Quote:Cisco Talos discovered a new malware campaign targeting a commercial Lebanese airline company, as well as United Arab Emirates (UAE) and Lebanon government domains.

According to Cisco Talos' findings, the recently observed campaign could not be connected to other threat actors or attacks based on the used infrastructure and its Tactics, Techniques, and Procedures (TTP).

The actor was observed while using maliciously crafted Word and Excel documents powered by macros which would compromise targets visiting two fake job postings websites controlled by the attacker.

The documents used to infect targets drop a new remote administration tool which Cisco Talos named DNSpionage because of its capability of communicating with its masters using a DNS tunneling communication channel.

Moreover, after being dropped on the compromised machine, DNSpionage will use the Downloads folder as storage for tools and scripts it downloads from the command-and-control (C&C) server, while the Uploads directory is the temporary location for all exfiltrated data.