Zerosecurity
State-sponsored Iranian Hackers utilize .NET DNS Backdoor in new Attack

by Kyle
June 12, 2022
in Malware, Security

Lyceum APT DNS hijacking backdoor (featured image)

An Advanced Persistent Threat (APT) group based in Iran, known as Lyceum, has been observed using a .NET-based DNS backdoor to target organizations in the telecommunications and energy sectors, according to a report released by Zscaler.

The APT group has been active since 2017 and is known for targeting Middle Eastern organizations. The group is now using customized .NET-based malware, written in C#, that reuses code copied from a popular open-source tool.

The code was lifted from DIG.net, a tool the group uses for carrying out DNS hijacking attacks, as well as for executing commands, dropping payloads, and snooping on data.

Key attack features:

  1. The new malware is a .NET-based DNS backdoor, essentially a customized version of the open-source tool “DIG.net”.
  2. The malware leverages a DNS attack technique known as “DNS hijacking”, in which an attacker-controlled DNS server manipulates the responses to DNS queries and resolves them according to the attacker's needs.
  3. The malware uses the DNS protocol for command and control (C2) communication, which increases stealth and keeps the malware's communication under the radar to evade detection.
  4. The technique allows uploading and downloading files and executing system commands on the infected machine by abusing DNS records: TXT records carry incoming commands and A records carry exfiltrated data.

In short, the threat actors are able to manipulate DNS queries to redirect users to a clone of a website under the attacker's control. Any information entered on the cloned site, such as usernames and passwords, is then visible to the attackers.

One Word doc

The attack begins, like many we see today, with a malicious Microsoft Word document containing a macro, downloaded from a fake news website, “http[:]//news-spot.live”.

Malicious Microsoft Word macro, source – Zscaler

When the user enables the macro, the DNS backdoor is dropped into the user's Startup folder, a persistence technique that launches the backdoor on every system startup.

.NET DNS backdoor dropped to the Startup folder, source – Zscaler

A look at the new DNS Backdoor

The DNS backdoor is believed to have been developed by the Lyceum group and has been used widely in their recent attack campaigns. As mentioned above, the backdoor is dropped into, and runs from, the Startup folder of the infected system.

The backdoor's executable is named “DnsSystem.exe” and has the MD5 hash 8199f14502e80581000bd5b3bda250ee.

“The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query to execute system commands remotely, and upload/download files from the Command & Control server by leveraging the DNS protocol.” – Zscaler

The malware begins the DNS hijacking process by resolving the IP address of the attacker's domain “http://cyberclub[.]one”, and then generates a unique victim ID from an MD5 hash of the victim's Windows username.

How the malware generates a unique ID and resolves the DNS of cyberclub[.]one, source – Zscaler

The backdoor is also able to receive commands from the command and control (C2) server and execute them on the victim's computer. The commands arrive as DNS TXT records and are run through the Windows command prompt; the output is then sent back to the attackers as DNS A record queries.

The backdoor's command execution routine, source – Zscaler
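The TXT-in, A-record-out pattern described in the key attack features and in the command execution routine above is what a defender can look for in DNS query logs: a client that repeatedly sends TXT queries for unique, random-looking subdomains of one domain is behaving very differently from normal TXT usage (SPF/DMARC lookups). The following is an added detection example, not code from the article or from Zscaler's report; the log format, the client and domain values, and the thresholds are all constructed for illustration, and the "registrable domain = last two labels" shortcut is an assumption that a real deployment would replace with a public-suffix list.

```python
import math
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample query log (not from the article). Assumed line format:
# "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2022-06-12T10:00:01 10.0.0.5 www.example.com A
2022-06-12T10:00:02 10.0.0.5 _dmarc.example.com TXT
2022-06-12T10:00:03 10.0.0.5 static-cdn.example.com A
2022-06-12T10:00:04 10.0.0.7 0123456789abcdef.cmd.c2-placeholder.test TXT
2022-06-12T10:00:09 10.0.0.7 fedcba9876543210.cmd.c2-placeholder.test TXT
2022-06-12T10:00:14 10.0.0.7 13579bdf02468ace.cmd.c2-placeholder.test TXT
2022-06-12T10:00:19 10.0.0.7 2468ace013579bdf.cmd.c2-placeholder.test TXT
2022-06-12T10:00:20 10.0.0.7 www.example.com A
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character. Random-looking hex labels approach log2(16) = 4.0,
    while human-readable labels such as 'www' or 'mail' score much lower."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log line into (client, qname, qtype); return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, qtype = parts
    return client, qname.rstrip(".").lower(), qtype.upper()


def base_domain(qname: str) -> str:
    """Assumption for this example: the registrable domain is the last two labels."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


@dataclass
class Stats:
    queries: int = 0
    txt_queries: int = 0
    txt_names: set = field(default_factory=set)   # distinct names queried via TXT
    entropies: list = field(default_factory=list)  # entropy of the leftmost label per TXT query


def score_dns_log(lines, txt_min=3, entropy_min=3.0, unique_ratio_min=0.8):
    """Flag (client, base_domain) pairs whose TXT traffic looks like DNS-based C2:
    enough TXT queries, random-looking leftmost labels, and almost every name unique."""
    stats = defaultdict(Stats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, qtype = rec
        st = stats[(client, base_domain(qname))]
        st.queries += 1
        if qtype == "TXT":
            st.txt_queries += 1
            st.txt_names.add(qname)
            st.entropies.append(shannon_entropy(qname.split(".")[0]))

    flagged = {}
    for key, st in stats.items():
        if st.txt_queries < txt_min:
            continue
        mean_entropy = sum(st.entropies) / len(st.entropies)
        unique_ratio = len(st.txt_names) / st.txt_queries
        if mean_entropy >= entropy_min and unique_ratio >= unique_ratio_min:
            flagged[key] = {
                "txt_queries": st.txt_queries,
                "mean_label_entropy": round(mean_entropy, 3),
                "unique_name_ratio": round(unique_ratio, 3),
            }
    return flagged


if __name__ == "__main__":
    for (client, base), info in score_dns_log(SAMPLE_LOG.splitlines()).items():
        print(f"suspicious DNS C2 pattern: {client} -> {base}: {info}")
```

The three conditions are deliberately combined: a single DMARC lookup is a legitimate TXT query, and a busy CDN produces many distinct A-record names, but only tunnelled C2 traffic produces a stream of TXT queries for names that are both unique and high-entropy. Tune `txt_min` and the time window to your environment, and pair the alert with the persistence indicator the article describes (an unexpected executable in the user's Startup folder).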

Who is the Lyceum APT group?

Lyceum is a group of hackers focused on cyber espionage, and this new backdoor technique marks a clear step forward in their capabilities.

The Iranian hackers are expected to continue carrying out attack campaigns of this kind, and they often work alongside numerous other threat groups from the country.

These APT threat actors make a constant effort to evolve their tactics and to stay under the radar for as long as possible. However novel this backdoor technique is, the attack still requires the user to enable macros in Word, an action that should rarely be taken.

Source: Zscaler Insights and Research
Tags: backdoor, dns, hackers, Iran, State-Sponsored

Kyle

Co-owner, writer, and editor at ZeroSecurity. Security, Blockchain, and SEO enthusiast. "Formal education will make you a living; self-education will make you a fortune."

© 2022 ZeroSecurity, All Rights Reserved.