Pulse Detail — Threat Intelligence

PULSE NAME

DNSpionage Campaign Targets Middle East

WHITE DNSpionage AlienVault 2018-11-27 Modified: 2019-04-05

110

IOCs

HIGH VOLUME

Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it Is clear that this adversary spent time understanding the victims AND network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.

Indicators of Compromise (110)

All hostname domain FileHash-SHA256 URL FileHash-SHA1

TYPE	INDICATOR	DESCRIPTION	CREATED
hostname	zto04.0ffice36o.com	—	2018-11-27
hostname	ns1.0ffice36o.com	—	2018-11-27
hostname	ns2.0ffice36o.com	—	2018-11-27
hostname	l5yf.0ffice36o.com	—	2018-11-27
domain	0ffice36o.com	—	2018-11-27
domain	hr-suncor.com	—	2018-11-27
domain	hr-wipro.com	—	2018-11-27
FileHash-SHA256	15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa	—	2018-11-27
FileHash-SHA256	2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec	—	2018-11-27
FileHash-SHA256	45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff	—	2018-11-27
FileHash-SHA256	9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14	—	2018-11-27
FileHash-SHA256	e279985597af22dddf1217ee35a8cffb17d1418ae1b4bae2d9ea79c0c6963a85	—	2018-11-27
URL	http://microsoftonedrive.org/Client/Login?id=NV	—	2018-11-29
domain	dropboxserver.com	—	2018-11-29
domain	microsoftonedrive.org	—	2018-11-29
domain	officeupdates.net	—	2018-11-29
URL	http://hr-wipro.com/New-request.doc	—	2018-12-07
URL	http://hr-suncor.com/Suncor_employment_form.doc.	—	2018-12-07
domain	files-sender.com	—	2018-12-07
domain	perntho.com	—	2018-12-07
domain	tefanie.com	—	2018-12-07
URL	http://hr-wipro.com/	—	2019-01-12
URL	https://hr-wipro.com/	—	2019-01-12
hostname	33yggfduwmd4jnbeuvsbkzfugszvjjiq.0ffice36o.com	—	2019-01-12
hostname	5hnggfduwmrqgq4hy.0ffice36o.com	—	2019-01-12
hostname	af22gbduwaa.0ffice36o.com	—	2019-01-12
hostname	bloigbduwaa.0ffice36o.com	—	2019-01-12
hostname	ckr5gbduwaa.0ffice36o.com	—	2019-01-12
hostname	doh7gfduwmd4jnbeuvsbkzfugszvjjiq.0ffice36o.com	—	2019-01-12
hostname	elfigfduwmrqgq4hy.0ffice36o.com	—	2019-01-12
hostname	fj7kgfduwmd4jnbeuvsbkzfugszvjjiq.0ffice36o.com	—	2019-01-12
hostname	fk58gbduwaa.0ffice36o.com	—	2019-01-12
hostname	fljcgfduwmrqgq4hy.0ffice36o.com	—	2019-01-12
hostname	fulxgbduwaa.0ffice36o.com	—	2019-01-12
hostname	g6iogfduwobwgr6a.0ffice36o.com	—	2019-01-12
hostname	gk6uy.0ffice36o.com	—	2019-01-12
hostname	gk8dl.0ffice36o.com	—	2019-01-12
hostname	gka0c.0ffice36o.com	—	2019-01-12
hostname	gkblz.0ffice36o.com	—	2019-01-12
URL	http://33yggfduwmd4jnbeuvsbkzfugszvjjiq.0ffice36o.com/	—	2019-01-12
URL	http://5hnggfduwmrqgq4hy.0ffice36o.com/	—	2019-01-12
URL	http://af22gbduwaa.0ffice36o.com/	—	2019-01-12
URL	http://bloigbduwaa.0ffice36o.com/	—	2019-01-12
URL	http://ckr5gbduwaa.0ffice36o.com/	—	2019-01-12
URL	http://doh7gfduwmd4jnbeuvsbkzfugszvjjiq.0ffice36o.com/	—	2019-01-12
URL	http://elfigfduwmrqgq4hy.0ffice36o.com/	—	2019-01-12
URL	http://fj7kgfduwmd4jnbeuvsbkzfugszvjjiq.0ffice36o.com/	—	2019-01-12
URL	http://fk58gbduwaa.0ffice36o.com/	—	2019-01-12
URL	http://fljcgfduwmrqgq4hy.0ffice36o.com/	—	2019-01-12
URL	http://fulxgbduwaa.0ffice36o.com/	—	2019-01-12
URL	http://g6iogfduwobwgr6a.0ffice36o.com/	—	2019-01-12
URL	http://gk6uy.0ffice36o.com/	—	2019-01-12
URL	http://gk8dl.0ffice36o.com/	—	2019-01-12
URL	http://gka0c.0ffice36o.com/	—	2019-01-12
URL	http://gkblz.0ffice36o.com/	—	2019-01-12
URL	https://fulxgbduwaa.0ffice36o.com/	—	2019-01-12
URL	https://gk6uy.0ffice36o.com/	—	2019-01-12
URL	https://gk8dl.0ffice36o.com/	—	2019-01-12
URL	https://gkblz.0ffice36o.com/	—	2019-01-12
URL	http://hr-suncor.com/	—	2019-01-12
URL	http://hr-suncor.com/Suncor_employment_form.doc	—	2019-01-12
URL	https://hr-suncor.com/	—	2019-01-12
hostname	48rsgbduwga.microsoftonedrive.org	—	2019-01-12
hostname	536dgbduwiq.microsoftonedrive.org	—	2019-01-12
hostname	5df4gbduwuq.microsoftonedrive.org	—	2019-01-12
hostname	6vzygbduwxq.microsoftonedrive.org	—	2019-01-12
hostname	b2kxgbduwri.microsoftonedrive.org	—	2019-01-12
hostname	jzlanh5toitbumakspt2wzfbblmwswxownmtmlymkrijvppzzstwy8kptcgjzla.microsoftonedrive.org	—	2019-01-12
hostname	k1bfgbduxby.microsoftonedrive.org	—	2019-01-12
hostname	ki1kgbduw5i.microsoftonedrive.org	—	2019-01-12
hostname	otlogbduwfi.microsoftonedrive.org	—	2019-01-12
hostname	prk1gbduwuy.microsoftonedrive.org	—	2019-01-12
hostname	prtsgbduw3y.microsoftonedrive.org	—	2019-01-12
hostname	rdmxgbduw3i.microsoftonedrive.org	—	2019-01-12
hostname	t2a2gbduwfa.microsoftonedrive.org	—	2019-01-12
hostname	tpqjgbduwci.microsoftonedrive.org	—	2019-01-12
hostname	v3hugbduwji.microsoftonedrive.org	—	2019-01-12
hostname	wwawgbduw6a.microsoftonedrive.org	—	2019-01-12
hostname	xjrqgbduwli.microsoftonedrive.org	—	2019-01-12
hostname	zmargbduway.microsoftonedrive.org	—	2019-01-12
URL	http://48rsgbduwga.microsoftonedrive.org/	—	2019-01-12
URL	http://536dgbduwiq.microsoftonedrive.org/	—	2019-01-12
URL	http://5df4gbduwuq.microsoftonedrive.org/	—	2019-01-12
URL	http://6vzygbduwxq.microsoftonedrive.org/	—	2019-01-12
URL	http://b2kxgbduwri.microsoftonedrive.org/	—	2019-01-12
URL	http://jzlanh5toitbumakspt2wzfbblmwswxownmtmlymkrijvppzzstwy8kptcgjzla.microsoftonedrive.org/	—	2019-01-12
URL	http://k1bfgbduxby.microsoftonedrive.org/	—	2019-01-12
URL	http://ki1kgbduw5i.microsoftonedrive.org/	—	2019-01-12
URL	http://microsoftonedrive.org/Client/Upload	—	2019-01-12
URL	http://otlogbduwfi.microsoftonedrive.org/	—	2019-01-12
URL	http://prk1gbduwuy.microsoftonedrive.org/	—	2019-01-12
URL	http://prtsgbduw3y.microsoftonedrive.org/	—	2019-01-12
URL	http://rdmxgbduw3i.microsoftonedrive.org/	—	2019-01-12
URL	http://t2a2gbduwfa.microsoftonedrive.org/	—	2019-01-12
URL	http://tpqjgbduwci.microsoftonedrive.org/	—	2019-01-12
URL	http://v3hugbduwji.microsoftonedrive.org/	—	2019-01-12
URL	http://wwawgbduw6a.microsoftonedrive.org/	—	2019-01-12
URL	http://xjrqgbduwli.microsoftonedrive.org/	—	2019-01-12
URL	http://za1pgfduwmd4jm2uqvsfkmzeqs2kjblewvkb.microsoftonedrive.org/	—	2019-01-12
URL	http://zmargbduway.microsoftonedrive.org/	—	2019-01-12
hostname	za1pgfduwmd4jm2uqvsfkmzeqs2kjblewvkb.microsoftonedrive.org	—	2019-01-12
FileHash-SHA1	1022620da25db2497dc237adedb53755e6b859e3	—	2019-01-12
FileHash-SHA1	1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5	—	2019-01-12
FileHash-SHA1	678ea06ebf058f33fffa1237d40b89b47f0e45e1	—	2019-01-12
FileHash-SHA1	9ea865e000e3e15cec15efc466801bb181ba40a1	—	2019-01-12
domain	cloudipnameserver.com	—	2019-02-02
domain	cloudnamedns.com	—	2019-02-02
domain	interaland.com	—	2019-02-02
domain	lcjcomputing.com	—	2019-02-02
domain	mmfasi.com	—	2019-02-02

References (4)

↗ https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html ↗ https://blog-cert.opmd.fr/dnspionage-weird-apt32-stuff/ ↗ https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/ ↗ https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/