0 %

Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks

June 13, 2022
DNS Hijacking Malware

The Iranian state-sponsored risk star tracked under the tag Lyceum has actually looked to utilizing a brand-new custom.NET-based backdoor in current projects routed versus the Center East.

” The brand-new malware is a.NET based DNS Backdoor which is a tailored variation of the open resource device ‘DIG.net,'” Zscaler ThreatLabz scientists Niraj Shivtarkar as well as Avinash Kumar said in a record released recently.

” The malware leverages a DNS assault strategy called ‘DNS Pirating’ in which an attacker-controlled DNS web server adjusts the action of DNS inquiries as well as settles them based on their destructive needs.”


DNS hijacking is a redirection attack in which DNS inquiries to real internet sites are obstructed to take an unwary customer to deceptive web pages under an opponent’s control. Unlike cache poisoning, DNS hijacking targets the DNS document of the site on the nameserver, as opposed to a resolver’s cache.

DNS Hijacking Malware

Lyceum, additionally referred to as Hexane, Spirlin, or Siamesekitten, is largely understood for its cyber assaults between East as well as Africa. Previously this year, Slovak cybersecurity company ESET connected its tasks to an additional risk star called OilRig (also known as APT34).

The most up to date infection chain includes making use of a macro-laced Microsoft Paper downloaded and install from a domain “news-spot[.] live,” posing a legitimate news report from Radio Free Europe/Radio Freedom regarding Iran’s drone strikes in December 2021.

DNS Hijacking Malware

Allowing the macro leads to the implementation of a harmful code that goes down the dental implant to the Windows Startup folder to develop determination as well as guarantee it immediately runs whenever the system is reactivated.


The.NET DNS backdoor, referred to as DnsSystem, is a remodelled version of the open-source DIG.net DNS resolver device, making it possible for the Lyceum star to analyze DNS feedbacks provided from the DNS web server (” cyberclub[.] one”) as well as perform its villainous objectives.

Along with abusing the DNS procedure for command-and-control (C2) interactions to escape discovery, the malware is geared up to submit as well as download and install approximate documents to as well as from the remote web server along with perform destructive system regulates from another location on the jeopardized host.

” suitable risk stars are constantly progressing their methods as well as malware to effectively perform assaults versus their targets,” the scientists claimed. “Attackers constantly accept brand-new anti-analysis methods to escape safety and security remedies; re-packaging of malware makes fixed evaluation much more difficult.”

Posted in SecurityTags:
Write a comment