13 June 2022

Iranian cyber snoops attack energy sector with new DNS backdoor

The Lyceum cyber espionage group, which is believed to be connected to the Iranian government, conducts attacks on companies in the energy and telecommunication sectors using a new DNS backdoor.

According to analysis from cloud security company Zscaler, the new backdoor is built on the .NET platform. Using a customized version of the open-source DIG.net tool, it carries out "DNS hijacking" attacks (manipulating DNS queries to redirect users to malicious clones of legitimate sites), executes commands, drops payloads, and exfiltrates data.

The Lyceum APT set up a fake news site that distributes a Word document containing a malicious macro. The document poses as a news report on Iranian military affairs. When visitors download the file from the site, it asks them to enable macros to view the content. Once macros are enabled, the DnsSystem.exe backdoor is dropped into the Startup folder on the victim's machine to establish persistence across reboots.

The backdoor sends DNS queries for various record types to the attackers' custom DNS server and parses the responses to obtain system commands to run remotely, and it uploads and downloads files to and from the C2 server over the DNS protocol. It receives commands from the C2 and executes them on the breached systems, can steal local files and transfer them to the C2, and can download files from a remote resource and drop additional payloads.
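Detection is the defender's side of this picture: a backdoor that moves commands and files over DNS shows up in resolver logs as many queries from one host to one domain, carrying long encoded subdomain labels and often using record types such as TXT that can hold data in the response. The following Python script, an added example that is not part of the original article or of any Zscaler tooling, scores a constructed DNS query log with those heuristics; the four-column log format, the domain names, and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (timestamp client qname qtype); not real traffic.
# The 10.0.0.7 queries mimic a DNS backdoor: long hex-encoded labels under one
# domain, asking for TXT records that can carry data back to the client.
SAMPLE_LOG = """\
2022-06-13T10:00:01 10.0.0.5 www.example.com A
2022-06-13T10:00:02 10.0.0.5 cdn.example.net A
2022-06-13T10:00:03 10.0.0.7 3f9a1c7e0b5d2846e81d5b3a7f0c9462b4c07e2a9d61f853.updates-cdn.example.org TXT
2022-06-13T10:00:04 10.0.0.7 e81d5b3a7f0c9462b4c07e2a9d61f8533f9a1c7e0b5d2846.updates-cdn.example.org TXT
2022-06-13T10:00:05 10.0.0.7 b4c07e2a9d61f8533f9a1c7e0b5d2846e81d5b3a7f0c9462.updates-cdn.example.org TXT
2022-06-13T10:00:06 10.0.0.5 mail.example.com MX
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random hex approaches 4.0, ordinary labels sit well below 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname: str):
    """Assumption: the registered domain is the last two labels (no public-suffix lookup)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]

def parse_log(text: str):
    """Yield (client, qname, qtype) from the constructed four-column log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _ts, client, qname, qtype = parts
            yield client, qname, qtype

def find_suspicious(text: str, min_queries=3, min_label_len=30, min_entropy=3.5):
    """Flag (client, domain) pairs that repeatedly send long, high-entropy labels."""
    encoded = defaultdict(list)  # (client, domain) -> record types of encoded queries
    for client, qname, qtype in parse_log(text):
        domain, sub_labels = split_name(qname)
        if not sub_labels:
            continue
        longest = max(sub_labels, key=len)
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            encoded[(client, domain)].append(qtype)
    return {key: {"encoded_queries": len(types), "qtypes": sorted(set(types))}
            for key, types in encoded.items() if len(types) >= min_queries}

if __name__ == "__main__":
    for (client, domain), info in find_suspicious(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {info}")
```

The thresholds are starting points to tune per environment: CDNs, anti-malware reputation lookups and some mail-security products also emit long DNS labels, so a hit is a lead to investigate rather than proof of compromise.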

The Lyceum APT is known for targeting oil and gas organizations and telecommunication providers in the Middle East. The first report about the group's activity emerged at the beginning of August 2019. At the time, the hackers gained initial access to organizations' systems using account credentials obtained via password spraying or brute-force attacks.
