DNS Backdoor Is The New Weapon In Lyceum's Arsenal

The Lyceum APT group from Iran is using a new .NET-based DNS backdoor to carry out its attacks. The attacks were aimed at firms belonging to the energy and telecommunication sectors in the Middle East.

Recent attacks with DNS backdoor

Zscaler has analyzed the recently observed DNS backdoor, which is built on the open-source tool DIG.net. It is used to perform DNS hijacking, execute commands, drop additional payloads, and steal data.
  • The attack starts with a Word document containing a malicious macro, obtained from a website impersonating a news site. The file is presented as a news report on an Iranian military affairs topic.
  • If the target enables macros in Office to view the content, the DNS backdoor is dropped directly into the Startup folder on their system so that it persists across reboots.
Previously, Lyceum had targeted communication service providers in the Middle East with DNS-tunneling backdoors.

DNS backdoor

The DNS backdoor uses the filename DnsSystem[.]exe and a version of DIG.net customized to the group's requirements.
  • It sets up the DNS hijacking server by resolving the IP address of the cyberclub[.]one domain, and it creates an MD5 hash of the victim's username that serves as a unique victim ID.
  • Besides carrying out DNS hijacking attacks, the backdoor can obtain commands from the C2 to execute on the infected machine; the C2's responses come in the form of TXT records.
  • Moreover, it can exfiltrate local files to the C2, download files from a remote resource, and drop more payloads.
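As an added illustration of the mechanism described above (example code written for this page, not from the Zscaler analysis or from Cyware), the following Python flags TXT queries whose leftmost label is a 32-hex-digit value and maps that label back to a username in a host inventory by recomputing the MD5 the report describes. The log format, the sample hosts and usernames, and the assumption that the victim ID is carried as the leftmost query label are all constructed here.

```python
import hashlib
import re
from collections import Counter

# Domain the report names as the backdoor's DNS hijacking server.
C2_DOMAIN = "cyberclub.one"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def victim_id(username: str) -> str:
    """MD5 hex digest of the local username, which the report says serves as the victim ID."""
    return hashlib.md5(username.encode("utf-8")).hexdigest()

def suspect_txt_queries(log_text: str, known_users):
    """One finding per (client, query name) for TXT queries whose leftmost label is 32 hex
    digits: the query count, whether the name falls under the reported C2 domain, and the
    inventory username whose MD5 equals that label, if any. Assumption (not stated in the
    report): the victim ID travels as the leftmost label of the query name."""
    id_to_user = {victim_id(u): u for u in known_users}
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        qname = qname.rstrip(".").lower()
        if qtype.upper() == "TXT" and HEX32.match(qname.split(".")[0]):
            counts[(client, qname)] += 1
    findings = []
    for (client, qname), n in counts.items():
        findings.append({
            "client": client,
            "qname": qname,
            "txt_queries": n,
            "known_c2": qname.endswith("." + C2_DOMAIN),
            "matched_user": id_to_user.get(qname.split(".")[0]),
        })
    return findings

# Constructed resolver log ("<epoch> <client> <qname> <qtype>"), not data from the report.
_VID = victim_id("jdoe")
SAMPLE_LOG = f"""\
1655000001 10.0.0.15 www.example.com A
1655000002 10.0.0.15 {_VID}.cyberclub.one TXT
1655000003 10.0.0.15 {_VID}.cyberclub.one TXT
1655000004 10.0.0.22 _dmarc.example.com TXT
1655000005 10.0.0.15 {_VID}.cyberclub.one TXT
"""

if __name__ == "__main__":
    print(suspect_txt_queries(SAMPLE_LOG, ["jdoe", "asmith"]))
```

Legitimate TXT lookups such as `_dmarc` records are not flagged because their leading label is not a 32-hex-digit value; a hit that also matches an inventory username ties the flagged query to a specific local account.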

Conclusion

The Lyceum group focuses on cyber-espionage, and the new DNS backdoor shows the group's continuing evolution in that field. The group is expected to continue its information-collection campaigns, so organizations are advised to encrypt important data, enforce proper access controls, and use threat intelligence solutions to stay protected.
Cyware Publisher