In recent operations aimed at the Middle East, the Iranian state-sponsored threat actor known as Lyceum has begun using a brand-new, custom .NET-based backdoor. These operations have previously been tracked under the same "Lyceum" name.
Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar noted in a study released last week that the new malware is a .NET-based DNS backdoor that is a modified version of the open-source tool "DIG.net".
According to the report, the malware relies on a technique known as "DNS Hijacking", in which an attacker-controlled DNS server manipulates the answers to DNS requests and resolves them according to the attacker's agenda.
DNS Hijacking is a kind of redirection attack in which DNS requests to legitimate websites are intercepted in order to lead users who are unaware of the attack to counterfeit pages that are controlled by an adversary. DNS hijacking, as opposed to cache poisoning, affects the DNS record of the website that is stored on the nameserver rather than the cache stored by a resolver.
The most recent infection chain involves a Microsoft Office document containing malicious macros, downloaded from a website called "news-spot[.]live". The document pretends to be a legitimate news report from Radio Free Europe/Radio Liberty and discusses Iran's use of drones in December 2021.
Enabling the macro executes malicious code that drops the implant into the Windows Startup folder. This gives the implant persistence and ensures that it runs automatically whenever the system is restarted.
The .NET DNS backdoor, dubbed DnsSystem, is a reworked version of the open-source DIG.net DNS resolver tool. It lets the Lyceum actor parse the DNS answers returned by the attacker's DNS server ("cyberclub[.]one") and act on them to achieve its malicious objectives.
The malware can upload and download arbitrary files to and from the remote server and execute system commands remotely on the compromised host. In addition, by abusing the DNS protocol for command-and-control (C2) communications, it can blend in with ordinary network traffic and evade detection.
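Because the backdoor described above carries its C2 traffic inside DNS queries and answers, a resolver log is the natural place to look for it. The following script is an added example, not code from the Zscaler report or from the malware itself: it reads a constructed, clearly fictional resolver log (the domain `c2-placeholder.test` and all query names are made up) and flags parent domains that receive a burst of queries whose first labels look random (high Shannon entropy) and are never reused, which is the shape DNS tunnelling and DNS-based C2 typically have. The thresholds (`min_queries`, `min_unique_labels`, `min_entropy`) are assumptions to tune against your own baseline; large CDNs can also produce many unique subdomains, so treat a hit as a lead, not a verdict.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not from the report). One query per line:
# "<timestamp> <client_ip> <query_type> <query_name>"
SAMPLE_LOG = """\
2022-06-10T09:00:01 10.0.0.15 A www.example.com
2022-06-10T09:00:02 10.0.0.15 A cdn.example.com
2022-06-10T09:00:05 10.0.0.15 TXT 4a7f3c9e1b2d.c2-placeholder.test
2022-06-10T09:00:06 10.0.0.15 TXT 9d81e0a6c5f2.c2-placeholder.test
2022-06-10T09:00:07 10.0.0.15 TXT 3b6c0d2e8f41.c2-placeholder.test
2022-06-10T09:00:08 10.0.0.15 TXT f0e1d2c3b4a5.c2-placeholder.test
2022-06-10T09:00:09 10.0.0.15 TXT 7c8d9e0f1a2b.c2-placeholder.test
2022-06-10T09:00:10 10.0.0.15 TXT 5e4d3c2b1a09.c2-placeholder.test
2022-06-10T09:00:11 10.0.0.22 A mail.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(log_text):
    """Yield (client_ip, qtype, qname) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, client, qtype, qname = m.groups()
            yield client, qtype.upper(), qname.lower().rstrip(".")


def registered_domain(qname):
    """Naive parent domain: the last two labels (no public-suffix handling)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze_dns_log(log_text, min_queries=5, min_unique_labels=5, min_entropy=3.0):
    """Return {parent_domain: findings} for domains showing tunnelling-like patterns.

    A domain is flagged when it receives at least min_queries queries whose first
    labels are (a) almost never repeated and (b) high-entropy on average; the TXT
    ratio and client list are reported to help triage.
    """
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "labels": set(),
                                 "entropies": [], "clients": set()})
    for client, qtype, qname in parse_log(log_text):
        parent = registered_domain(qname)
        s = stats[parent]
        s["queries"] += 1
        s["clients"].add(client)
        if qtype == "TXT":
            s["txt"] += 1
        # Everything left of the parent domain is the attacker-controllable part.
        sub = qname[: -len(parent) - 1] if qname != parent else ""
        if sub:
            first_label = sub.split(".")[0]
            s["labels"].add(first_label)
            s["entropies"].append(shannon_entropy(first_label))

    findings = {}
    for parent, s in stats.items():
        if s["queries"] < min_queries:
            continue
        mean_entropy = (sum(s["entropies"]) / len(s["entropies"])) if s["entropies"] else 0.0
        if len(s["labels"]) >= min_unique_labels and mean_entropy >= min_entropy:
            findings[parent] = {
                "queries": s["queries"],
                "unique_labels": len(s["labels"]),
                "mean_entropy": round(mean_entropy, 2),
                "txt_ratio": round(s["txt"] / s["queries"], 2),
                "clients": sorted(s["clients"]),
            }
    return findings


if __name__ == "__main__":
    for domain, info in analyze_dns_log(SAMPLE_LOG).items():
        print(domain, info)
```

On the sample log, `example.com` is ignored (too few queries, low-entropy labels such as `www` and `mail`), while `c2-placeholder.test` is flagged with six unique twelve-character labels and a TXT ratio of 1.0. In production you would feed this the resolver's actual query log and combine the result with the other host-side artefact the article mentions, an unexpected entry in the Windows Startup folder, before escalating.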
The hacking group behind the malware, Lyceum, also known as Hexane, Spirlin, and Siamesekitten, is best known for its cyber attacks in Africa and the Middle East. Earlier this year, the Slovak cybersecurity company ESET connected its operations to a different threat actor known as OilRig (aka APT34).
According to the researchers, APT threat actors continually upgrade their strategies and malware in order to carry out attacks on their targets effectively. Attackers regularly adopt new anti-analysis tactics to circumvent security solutions, and re-packaging malware makes static analysis even more difficult.