Iranian APT hacker groups maintain ongoing access to the targeted network rather than trying to get in and out as quickly as possible.

Making the headline

OilRig, also known as APT34, was spotted using DNS-over-HTTPS (DoH) to silently exfiltrate data from hacked networks.
  • According to the Kaspersky researchers, in May 2020, OilRig operators began using a new utility called DNSExfiltrator to move data laterally across internal networks, and subsequently exfiltrate it to an outside point.
  • The DNSExfiltrator toolkit can transfer data between two points using classic DNS requests, but it can also use the newer DoH protocol.

The first one to do so

OilRig has become the first publicly reported APT group to incorporate the DoH protocol in its attacks.
  • The DoH protocol is an ideal exfiltration channel. It is a new protocol that not all security products are capable of monitoring. It is, furthermore, encrypted by default, while plain DNS is cleartext.
  • OilRig probably uses this tool as an exfiltration channel, to avoid detection and tracking of its activities while moving stolen data.
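Because DoH wraps the lookups in HTTPS, the defender-side checks differ from those for plain DNS tunnelling. The following is an added example (not from the article or from any vendor report) that runs both checks over constructed log lines: flagging HTTPS requests to known public DoH resolver endpoints, and flagging plain DNS queries carrying long, high-entropy labels; the resolver list, thresholds and log format are assumptions.

```python
import math
from collections import Counter

# Constructed key=value log lines (not from the article): one proxy record of an
# HTTPS request to a public DoH resolver, one plain DNS lookup with a long
# high-entropy label, and two benign records.
SAMPLE_LOGS = [
    "ts=2020-05-12T10:00:01Z src=10.0.0.5 type=proxy host=dns.google path=/dns-query",
    "ts=2020-05-12T10:00:02Z src=10.0.0.5 type=dns qname=www.example.com",
    "ts=2020-05-12T10:00:03Z src=10.0.0.7 type=dns qname=4a7f39c1e2b8d05f6e91ac3b7d2e8f10.example.net",
    "ts=2020-05-12T10:00:04Z src=10.0.0.9 type=proxy host=www.example.org path=/index.html",
]

# Assumed list of public DoH resolvers (RFC 8484 "/dns-query" endpoints);
# replace with the resolvers your environment actually permits.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
MAX_LABEL_LEN = 24       # assumed thresholds; tune against your own baseline
MIN_LABEL_ENTROPY = 3.5

def parse_kv(line):
    """Split a 'k=v k=v ...' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def classify(line):
    """Return a finding string for a suspicious record, or None if it looks benign."""
    rec = parse_kv(line)
    if rec.get("type") == "proxy":
        # DoH traffic shows up only at the proxy/TLS layer, not in DNS server logs.
        if rec.get("host") in KNOWN_DOH_HOSTS or rec.get("path", "").startswith("/dns-query"):
            return f"doh-endpoint src={rec.get('src')} host={rec.get('host')}"
    elif rec.get("type") == "dns":
        # Classic DNS exfiltration encodes data into long, random-looking labels.
        for label in rec.get("qname", "").split("."):
            if len(label) > MAX_LABEL_LEN and shannon_entropy(label) > MIN_LABEL_ENTROPY:
                return f"dns-tunnel-like src={rec.get('src')} label={label}"
    return None

def scan(lines):
    """Run classify() over a batch of records and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Note that the DoH check only works where outbound TLS is proxied or at least logged by SNI/host; a resolver that is not on the list will still slip through, so the list needs maintenance.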

The chronicles of OilRig with DNS

Historically, the OilRig group has dabbled with DNS-based exfiltration techniques to secure its activities.
  • Only a few days ago, in August, OilRig was observed targeting a Middle Eastern telecom company using the RDAT tool.
  • In early March 2020, an updated variant of the Karkoff implant, linked to the OilRig group, was found using a compromised Microsoft Exchange Server belonging to a Lebanon government entity.
  • In late January, a Kuwait-based organization’s webpage was used as bait for a watering hole attack in the xHunt campaign, in which infrastructure related to the OilRig group was used.

Concluding notes

APT34 is already known for using a wide range of attack tools and techniques, including KEYPUNCH (a keylogging tool), CANDYKING (desktop screenshot capturing), POWRUNER (backdoor), and BONDUPDATER (domain generation algorithm functionality), among others. The inclusion of tools such as DNSExfiltrator enhances its stealth capabilities, thus making it a more ferocious threat.
Cyware Publisher