Recently, we had an incident response involving the malware DNSPIONAGE.

At CERT-OPMD, we thought it would be interesting to share our observations.

Mainly, we could observe quietly common actions and tools as described in infography below.


In this blogpost, we will not describe and analyse again the dropper, because Talos did a great job here : https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

But we will focus in a way on what they could not have seen with their telemetry, and what we could have seen during our investigation.

The screenshot above is what we are talking about here.

Talos observed two domains during the analysis :

  • hr-suncor[.]com
  • hr-wipro[.]com

And they did obtained the “Suncor” dropper.

During investigation we were targeted by Wipro document (cf. screenshot below):

Some Google reverted search on image, shows us where the attackers get this image below (spoiler: on legit wipro.com website, see screenshot below).

Ok, so now we are aware that they wanted to do some really advanced spear phishing.

During our investigation, we had the chance to speak with very comprehensive users, who remembered weird things that happened to them.

He remembered he was speaking with a HR from Wipro on linkedin for few days before the attack.

We hid the identity of the linkedin account because we are assuming it’s a real person behind it, whom may have it’s account stolen. 

“Hopefully”, the users infected were technical IT guys, so it was easy to be understood by them while talking about “phishing”, “spear phishing via social media”, etc.

We hope these datas will help you to understand how DNSPIONAGE infects people

For more, click here.