A state-backed APT group from Iran, Lyceum, has been utilising [.]NET-based DNS backdoor in targeting firms from the telecom and energy industries. Also known by their other names, Hexane and Spilrin, the Lyceum APT group had a history of attacking communication service companies from the Middle East through DNS-tunneling backdoors.
From an analyst’s recent study on the group’s new attack vector, they have found a new DNS backdoor being utilised by Lyceum that is based on the DIG[.]net open-source tool to launch different attacks, including DNS hijacking, executing commands, dropping additional payloads, and amassing victims’ data.
Threat actors launch DNS hijacking attacks to redirect users who visit a legitimate website to an imitated version under a maliciously controlled server, where they could compromise any data entered by the victim.
The Lyceum APT begins by leveraging a Word file containing an infected macro downloaded from a fake news website.
Based on the analysis of the attack, the threat group disguised the malicious document as an alleged news report concerning Iran’s military activities. Once the victim activates macros on the downloaded MS Word file from the malicious website, the DNS backdoor will be injected and dropped on the computer’s startup folder, aiming to establish persistence despite the machine rebooting.
Furthermore, the Lyceum APT have configured code that lets them launch DNS queries for several records onto the DNS server, analyse the query’s response to perform commands remotely, and control files from the C2 server through the DNS protocol.
Receiving commands from the C2 server is also one of the vectors the Iranian group uses in their attacks, which is vital for the backdoor to be dropped on the compromised computer. Furthermore, the backdoor can collect local files and send them to the C2 server or move files from a remote source to drop more payloads.
The Lyceum APT introduced the new backdoor in their attacks, indicating their progress within the cybercrime landscape. However, despite this new vector being considered sophisticated, users must remember that the initial infection stage requires the macros on the Word file to be activated. Hence, users must always be wary of that factor, especially from files downloaded from suspicious websites.
