The hacking group behind the DNSpionage campaign have become more choosy in their targets and have released a new form of malware to further their goals.
DNSpionage, first discovered in late 2018 by Cisco Talos, utilizes fake websites and specializes in DNS tampering to redirect traffic from legitimate domains to malicious ones. The threat actors also make use of free Let’s Encrypt security certificates for redirected domains.
Past attacks have been detected against private Lebanese targets including an airline, alongside government domains used by Lebanon and the United Arab Emirates (UAE).
The group has now created a new remote administration tool that supports HTTP and DNS communication with their command-and-control (C2) server, according to a new Talos blog post published on Tuesday.