Iran APT34 poisoned DOH for exploit

An Iranian hacking group known as Oilrig has become the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks.

Oilrig operators began using a new utility called DNSExfiltrator as part of their intrusions into hacked networks.

DNSExfiltrator is an open-source project available on GitHub that creates covert communication channels by funneling data and hiding it inside non-standard protocols.

As its name hints, the tool can transfer data between two points using classic DNS requests, but it can also use the newer DoH protocol.

Oilrig, also known as APT34, has been using DNSExfiltrator to move data laterally across internal networks, and then exfiltrate it to an outside point.

Oilrig is most likely using DoH as an exfiltration channel to avoid having its activities detected or monitored while moving stolen data.

This is because the DoH protocol is currently an ideal exfiltration channel for two primary reasons. First, it’s a new protocol that not all security products are capable of monitoring. Second, it’s encrypted by default, while DNS is cleartext.

Historically, the group has dabbled with DNS-based exfiltration techniques. Before adopting the open-source DNSExfiltrator toolkit in May, the group had been using a custom-built tool named DNSpionage since at least 2018, per reports by Talos, NSFOCUS, and Palo Alto Networks.

A spear-phishing campaign orchestrated by unidentified Iranian hackers, who targeted the staff pharma giant Gilead, which at the time announced it began working on a treatment for the COVID-19 virus. It is, however, unclear if these are the same incidents.

Previous reporting has linked most Iranian APTs as working as members or working as contractors for the Islamic Revolutionary Guard Corps, Iran’s top military entity.