Iranian hackers use a new DNS hijacking technique to launch attacks

Posted on June 13, 2022 at 4:07 AM

Iranian hackers use a new DNS hijacking technique to launch attacks

Iranian hackers are using a new hijacking malware to conduct attacks. These attacks were detected in an Iranian state-sponsored threat actor group using a new backdoor to launch attack campaigns targeting the Middle East.

Over the past few years, cybercriminals have been using new attack techniques to reach their target groups. Hence, the cybersecurity community has intensified calls for individuals and institutions to enhance their security measures to guarantee that attacks will not go undetected.

Iranian hackers use DNS hijacking malware to launch attacks

In recent campaigns, an Iranian state-sponsored hacking group dubbed Lyceum has turned towards a new custom .NET backdoor. These campaigns have been directed to the Middle East.

Niraj Shivtarkar and Avinash Kumar at Zscaler ThreatLabz released a report last week saying that the new malware was a tailored version of the open-source tool known as “”

“The malware leverages a DNS attack technique called ‘DNS Hijacking‘ in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements,” the researchers said.

DNS hijacking is one of the most popular attack techniques. It involves a redirection attack where DNS queries are intercepted before being sent to a genuine website. The attackers use the queries to redirect the unsuspecting user to malicious pages controlled by the attacker.

DNS hijacking is different from cache poisoning. Unlike cache poisoning, DNS hijacking involves targeting the DNS record of the website under the nameserver instead of using the resolver’s cache.

Lyceum is a state-sponsored hacking group in Iran. The group is also known by names like Hexane, Siamesekitten, and Spirlin. The hacking group usually directs its attacks to Africa and the Middle East.

The threat actor group does not always act alone. In the past, the group’s activities have been linked to other threat actors. At the beginning of the year, researchers with ESET, a cybersecurity firm based in Slovak, linked Lyceum’s activities to another threat actor known as OilRig or APT34.

In the latest attacks, the threat actor group duplicated a genuine website to target unsuspecting individuals. The infection shows that the attacker used a Microsoft document downloaded from the “news-spot[.]live domain. The website impersonated a genuine news report by Radio Free Europe or Radio Liberty. The news report mainly discussed drone strikes in Iran in December last year.

The attackers enabled the macro results by executing a malicious code that installed the implant on the Windows Startup folder. This is done to show persistence and ensure that the attacker’s goals are accomplished. It ensures that it runs automatically each time that the system is rebooted.

“The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query in order to execute system commands remotely, and upload/download files from the Command & Control server by leveraging the DNS protocol,” the announcement added.

Using a new malware

The .NET DNS backdoor is also known as the DnsSystem. It is a remodeled variant of, an open-source resolver tool. The backdoor allows the Lyceum actor to parse the DNS responses from the DNS server known as cyberclub[.]one. Once this happens, the threat actor can conduct an attack.

Lyceum is a persistent threat actor group, and the recent adoption of a new malware could only signify how far the threat actor group is willing to go to accomplish its objectives. Therefore, the recently discovered malware could just be the start of what the group is willing to do to accomplish its objectives.

In the recent attack, the threat actor group was also found to use techniques to help it avoid detection. The attackers abused the DNS protocol for command-and-control (C2) communications to hide their attacks.

The malware also contains features that allow it to upload and download arbitrary files to and from the remote server. It also serves other purposes, such as remotely executing malicious system commands on the compromised host. Therefore, the recent attack launched by the threat actor group shows an increased risk of persisting in these attacks.

“APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets. Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes static analysis even more challenging,” the researchers added.

Share this:

Related Stories:


Get the latest stories straight
into your inbox!


Discover more from KoDDoS Blog

Subscribe now to keep reading and get access to the full archive.

Continue reading