The Iranian state-sponsored threat actor tracked as Lyceum has turned to using a new .NET-based custom backdoor in recent campaigns directed against the Middle East.
“The new malware is a .NET-based DNS backdoor that is a customized version of the open-source tool ‘DIG.net’,” Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a report released last week.
“The malware leverages a DNS attack technique called ‘DNS Hijacking’ in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them according to their malicious demands.”
DNS hijacking is a redirect attack in which DNS requests to genuine websites are intercepted to lead an unsuspecting user to fraudulent pages under the control of an adversary. Unlike cache poisoning, DNS hijacking targets the website’s DNS record on the nameserver, rather than a resolver’s cache.
Lyceum, also known as Hexane, Spirlin or Siamesekitten, is best known for its cyberattacks in the Middle East and Africa. Earlier this year, Slovakian cybersecurity firm ESET linked its activities to another threat actor called OilRig (aka APT34).
The latest infection chain involves a macro-laced Microsoft document downloaded from a domain named “news-spot[.]to live”, posing as a legitimate news report from Radio Free Europe/Radio Liberty on the Iranian drone strikes in December 2021.
Enabling the macro executes malicious code that drops the implant into the Windows Startup folder to establish persistence and ensure that it runs automatically on every system restart.
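One way to check hosts for the Startup-folder persistence described above, as an added example that is not from the Zscaler report or the original article: a PowerShell audit that resolves shortcuts and flags unsigned or recently created entries. The folder paths are the Windows defaults; the 30-day window and the extension list are assumptions chosen for triage.

```powershell
# Added example: audit Windows Startup folders for unsigned or recently created entries.
# Run elevated to read other users' profiles; unreadable folders are skipped silently.
$WindowDays = 30   # assumed triage window
$exts = '.exe', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1'   # assumed list of runnable types

# All-users Startup folder plus the Startup folder of every local profile.
$folders = @([Environment]::GetFolderPath('CommonStartup'))
$folders += Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($folder in ($folders | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
    foreach ($item in Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue) {
        if ($item.Name -eq 'desktop.ini') { continue }

        # Resolve shortcuts so the check applies to the program that actually runs.
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') {
            $target = $shell.CreateShortcut($item.FullName).TargetPath
        }

        # Authenticode status of the resolved target (Valid, NotSigned, HashMismatch, ...).
        $sig = 'NotChecked'
        if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
            $sig = (Get-AuthenticodeSignature -LiteralPath $target).Status.ToString()
        }

        $recent   = $item.CreationTime -gt (Get-Date).AddDays(-$WindowDays)
        $runnable = $exts -contains [IO.Path]::GetExtension("$target").ToLower()

        [pscustomobject]@{
            StartupEntry = $item.FullName
            Target       = $target
            Created      = $item.CreationTime
            Signature    = $sig
            # Review when a runnable target lacks a valid signature, or the entry is new.
            Review       = ($runnable -and $sig -ne 'Valid') -or $recent
        }
    }
}

# Entries marked for review are listed first.
$findings | Sort-Object Review, Created -Descending | Format-Table -AutoSize -Wrap
```

A `Review` value of `True` is a prompt to inspect the entry, not a verdict; legitimate unsigned tools also land in these folders.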
The .NET DNS backdoor, dubbed DnsSystem, is a reworked variant of the open-source DIG.net DNS resolution tool, allowing the Lyceum actor to analyze the DNS responses sent by the DNS server (“cyberclub[.]a”) and achieve its nefarious goals.
In addition to abusing the DNS protocol for command and control (C2) communications to evade detection, the malware is equipped to upload and download arbitrary files to and from the remote server, as well as execute malicious system commands remotely on the compromised host.
“APT threat actors are constantly evolving their tactics and malware to carry out attacks against their targets,” the researchers said. “Attackers are constantly adopting new anti-analysis tricks to evade security solutions; repackaging malware makes static analysis even more difficult.”