The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East.
“The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool ‘DIG.net,’” Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a report published last week.
“The malware leverages a DNS attack technique called ‘DNS Hijacking’ in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements.”
DNS hijacking is a redirection attack in which DNS queries for genuine websites are intercepted to take an unsuspecting user to fraudulent pages under an adversary’s control. Unlike cache poisoning, DNS hijacking targets the DNS record of the website on the nameserver, rather than a resolver’s cache. In this campaign the nameserver being queried is the operator’s own, so the crafted responses act as a covert command channel to the implant rather than a redirect of the victim’s browsing.
Lyceum, also known as Hexane, Spirlin, or Siamesekitten, is primarily known for its cyber attacks in the Middle East and Africa. Earlier this year, Slovak cybersecurity firm ESET tied its activities to another threat actor called OilRig (aka APT34).
The latest infection chain involves the use of a macro-laced Microsoft Office document downloaded from a domain named “news-spot[.]live,” impersonating a legitimate news report from Radio Free Europe/Radio Liberty about Iran’s drone strikes in December 2021.
Enabling the macro results in the execution of malicious code that drops the implant into the Windows Startup folder to establish persistence, so that it is launched again at every user logon, including after a reboot.
The .NET DNS backdoor, dubbed DnsSystem, is a reworked variant of the open-source DIG.net DNS resolver tool, enabling the Lyceum actor to parse DNS responses issued from the DNS server (“cyberclub[.]one”) and carry out its nefarious goals.
In addition to abusing the DNS protocol for command-and-control (C2) communications to evade detection, the malware is equipped to upload and download arbitrary files to and from the remote server as well as execute malicious system commands remotely on the compromised host.
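A backdoor that carries C2 over DNS leaves a recognisable footprint in resolver logs: one host sending many distinct, random-looking subdomains to a single registered domain, often mixed with TXT lookups that carry the server’s replies. The following Python script is an added example (not code from the Zscaler report or from the DnsSystem sample) that profiles queries per client and registered domain and flags that pattern. The log format (`<timestamp> <client> <qtype> <qname>`), the sample lines, and the “last two labels are the registered domain” rule are all assumptions made for the example; only the cyberclub[.]one nameserver comes from the report.

```python
"""Heuristic detection of DNS-based C2 beaconing in resolver query logs.

Added example, not code from the report or the malware. It aggregates
queries per (client, registered domain) and flags pairs that show many
unique, high-entropy subdomains, the shape produced when an implant encodes
data into query names and reads commands out of the answers.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). Assumed format:
# "<timestamp> <client> <qtype> <qname>". cyberclub[.]one is the C2
# nameserver named in the report; every other name is illustrative.
SAMPLE_DNS_LOG = """\
2022-06-10T09:12:01Z 10.0.4.21 A www.rferl.org
2022-06-10T09:12:03Z 10.0.4.21 A mail.example-corp.com
2022-06-10T09:12:05Z 10.0.4.21 A 6a3f9c1b2e7d.cyberclub.one
2022-06-10T09:12:06Z 10.0.4.21 A 9f1e4b7c0d2a.cyberclub.one
2022-06-10T09:12:07Z 10.0.4.21 TXT b8c2d4e6f0a1.cyberclub.one
2022-06-10T09:12:08Z 10.0.4.21 TXT 3d5f7a9c1e2b.cyberclub.one
2022-06-10T09:12:09Z 10.0.4.21 A e4a6c8b0d2f1.cyberclub.one
2022-06-10T09:12:10Z 10.0.4.21 A 1c3e5a7b9d0f.cyberclub.one
2022-06-10T09:12:12Z 10.0.4.22 A cdn.example-corp.com
2022-06-10T09:12:13Z 10.0.4.22 A www.example-corp.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Split a query name into (subdomain, registered_domain).

    Assumption: the registered domain is the last two labels. That is wrong
    for suffixes such as co.uk; a real deployment should consult the Public
    Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_queries(log_text: str) -> dict:
    """Per (client, registered domain): query count, unique subdomain count,
    TXT count and mean entropy of the subdomain part of each query."""
    raw = defaultdict(lambda: {"queries": 0, "subs": set(), "txt": 0,
                               "ent_sum": 0.0, "sub_queries": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines instead of aborting the scan
        _ts, client, qtype, qname = m.groups()
        sub, domain = split_name(qname)
        e = raw[(client, domain)]
        e["queries"] += 1
        if qtype == "TXT":
            e["txt"] += 1
        if sub:
            e["subs"].add(sub)
            e["sub_queries"] += 1
            e["ent_sum"] += shannon_entropy(sub.replace(".", ""))
    return {
        key: {
            "queries": e["queries"],
            "unique_subdomains": len(e["subs"]),
            "txt": e["txt"],
            "mean_entropy": e["ent_sum"] / e["sub_queries"] if e["sub_queries"] else 0.0,
        }
        for key, e in raw.items()
    }


def find_suspicious(log_text: str, min_unique: int = 5, min_entropy: float = 3.0):
    """Return [(client, domain, stats)] for pairs that look like DNS C2,
    most unique subdomains first. Thresholds are tuning assumptions."""
    hits = [(c, d, s) for (c, d), s in profile_queries(log_text).items()
            if s["unique_subdomains"] >= min_unique and s["mean_entropy"] >= min_entropy]
    hits.sort(key=lambda h: h[2]["unique_subdomains"], reverse=True)
    return hits


if __name__ == "__main__":
    for client, domain, stats in find_suspicious(SAMPLE_DNS_LOG):
        print(f"{client} -> {domain}: {stats['unique_subdomains']} unique subdomains, "
              f"{stats['txt']} TXT, mean entropy {stats['mean_entropy']:.2f}")
```

On the sample above only the 10.0.4.21 to cyberclub.one pair is reported; the legitimate domains have one or two subdomains each and fall under the threshold. Tune `min_unique` and `min_entropy` against a baseline of your own resolver logs, and expect false positives from CDNs and telemetry services that also generate many random-looking labels, so pair this with an allow list before alerting on it.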
“APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets,” the researchers said. “Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes static analysis even more challenging.”