Security News > 2022 > June > Iranian hackers target energy sector with new DNS backdoor
NET-based DNS backdoor to conduct attacks on companies in the energy and telecommunication sectors.
A recent analysis by Zscaler presents a new DNS backdoor based on the DIG.net open-source tool to carry out "DNS hijacking" attacks, execute commands, drop more payloads, and exfiltrate data.
DNS hijacking is a redirection attack that relies on DNS query manipulation to take a user who attempts to visit a legitimate site to a malicious clone hosted on a server under the threat actor's control.
If the target enables macros on their Microsoft Office to view the content, the DNS backdoor will be dropped directly onto the Startup folder for establishing persistence between reboots.
"The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query to execute system commands remotely, and upload/download files from the Command & Control server by leveraging the DNS protocol." - Zscaler.
The malware sets up the DNS hijacking server by acquiring the IP address of the "Cyberclub[.]one" domain and generates an MD5 based on the victim's username to serve as a unique victim ID. Apart from performing DNS hijacking attacks, the backdoor can also receive commands from the C2 to execute on the compromised machine.
News URL
Related news
- Iranian hackers charged for ‘hack-and-leak’ plot to influence election (source)
- North Korean Hackers Using New VeilShell Backdoor in Stealthy Cyber Attacks (source)
- Iranian hackers now exploit Windows flaw to elevate privileges (source)
- Iranian hackers act as brokers selling critical infrastructure access (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)