5 August 2020

Iranian APT Oilrig becomes the first group to weaponize DNS-over-HTTPS


Iranian cybercriminal group Oilrig (also known as APT34) has become the first APT group to use the DNS-over-HTTPS (DoH) protocol in its attacks, employing it to exfiltrate data from compromised networks.

Vicente Diaz, a malware analyst at antivirus maker Kaspersky, said in a webinar that the change happened in May this year, when Oilrig added a new tool to its hacking arsenal. According to Diaz, Oilrig members have begun using the DNSExfiltrator utility in their cyberattacks.

DNSExfiltrator is an open-source project available on GitHub that creates covert communication channels by encoding data into a protocol that is not normally used for transferring files. The tool can move data between two points using classic DNS requests, but it can also use the newer DoH protocol.

Oilrig uses DNSExfiltrator to move data laterally across internal networks and then exfiltrate it to an external endpoint. The group allegedly chose DoH as the exfiltration channel because the DNS queries travel inside encrypted HTTPS, which lets the stolen data leave without being picked up by conventional DNS detection or monitoring.
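The two detection angles a defender has against this technique are the encoded-looking query names that DNS tunnelling produces (whether sent over UDP/53 or DoH) and the fact that DoH traffic itself has recognisable features on a web proxy (RFC 8484 defines the `application/dns-message` media type, and public resolvers conventionally serve `/dns-query`). The following Python script is an added example, not code from this article, from Kaspersky or from the DNSExfiltrator project. The log formats, hostnames ending in `.test`, client addresses and thresholds are all constructed for the example; the public resolver names in `KNOWN_DOH_HOSTS` are just examples of a list an operator would maintain.

```python
import math
from collections import defaultdict

# Constructed sample DNS resolver log (not real traffic). Fields: timestamp client qname qtype.
SAMPLE_DNS_LOG = """\
2020-05-12T10:00:01Z 10.0.0.5 www.example.com A
2020-05-12T10:00:02Z 10.0.0.5 mail.example.com A
2020-05-12T10:00:03Z 10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43u.c2-placeholder.test TXT
2020-05-12T10:00:03Z 10.0.0.7 ovsgk3dmn5sxgzlmmzzgk2lomvzgc3dm.c2-placeholder.test TXT
2020-05-12T10:00:04Z 10.0.0.7 mrqxizjonfzwc3dmn5zwk4tkmrzxi2lo.c2-placeholder.test TXT
2020-05-12T10:00:04Z 10.0.0.7 onqwy5dlnfzsaytfn5zcacdpnbqxizls.c2-placeholder.test TXT
2020-05-12T10:00:05Z 10.0.0.5 cdn.example.com A
"""

# Constructed sample web-proxy log (not real traffic). Fields: client method host path content_type.
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET www.example.com / text/html
10.0.0.7 POST doh.resolver-placeholder.test /dns-query application/dns-message
10.0.0.7 POST doh.resolver-placeholder.test /dns-query application/dns-message
10.0.0.9 GET cloudflare-dns.com /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB application/dns-message
"""

# Thresholds are assumptions for this example; tune them against your own baseline traffic.
MIN_LABEL_LEN = 20          # encoded data chunks tend to be long labels
MIN_LABEL_ENTROPY = 3.0     # bits per character; ordinary hostnames are usually well below this
MIN_UNIQUE_SUBDOMAINS = 3   # distinct encoded labels under one domain from one client

# Example public DoH resolvers; the operator maintains the real list for their environment.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google"}
DOH_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of a string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_looks_encoded(label: str) -> bool:
    """A DNS label is suspicious if it is long and high-entropy (typical of base32/base64 chunks)."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_LABEL_ENTROPY


def base_domain(qname: str) -> str:
    """Approximate the registered domain as the last two labels (no public-suffix list here)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def find_dns_exfil_candidates(log_text: str) -> dict:
    """Return {(client, base_domain): count} for clients that sent many encoded-looking labels."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        _ts, client, qname, _qtype = parts[:4]
        first_label = qname.split(".")[0]
        if label_looks_encoded(first_label):
            seen[(client, base_domain(qname))].add(first_label)
    return {key: len(labels) for key, labels in seen.items()
            if len(labels) >= MIN_UNIQUE_SUBDOMAINS}


def find_doh_candidates(log_text: str) -> list:
    """Return (client, host, reason) tuples for proxy entries that look like DNS-over-HTTPS."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines
        client, _method, host, path, ctype = parts[:5]
        if host.lower() in KNOWN_DOH_HOSTS:
            hits.append((client, host, "known public DoH resolver"))
        elif ctype.lower() == DOH_MEDIA_TYPE:
            hits.append((client, host, "dns-message media type"))
        elif path.startswith("/dns-query"):
            hits.append((client, host, "dns-query path"))
    return hits


if __name__ == "__main__":
    for (client, domain), n in find_dns_exfil_candidates(SAMPLE_DNS_LOG).items():
        print(f"DNS exfil candidate: {client} -> {domain} ({n} encoded labels)")
    for client, host, reason in find_doh_candidates(SAMPLE_PROXY_LOG):
        print(f"DoH candidate: {client} -> {host} ({reason})")
```

The two checks are complementary: the entropy heuristic only works where the resolver sees the plaintext query names, which is exactly what DoH takes away from a network monitor, so the proxy-side check (resolver allowlist, media type, path) is what restores visibility into which hosts are resolving names outside the corporate resolver. The last-two-labels approximation of the registered domain will misgroup names under suffixes such as `co.uk`; a production version would use a public-suffix list.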
