An Iranian APT group dubbed Lyceum is using a new .NET-based DNS backdoor in a campaign aimed at companies in the energy and telecommunication sectors.
The Lyceum APT group's activity was first identified by researchers at ICS security firm Dragos, which tracks the group as Hexane and has seen it active since 2018.
Researchers recently uncovered a new campaign in which the group employs a .NET-based backdoor against targets in the Middle East. The DNS backdoor borrows code from an open-source tool named DIG.net and is used to perform “DNS hijacking.”
The malware uses the DNS protocol for C2 communication, which lets its traffic blend into ordinary name resolution and helps it evade detection.
The backdoor supports multiple functions, including uploading and downloading files and executing system commands on the infected machine, by abusing DNS records: TXT records carry incoming commands and A records carry exfiltrated data.
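As an added example, not code from the Zscaler report or from the malware itself, here is a small Python triage script for DNS query logs that looks for the pattern described above: a client issuing repeated TXT queries, and A queries, whose leftmost label looks like encoded data. The log lines, client addresses and the domain are constructed placeholders.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (client, query type, query name), one
# query per line. Invented for this example; the domain is a placeholder,
# not an indicator from the report.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT k3x9q2mf7zt4hd8w.c2-placeholder.test
10.0.0.5 TXT p1v6n8ry2wq5gc3j.c2-placeholder.test
10.0.0.5 TXT t7h2d4mk9sx1bz6f.c2-placeholder.test
10.0.0.5 A z4q8w1nj6vc3lt9h.c2-placeholder.test
10.0.0.7 A mail.example.com
10.0.0.7 TXT _dmarc.example.com
"""

def shannon_entropy(label):
    """Bits of entropy per character of a DNS label (0.0 for empty or uniform)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_encoded(label, min_len=12, min_entropy=3.0):
    """Long, high-entropy leftmost labels are typical of data carried in query names."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def score_clients(log_text, min_txt=3):
    """Count encoded-looking TXT and A queries per client and flag heavy TXT users."""
    stats = defaultdict(lambda: {"txt_encoded": 0, "a_encoded": 0, "suspicious": False})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, qtype, qname = parts
        s = stats[client]  # register the client even if nothing is flagged
        if not looks_encoded(qname.split(".")[0]):
            continue
        if qtype == "TXT":
            s["txt_encoded"] += 1  # TXT answers would carry inbound commands
        elif qtype == "A":
            s["a_encoded"] += 1    # A queries would carry outbound data
    for s in stats.values():
        s["suspicious"] = s["txt_encoded"] >= min_txt
    return dict(stats)

if __name__ == "__main__":
    for client, s in score_clients(SAMPLE_LOG).items():
        print(client, s)
```

Thresholds are deliberately loose; tune min_txt and min_entropy against a baseline of your own resolver logs before alerting on them.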
The attack chain starts with spear-phishing messages carrying a weaponized Word document disguised as a news report on military affairs in Iran.
DNS hijacking is a redirection attack that relies on DNS query manipulation to take a user who attempts to visit a legitimate site to a malicious clone hosted on a server under the threat actor’s control.
Once the user enables macros to view the content, the DNS backdoor is dropped onto the system when the document is closed: the attackers use the document's AutoClose() macro, which reads a PE file stored in a text box on the 7th page of the document.
The macro code writes this PE file into the Startup folder for persistence, so the DNS backdoor is executed when the system is next restarted.
APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets. Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes static analysis even more challenging.
This research was conducted by Zscaler ThreatLabz.
Domains and URLs: