The Iranian state-sponsored threat actor known as Lyceum has switched to deploying a new custom .NET-based backdoor in its latest campaigns targeting the Middle East. Zscaler ThreatLabz researchers Avinash Kumar and Niraj Shivtarkar said the new malware is a .NET-based DNS backdoor, a modified version of the open-source utility ‘DIG.net’.
“The malware leverages a DNS attack technique called ‘DNS Hijacking’ in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements.”
DNS hijacking is a redirection attack in which DNS requests for legitimate domains are intercepted and used to redirect an unwary user to fake pages controlled by an adversary. Unlike cache poisoning, which corrupts entries in a resolver’s cache, DNS hijacking tampers with the domain’s DNS records on the nameserver itself.
Lyceum, also tracked as Hexane, Spirlin, or Siamesekitten, is well known for its cyber-attacks in the Middle East and Africa. Earlier this year, Slovak cybersecurity firm ESET linked its operations to another threat actor known as OilRig (APT34). The most recent infection chain uses a macro-laced Microsoft Word document, downloaded from the domain “news-spot[.]live”, that impersonates a legitimate news report from Radio Free Europe/Radio Liberty about Iran’s drone strikes in December 2021.
When the macro is enabled, the malicious code runs and drops the implant into the Windows Startup folder for persistence, guaranteeing it runs every time the machine is restarted. The implant, dubbed DnsSystem, is a reworked version of the open-source DIG.net DNS resolver utility that lets the Lyceum actor parse the DNS responses returned by the attacker-controlled DNS server (“cyberclub[.]one”) and carry out its malicious objectives.
In addition to evading detection by abusing the DNS protocol for command-and-control (C2) communications, the malware can upload and download arbitrary files to and from the remote server and execute system commands on the compromised host. According to the researchers, APT threat actors continually upgrade their tactics and malware to carry out cyberattacks against their targets successfully.
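The traffic pattern described above, an implant that keeps asking an attacker-controlled nameserver for answers and encodes its exchange in DNS names, leaves a footprint in resolver logs that a defender can look for. The following is an added example, not code from the article or from Zscaler, of a simple heuristic detector run over constructed DNS query log lines: it groups queries by client and apex domain and flags groups with many queries whose leftmost labels are long, high-entropy and almost never repeated. The log format, the domain `attacker-ns.example`, the client addresses and all thresholds are assumptions made for this example; the article’s own indicator (“cyberclub[.]one”) would be a candidate for an explicit watchlist rather than a heuristic.

```python
"""
Added example (not part of the original article or Zscaler's report): a small
heuristic detector for DNS-based command-and-control traffic of the kind the
article describes, run over constructed DNS query log lines.

Assumed log line format (constructed for this example):
    <timestamp> <client_ip> <qname> <qtype>
"""
import math
from collections import defaultdict

# Constructed sample log: one host (10.0.0.7) hammering a single rare apex
# domain with long, high-entropy, never-repeating subdomain labels, which is
# what data or commands encoded into DNS names look like, next to ordinary
# traffic from another host.  All names and addresses are made up.
SAMPLE_LOG = """\
2022-06-09T10:00:01 10.0.0.5 www.example.com A
2022-06-09T10:00:02 10.0.0.5 mail.example.com MX
2022-06-09T10:00:03 10.0.0.7 kq3z8v1m2x9pl4ra7t.attacker-ns.example A
2022-06-09T10:00:04 10.0.0.7 x9c2bn5w0q8l7hd4ej.attacker-ns.example A
2022-06-09T10:00:05 10.0.0.7 m1p6r3s8t2v9y5z0ab.attacker-ns.example A
2022-06-09T10:00:06 10.0.0.7 w7e4f9g2h5j1k8l3mn.attacker-ns.example A
2022-06-09T10:00:07 10.0.0.7 b6d3c0q9r5s2t7u4vx.attacker-ns.example A
2022-06-09T10:00:08 10.0.0.5 www.example.com A
2022-06-09T10:00:09 10.0.0.5 cdn.example.com A
"""


def apex_domain(qname):
    """Return the last two labels (the registrable domain for simple TLDs)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse constructed log lines into (client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname, qtype = parts
        records.append((client, qname.lower(), qtype))
    return records


def find_dns_c2_candidates(text, min_queries=5, min_unique_ratio=0.8,
                           min_label_len=12, min_entropy=3.5):
    """
    Group queries by (client, apex domain) and flag groups where the client
    sends many queries whose leftmost labels are long, high-entropy and
    almost never repeated.  Thresholds are illustrative, not tuned values.
    """
    groups = defaultdict(list)
    for client, qname, _qtype in parse_log(text):
        apex = apex_domain(qname)
        sub = qname[: -len(apex) - 1] if qname.endswith("." + apex) else ""
        groups[(client, apex)].append(sub.split(".")[0] if sub else "")
    flagged = []
    for (client, apex), labels in groups.items():
        if len(labels) < min_queries:
            continue
        unique_ratio = len(set(labels)) / len(labels)
        mean_len = sum(len(lab) for lab in labels) / len(labels)
        mean_entropy = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        if (unique_ratio >= min_unique_ratio and mean_len >= min_label_len
                and mean_entropy >= min_entropy):
            flagged.append({"client": client, "domain": apex,
                            "queries": len(labels),
                            "mean_label_entropy": round(mean_entropy, 2)})
    return flagged


if __name__ == "__main__":
    for hit in find_dns_c2_candidates(SAMPLE_LOG):
        print(hit)
```

On the constructed log this reports the single pair `10.0.0.7` / `attacker-ns.example` and leaves the ordinary `example.com` traffic alone. The per-label entropy and uniqueness checks are what separate encoded C2 names from busy but legitimate hosts such as CDNs, which repeat a small set of labels; in production the same grouping would be run per time window, and known indicators from reports like this one would be matched directly rather than inferred.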