DNSpionage malware targets websites in Lebanon and the United Arab Emirates

Cisco’s Talos Intelligence Group disclosed a new espionage campaign targeting government and private domains in Lebanon and the United Arab Emirates (UAE). The malware, dubbed ‘DNSpionage’ by Cisco Talos, supports HTTP and DNS communication with the attackers. The targeted operation hinged on two different campaigns hosted on the same server: 1) circulating fake job websites which run malicious code when downloaded, and 2) redirecting .gov domains administered by the Lebanese Ministry of Finance, Middle Eastern Airlines, and the UAE’s Telecommunications Regulation Authority (TRA). According to Warren Mercer and Paul Rascagneres at Cisco Talos, the attackers targeted email and VPN traffic to collect email usernames, passwords, and VPN credentials. Both campaigns were run by the same actor, but the actor’s location and motivation were not identified.