Daily Tech News, Interviews, Reviews and Updates

Iranian Hackers Target the Energy Sector With a New DNS Backdoor

The Iranian Lyceum APT group is using a new .NET-based DNS backdoor in attacks on energy and telecommunications companies.

Lyceum, also tracked as Hexane and Spirlin, has previously targeted Middle Eastern communication service providers with DNS-tunnelling backdoors.

Lyceum specialises in cyber-espionage intrusions, and this new backdoor marks a further step in the evolution of the group's tooling.

A recent analysis by Zscaler describes the new DNS backdoor, which is built on the open-source DIG.net tool and used to carry out DNS hijacking.

DNS hijacking is a redirection attack that relies on manipulating DNS queries or responses.

A user who tries to visit a legitimate site is instead sent to a malicious clone hosted on a server under the threat actor's control.

Any information entered on the malicious site goes straight to the threat actors.

It starts with a Word document

The attack begins with a Word document containing a malicious macro, downloaded from a website posing as a news site.

If the target enables macros in Microsoft Office to view the document, the DNS backdoor is dropped directly into the Startup folder so that it persists across reboots.

What is the new DNS backdoor?

The backdoor sets up its DNS hijacking channel by resolving the IP address of the "cyberclub[.]one" domain, and it generates an MD5 hash of the victim's username to serve as a unique victim ID.

The backdoor is delivered under the filename 'DnsSystem.exe' and is a customised version of DIG.net.

The backdoor receives commands from the C2 server to execute on the compromised machine; the responses arrive in the form of DNS TXT records.

The commands are run through cmd.exe, and their output is sent back to the C2 server encoded in DNS records.

The backdoor can also upload local files to the C2 server and download files from a remote source.
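A command channel like the one described above leaves a recognisable footprint in DNS logs: one host repeatedly querying TXT records for a single domain, with long high-entropy leftmost labels carrying the victim ID and encoded output. The following detector is an added example written for this article, not code from Zscaler or from the malware; the log format, the domain c2-example.test and the thresholds are assumptions, and the sample lines are constructed. It assumes the MD5 victim ID travels in the query name, which the article does not state.

```python
"""Toy detector for DNS TXT-record command channels over a DNS query log.

Constructed sample log (not real telemetry). Assumed format per line:
timestamp, client IP, record type, queried name.
"""
import math
import re
from collections import defaultdict

# Constructed sample: 10.0.0.5 polls TXT records of an assumed C2 domain with a
# 32-hex-char label (modelled on an MD5 victim ID) and pushes output back in an
# A query; 10.0.0.7 makes a benign TXT lookup (_dmarc) for comparison.
SAMPLE_LOG = """\
2022-06-01T10:00:01 10.0.0.5 A www.example.com
2022-06-01T10:00:03 10.0.0.5 TXT 6f1ed002ab5595859014ebf0951522d9.c2-example.test
2022-06-01T10:00:08 10.0.0.5 TXT 6f1ed002ab5595859014ebf0951522d9.c2-example.test
2022-06-01T10:00:13 10.0.0.5 TXT 6f1ed002ab5595859014ebf0951522d9.c2-example.test
2022-06-01T10:00:14 10.0.0.5 A cdn.example.net
2022-06-01T10:00:18 10.0.0.5 TXT 6f1ed002ab5595859014ebf0951522d9.c2-example.test
2022-06-01T10:00:19 10.0.0.5 A 0e1c3a9f7b2d4c6e8a1b3d5f7e9c2a4b.c2-example.test
2022-06-01T10:00:23 10.0.0.5 TXT 6f1ed002ab5595859014ebf0951522d9.c2-example.test
2022-06-01T10:00:30 10.0.0.7 TXT _dmarc.example.com
2022-06-01T10:00:31 10.0.0.7 A mail.example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; encoded/hashed labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (timestamp, client, qtype, qname) tuples for well-formed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def registered_domain(name):
    """Naive registered domain: last two labels (a real tool would use a
    public-suffix list)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def detect_dns_c2(text, min_txt_queries=4, min_label_len=20, min_entropy=3.0):
    """Flag (client, domain) pairs with repeated TXT polling AND at least one
    long, high-entropy leftmost label. Thresholds are assumed, not tuned."""
    txt_counts = defaultdict(int)
    odd_labels = defaultdict(set)
    for _ts, client, qtype, qname in parse_log(text):
        key = (client, registered_domain(qname))
        if qtype.upper() == "TXT":
            txt_counts[key] += 1
        first = qname.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            odd_labels[key].add(first)
    findings = []
    for key in set(txt_counts) | set(odd_labels):
        if txt_counts[key] >= min_txt_queries and odd_labels[key]:
            client, dom = key
            findings.append({"client": client, "domain": dom,
                             "txt_queries": txt_counts[key],
                             "labels": sorted(odd_labels[key])})
    return sorted(findings, key=lambda f: (f["client"], f["domain"]))


if __name__ == "__main__":
    for f in detect_dns_c2(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: {f['txt_queries']} TXT queries, "
              f"{len(f['labels'])} encoded-looking labels")
```

Requiring both indicators keeps legitimate TXT traffic (SPF, DMARC, domain-verification records) out of the results; either signal alone is noisy on a real network.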
