrike | Matt Dahl
@online{dahl:20190125:widespread:48d15a3,
  author = {Matt Dahl},
  title = {{Widespread DNS Hijacking Activity Targets Multiple Sectors}},
  date = {2019-01-25},
  organization = {CrowdStrike},
  url = {https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/},
  language = {English},
  urldate = {2019-12-20}
}
DNSpionage
2019-01-10 | FireEye | Muks Hirani, Sarah Jones, Ben Read
@online{hirani:20190110:global:a53ec6a,
  author = {Muks Hirani and Sarah Jones and Ben Read},
  title = {{Global DNS Hijacking Campaign: DNS Record Manipulation at Scale}},
  date = {2019-01-10},
  organization = {FireEye},
  url = {https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html},
  language = {English},
  urldate = {2019-12-20}
}
DNSpionage DNSpionage
2019-01-10 | CERT-OPMD | CERT-OPMD
@online{certopmd:20190110:dnspionage:88c7100,
  author = {CERT-OPMD},
  title = {{[DNSPIONAGE] – Focus on internal actions}},
  date = {2019-01-10},
  organization = {CERT-OPMD},
  url = {https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/},
  language = {English},
  urldate = {2020-01-09}
}
DNSpionage
2019-01-09 | Mandiant | Muks Hirani, Sarah Jones, Ben Read
@online{hirani:20190109:global:a8835bb,
  author = {Muks Hirani and Sarah Jones and Ben Read},
  title = {{Global DNS Hijacking Campaign: DNS Record Manipulation at Scale}},
  date = {2019-01-09},
  organization = {Mandiant},
  url = {https://www.mandiant.com/resources/blog/global-dns-hijacking-campaign-dns-record-manipulation-at-scale},
  language = {English},
  urldate = {2023-08-11}
}
DNSpionage
2018-11-27 | Cisco Talos | Warren Mercer, Paul Rascagnères
@online{mercer:20181127:dnspionage:7f0b0f3,
  author = {Warren Mercer and Paul Rascagnères},
  title = {{DNSpionage Campaign Targets Middle East}},
  date = {2018-11-27},
  organization = {Cisco Talos},
  url = {https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html},
  language = {English},
  urldate = {2020-05-18}
}
DNSpionage DNSpionage
2015-09-17 | F-Secure | F-Secure Global
@online{global:20150917:dukes:5dc47f5,
  author = {F-Secure Global},
  title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}},
  date = {2015-09-17},
  organization = {F-Secure},
  url = {https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/},
  language = {English},
  urldate = {2020-01-09}
}
TwoFace BONDUPDATER DNSpionage

Credits: MISP Project