From be9b4ff40f69abec33c1c7ee3a6422943b0dd766 Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Thu, 29 Nov 2018 16:38:06 +0100
Subject: [PATCH] add DNSpionage cluster

---
 clusters/threat-actor.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 10db40c..33489c7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6028,7 +6028,17 @@
       },
       "uuid": "658314bc-3bb8-48d2-913a-c528607b75c8",
       "value": "INDRIK SPIDER"
+    },
+    {
+      "description": "Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.\nBased on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling \"DNSpionage,\" supports HTTP and DNS communication with the attackers.\nIn a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for TLS free of charge to the user. We don't know at this time if the DNS redirections were successful.\nIn this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as \"help wanted\" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.",
+      "meta": {
+        "refs": [
+          "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html"
+        ]
+      },
+      "uuid": "608a903a-8145-4fd1-84bc-235e278480bf",
+      "value": "DNSpionage"
     }
   ],
-  "version": 81
+  "version": 82
 }