13 June 2022

Iranian cyber snoops attack energy sector with new DNS backdoor

The Lyceum cyber espionage group, believed to be linked to the Iranian government, is attacking companies in the energy and telecommunications sectors using a new DNS backdoor.

According to analysis from cloud security company Zscaler, the new backdoor is built on the .NET platform. Using a customized version of the open-source DIG.net tool, the backdoor carries out "DNS hijacking" attacks (manipulation of DNS queries to redirect users to malicious clones of legitimate sites), executes commands, drops payloads, and steals data.

The Lyceum APT created a fake news site that distributes a Word document containing a malicious macro. The document poses as a news report on Iranian military affairs. When visitors download the file from the site, it asks them to enable macros to view the content. Once macros are enabled, the DnsSystem.exe backdoor is dropped into the Startup folder on the victim's machine to establish persistence across reboots.

The operators issue DNS queries for various record types to their own custom DNS server and parse the responses to execute system commands remotely and to upload or download files from the C2 server over the DNS protocol. The backdoor receives commands from the C2 and executes them on the compromised system. It can also steal local files and transfer them to the C2, or fetch files from a remote resource and drop additional payloads.
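Because the backdoor's command and file transfer both ride on DNS queries to an attacker-controlled server, DNS resolver logs are the natural place to hunt for it. The following is an added detection example written for this page (not Zscaler's or the malware's own code); it scores each client/domain pair in constructed log lines by query volume, the proportion of unique subdomains and the entropy of the leading label, which is the pattern DNS-based C2 leaves behind. The log format and thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the article): "timestamp client qtype qname"
SAMPLE_LOG = """\
1655100001 10.0.0.5 A www.example.com
1655100002 10.0.0.5 A cdn.example.com
1655100003 10.0.0.7 TXT 7a9f3c1e02bd4.cmd.dns-c2.test
1655100004 10.0.0.7 TXT 91ee0b4d77fa1.cmd.dns-c2.test
1655100005 10.0.0.7 TXT c3d8ab2f66e07.cmd.dns-c2.test
1655100006 10.0.0.7 TXT 5f01de9a4bb3c.cmd.dns-c2.test
1655100007 10.0.0.7 TXT ab77c0e915d62.cmd.dns-c2.test
1655100008 10.0.0.7 TXT 0e4d2c8f7aa19.cmd.dns-c2.test
1655100009 10.0.0.5 A mail.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded command/file data scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def registered_domain(qname):
    # Naive last-two-labels split (assumption; production code should use a public-suffix list)
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_dns_c2_candidates(log_text, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Return client/domain pairs whose query pattern looks like DNS-tunnelled C2."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "txt": 0, "ent": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qtype, qname = parts
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        st = stats[(client, dom)]
        st["queries"] += 1
        st["subs"].add(sub)
        st["txt"] += qtype == "TXT"
        if sub:
            st["ent"].append(shannon_entropy(sub.split(".")[0]))
    flagged = []
    for (client, dom), st in stats.items():
        if st["queries"] < min_queries:
            continue
        unique_ratio = len(st["subs"]) / st["queries"]
        avg_entropy = sum(st["ent"]) / len(st["ent"]) if st["ent"] else 0.0
        if unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            flagged.append({"client": client, "domain": dom, "queries": st["queries"],
                            "txt_queries": st["txt"], "avg_entropy": round(avg_entropy, 2)})
    return flagged
```

Tune the thresholds against a baseline of your own resolver traffic; CDNs and some security products also generate many unique subdomains, so treat a hit as a lead for triage rather than a verdict.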

The Lyceum APT is known for targeting oil and gas organizations and telecommunications providers in the Middle East. The first report on the group's activity emerged at the beginning of August 2019. At that time, the hackers gained initial access to an organization's systems using account credentials obtained through password spraying or brute-force attacks.
