The Iran-linked Lyceum cyber espionage group, also known as Hexane or Spilrin, is employing a new .NET-based DNS backdoor to target firms in the energy and telecommunication sectors.
Lyceum has previously targeted communication service vendors in the Middle East via DNS-tunneling backdoors.
According to analysis by Zscaler ThreatLabz researchers, the backdoor is built on the open-source DIG.net tool and is used to carry out "DNS hijacking" (manipulating DNS queries to redirect users to malicious clones of legitimate sites), execute commands, drop payloads, and exfiltrate data.
Employs Word doc
The hackers target organizations with macro-laced Microsoft Word documents downloaded from a domain named "news-spot[.]live," which impersonates a legitimate site. The document is disguised as a news report on an Iranian military affairs topic.
When a victim downloads the file from this site, it asks them to enable macros in order to view the content. Once macros are enabled, the DNS backdoor, DnsSystem.exe, is dropped directly into the Startup folder so that it persists across reboots.
"The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query to execute system commands remotely, and upload/download files from the Command & Control server by leveraging the DNS protocol," Zscaler researchers Niraj Shivtarkar and Avinash Kumar explained in a report published last week.
Initially, the malware sets up the DNS hijacking server by obtaining the IP address of the "cyberclub[.]one" domain, and it generates an MD5 hash based on the victim's username to serve as a unique victim ID.
Additionally, the malware can upload and download arbitrary files to and from the remote server, as well as execute malicious system commands remotely on the compromised host.
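The traffic pattern described above (a stream of DNS lookups for various record types against one attacker-controlled zone, with data carried in the query names) is something a resolver log can be screened for. The following Python script is an added example, not code from the Zscaler report or the malware; the log lines, the c2-domain.example zone and its hex-encoded labels are constructed, and the assumption that tunnelled data rides in subdomain labels is the author's, not a claim from the page.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (client, queried name, record type); the
# c2-domain.example zone and its hex labels are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 www.example.com AAAA
10.0.0.6 www.example.com A
10.0.0.9 mail.example.com MX
10.0.0.7 0123456789abcdef0123456789abcdef.c2-domain.example TXT
10.0.0.7 fedcba9876543210fedcba9876543210.c2-domain.example TXT
10.0.0.7 0123456789abcdeffedcba9876543210.c2-domain.example A
10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.c2-domain.example TXT
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-domain.example TXT
"""

def shannon_entropy(s):
    """Bits per character; hex- or base64-encoded labels score near 4 or 6."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0

def split_name(qname):
    """Return (subdomain, zone), using the last two labels as the zone (use the PSL in production)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_zones(log_text, min_queries=4):
    """Flag zones whose lookups look like a DNS tunnel: nearly every query
    carries a new, long, high-entropy subdomain and most ask for TXT records."""
    zones = defaultdict(lambda: {"n": 0, "subs": set(), "txt": 0, "ent": 0.0})
    for line in log_text.splitlines():
        _client, qname, qtype = line.split()
        sub, zone = split_name(qname)
        z = zones[zone]
        z["n"] += 1
        z["subs"].add(sub)
        z["txt"] += qtype == "TXT"
        z["ent"] += shannon_entropy(sub)
    flagged = {}
    for zone, z in zones.items():
        if z["n"] < min_queries:
            continue
        stats = {"queries": z["n"], "unique_ratio": len(z["subs"]) / z["n"],
                 "avg_len": sum(map(len, z["subs"])) / len(z["subs"]),
                 "avg_entropy": z["ent"] / z["n"], "txt_ratio": z["txt"] / z["n"]}
        if (stats["unique_ratio"] > 0.8 and stats["avg_len"] >= 20
                and stats["avg_entropy"] > 3.0 and stats["txt_ratio"] > 0.5):
            flagged[zone] = stats
    return flagged
```

Thresholds are starting points to tune against a baseline of normal traffic; the benign example.com lookups in the sample stay below them while the tunnel zone is flagged.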
Evolution of Lyceum
The Lyceum APT group was first spotted in early August 2019 attempting to gain access to target organizations' systems via password spraying or brute-force attacks.
Lyceum focuses primarily on cyber espionage, and this new stealthy and potent backdoor shows how the group continues to evolve. The Iranian group is expected to keep taking part in data theft campaigns of this kind, which often involve multiple hacking groups from the country.
"APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets," the researchers stated. "Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes the static analysis even more challenging."