Hackers From Iran Seen Employing New DNS Hijacking Malware in Latest Cyberattacks 

The Iranian state-sponsored malicious attacker known as Lyceum has switched to deploying a new custom .NET-based backdoor in the latest campaigns targeting the Middle East. Zscaler ThreatLabz researchers Avinash Kumar and Niraj Shivtarkar said that the new malware is a .NET-based DNS Backdoor, a modified version of the open-source utility ‘DIG.net.’ 

“The malware leverages a DNS attack technique called ‘DNS Hijacking’ in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements.” 

DNS hijacking is a redirection attack in which DNS requests for legitimate domains are intercepted and used to redirect an unwary user to fake pages controlled by an adversary. DNS hijacking, unlike cache poisoning, attacks the website’s DNS record on the nameserver instead of the resolver’s cache. 

Lyceum, aka Hexane, Spirlin, or Siamesekitten, is well known in the Middle East and Africa for its cyber-attacks. ESET, a Slovak cybersecurity firm, linked its operations to another threat actor known as OilRig (APT34) earlier this year. The most recent infection chain uses a macro-laced Microsoft Document obtained from the domain “news-spot[.]live” to impersonate a credible news report from Radio Free Europe/Radio Liberty regarding Iran’s drone strikes in December 2021. 

When the macro is enabled, malicious code is executed that places the implant in the Windows Startup folder for persistence, guaranteeing it runs every time the machine is restarted. The implant, dubbed DnsSystem, is a reworked version of the open-source DIG.net DNS resolver utility that allows the Lyceum actor to read DNS replies produced by the attacker-controlled DNS server (“cyberclub[.]one”) and carry out its malicious objectives. 

In addition to evading detection by abusing the DNS protocol for command-and-control (C2) communications, the malware can upload and download arbitrary files to and from the remote server, as well as remotely execute system commands on the compromised host. According to the researchers, APT threat actors are constantly upgrading their strategies and malware to successfully carry out cyberattacks on their targets. 
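Because the backdoor described above receives its instructions inside DNS replies, a resolver log is one of the few places a defender can see it. The following detection sketch is an added example, not code from the article or from Zscaler: it parses constructed resolver log lines (the format, the client addresses and the domain "c2-placeholder.test" are all invented here) and flags domains that receive a burst of TXT queries whose leftmost label looks random, a shape typical of data or commands carried over DNS.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (not from the article): timestamp, client, qtype, qname.
SAMPLE_LOG = """\
2021-12-10T09:00:01 10.0.0.5 A www.example.com
2021-12-10T09:00:02 10.0.0.5 TXT 6b3a9f0e1c2d4e5f.c2-placeholder.test
2021-12-10T09:00:03 10.0.0.5 TXT 7c4b0a1f2d3e5f60.c2-placeholder.test
2021-12-10T09:00:04 10.0.0.5 TXT 8d5c1b203e4f6071.c2-placeholder.test
2021-12-10T09:00:05 10.0.0.7 A mail.example.com
2021-12-10T09:00:06 10.0.0.5 TXT 9e6d2c314f507182.c2-placeholder.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character of a label; random-looking labels score high, real words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude last-two-labels heuristic; a real deployment would use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def suspicious_domains(log: str, min_queries: int = 3, min_entropy: float = 3.0) -> dict:
    """Return {domain: txt_query_count} for domains that received at least min_queries TXT
    queries whose leftmost label has entropy >= min_entropy bits per character."""
    stats = defaultdict(lambda: {"txt": 0, "high_entropy": 0})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, _client, qtype, qname = m.groups()
        dom = registered_domain(qname)
        if qtype == "TXT":
            stats[dom]["txt"] += 1
            if shannon_entropy(qname.split(".")[0]) >= min_entropy:
                stats[dom]["high_entropy"] += 1
    return {d: s["txt"] for d, s in stats.items()
            if s["txt"] >= min_queries and s["high_entropy"] >= min_queries}

if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_LOG))  # {'c2-placeholder.test': 4}
```

The thresholds are starting points; legitimate TXT-heavy domains (mail authentication, service discovery) should be allow-listed before alerting on the output.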

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.