www.zscaler.com
Open in
urlscan Pro
2606:4700::6812:1d4a
Public Scan
URL:
https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor
Submission: On September 21 via api from DE — Scanned from DE
Submission: On September 21 via api from DE — Scanned from DE
Form analysis
3 forms found in the DOM<form class="topSearch_searchInputWrapper__n8dSG" __bizdiag="107944136" __biza="W___"><input type="text" name="query" class="topSearch_searchInput__E0Bk3" placeholder="What are you looking for?" aria-label="What are you looking for?"
aria-hidden="true" tabindex="-1" value=""></form>
<form class="marketoForm_root__Wkgni marketoForm_variant_cta_module__IwKzs" id="mktoForm_7971" style="opacity:0" __bizdiag="196539198" __biza="W___"></form>
<form class="marketoForm_root__Wkgni marketoForm_variant_footer__jwLCq footer-subscription" id="mktoForm_1944" style="opacity:0" __bizdiag="196360362" __biza="W___"></form>
Text Content
This site uses JavaScript to provide a number of functions, to use this site please enable JavaScript in your browser. OpenSearch CXO REvolutionariesCareersPartnersSupport ShowContact UsOptions Get in touch1-408-533-0288Chat with us ShowSign InOptions admin.zscaler.netadmin.zscalerone.netadmin.zscalertwo.netadmin.zscalerthree.netadmin.zscalerbeta.netadmin.zscloud.netZscaler Private Access Home The Zscaler ExperienceProducts & SolutionsPlatformResourcesCompany Request a demoopen search open navigation The Zscaler Experience Zscaler: A Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge (SSE) Get the full report Your world, secured Experience the transformative power of zero trust. The Zscaler Difference The Zscaler Difference Experience the World’s Largest Security Cloud Customer Success Stories Analyst Recognition Machine Learning and AI at Zscaler Reduce Your Carbon Footprint Zero Trust Fundamentals Zero Trust Fundamentals What is Zero Trust? What Is Security Service Edge (SSE)? What Is Secure Access Service Edge (SASE)? What Is Zero Trust Network Access (ZTNA)? What Is Secure Web Gateway (SWG)? What Is Cloud Access Security Broker (CASB)? What Is Cloud Native Application Protection Platform (CNAPP)? Zero Trust Resources Products & Solutions Secure Your Users Provide users with seamless, secure, reliable access to applications and data. Secure Your Workloads Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud. Secure Your IoT and OT Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems. Products Products Transform your organization with 100% cloud native services Secure Internet Access (ZIA) Secure Private Access (ZPA) Data Protection (CASB/DLP) Digital Experience (ZDX) Posture Control Partner IntegrationsIndustry and Market Solutions Solution Areas Solution Areas Propel your business with zero trust solutions that secure and connect your resources Stop Cyberattacks Protect Data Zero Trust App Access VPN Alternative Accelerate M&A Integration Optimize Digital Experiences Zero Trust Branch Connectivity Build and Run Secure Cloud Apps Zero Trust Cloud Connectivity Zero Trust for IoT/OT Zero Trust for Private 5G Find a product or solution Platform Zero Trust Exchange Platform Learn how Zscaler delivers zero trust with a cloud native platform that is the world’s largest security cloud Zero Trust Exchange PlatformTitle Link Transform with Zero Trust Architecture Transform with Zero Trust Architecture Propel your transformation journey Secure Digital Transformation Network Transformation Application Transformation Security Transformation Secure Your Business Goals Secure Your Business Goals Achieve your business and IT initiatives Ensure Secure Business Continuity Accelerate M&A and Divestitures Recession-Proof Your Enterprise Secure Your Hybrid Workforce Download Zscaler Client Connectors Resources Learn, connect, and get support. Explore tools and resources to accelerate your transformation and secure your world Learn, connect, and get support.Title Link Amplifying the voices of real-world digital and zero trust pioneers Visit now Resource Center Resource Center Stay up to date on best practices Resource Library Blog Customer Success Stories Webinars & Demos Zpedia Events & Trainings Events & Trainings Find programs, certifications, and events Upcoming Events Zenith Live Zscaler Academy Interactive Zscaler Whiteboard Workshop Security Research & Services Security Research & Services Get research and insights at your fingertips ThreatLabz Analytics Tools Tools Tools designed for you Security Preview Security and Risk Assessment Security Advisory Updates Disclose a Vulnerability Executive Insights App Ransomware Protection ROI Calculator Community & Support Community & Support Connect and find support Customer Success Center Zenith Community CXO REvolutionaries Zscaler Help Portal Download Zscaler Client Connector Industry & Market Solutions Industry & Market Solutions See solutions for your industry and country Public Sector Healthcare Financial Services Education See all Resource Center Resource Center Stay up to date on best practices Resource Library Blog Customer Success Stories Webinars & Demos Zpedia Events & Trainings Events & Trainings Find programs, certifications, and events Upcoming Events Zenith Live Zscaler Academy Interactive Zscaler Whiteboard Workshop Security Research & Services Security Research & Services Get research and insights at your fingertips ThreatLabz Analytics Tools Tools Tools designed for you Security Preview Security and Risk Assessment Security Advisory Updates Disclose a Vulnerability Executive Insights App Ransomware Protection ROI Calculator Community & Support Community & Support Connect and find support Customer Success Center Zenith Community CXO REvolutionaries Zscaler Help Portal Download Zscaler Client Connector Industry & Market Solutions Industry & Market Solutions See solutions for your industry and country Public Sector Healthcare Financial Services Education See all Company About Zscaler Discover how it began and where it’s going Partners Meet our partners and explore system integrators and technology alliances News & Announcements Stay up to date with the latest news Leadership Team Meet our management team Partner Integrations Explore best-in-class partner integrations to help you accelerate digital transformation Investor Relations See news, stock information, and quarterly reports Environmental, Social & Governance Learn about our ESG approach Careers Join our mission Press Center Find everything you need to cover Zscaler Compliance Understand our adherence to rigorous standards Zenith Ventures Understand our adherence to rigorous standards ZSCALER BLOG Get the latest Zscaler blog updates in your inbox Subscribe Security Research LYCEUM .NET DNS BACKDOOR NIRAJ SHIVTARKAR, AVINASH KUMAR June 09, 2022 - 10 min read Security Insights Contents 1. Article 2. More blogs Copy URL Copy URL Active since 2017, Lyceum group is a state-sponsored Iranian APT group that is known for targeting Middle Eastern organizations in the energy and telecommunication sectors and mostly relying on .NET based malwares. Zscaler ThreatLabz recently observed a new campaign where the Lyceum Group was utilizing a newly developed and customized .NET based malware targeting the Middle East by copying the underlying code from an open source tool. KEY FEATURES OF THIS ATTACK: 1. The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool “DIG.net” 2. The malware leverages a DNS attack technique called "DNS Hijacking" in which an attacker- controlled DNS server manipulates the response of DNS queries and resolve them as per their malicious requirements. 3. The malware employs the DNS protocol for command and control (C2) communication which increases stealth and keeps the malware communication probes under the radar to evade detection. 4. Comprises functionalities like Upload/Download Files and execution of system commands on the infected machine by abusing DNS records, including TXT records for incoming commands and A records for data exfiltration. DELIVERY MECHANISM During this campaign, the macro-enabled Word document (File name: ir_drones.docm) shown below is downloaded from the domain “http[:]//news-spot.live” disguising itself as a news report related to military affairs in Iran. The text of the document is copied from the following original report here: https[:]//www[.]rferl[.]org/a/iran-drone-program-threats-interests/31660048.html Fig 1. Attached Macro-enabled Word Document Once the user enables the macro content, the following AutoOpen() function is executed which increases picture brightness using “PictureFormat.Brightness = 0.5” revealing content with the headline, “Iran Deploys Drones To Target Internal Threat, Protect External Interests.” Fig 2. AutoOpen() function revealing content to lure the victims The threat actor then leverages the AutoClose() function to drop the DNS backdoor onto the system. Upon closing the document the AutoClose() function is executed, reading a PE file from the text box present on the 7th page of the word document and parsing it further into the required format as shown below with the “MZ” header as the initial two bytes of the byte stream. Fig 3. AutoClose() function reading the PE File This PE file is then further written into the Startup folder in order to maintain persistence via the macro code as shown below in the screenshot. With this tactic, whenever the system is restarted, the DNS Backdoor is executed. Fig 4. DNS Backdoor dropped in the Startup folder The dropped binary is a .NET based DNS Backdoor named “DnsSystem” which allows the threat actors to execute system commands remotely and upload/download data on the infected machine. Below, we analyze the dropped .NET based DNS Backdoor and its inner workings. LYCEUM .NET DNS BACKDOOR The Lyceum Group has developed a .NET based DNS Backdoor which has been widely used in the wild in their recent campaigns. As discussed earlier, the backdoor was dropped in the Startup folder of the infected system from a Macro Enabled Word document. md5: 8199f14502e80581000bd5b3bda250ee Filename: DnsSystem.exe ATTACK CHAIN ANALYSIS The .NET based DNS Backdoor is a customized version of the Open source tool DIG.net (DnsDig) found here: DNS.NET Resolver (C#) - CodeProject. DIG.net is an open source DNS Resolver which can be leveraged to perform DNS queries onto the DNS Server and then parse the response. The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query in order to execute system commands remotely, and upload/download files from the Command & Control server by leveraging the DNS protocol. Initially the malware sets up an attacker controlled DNS server by acquiring the IP Address of the domain name “cyberclub[.]one” = 85[.]206[.]175[.]199 using Dns.GetHostAddresses() for the DIG Resolver function, which in turn triggers an DNS request to cyberclub[.]one for resolving the IP address. Now this IP is associated as the custom attacker controlled DNS Server for all the further DNS queries initiated by the malware. Fig 5. Initialize Attacker-Controlled DNS Server Next, the Form Load function generates a unique BotID depending on the current Windows username. It converts the username into its MD5 equivalent using the CreateMD5() function, and parses the first 8 bytes of the MD5 as the BotID for the identification of the user and system infected by the malware. Fig 6. Generation of BotID using the Windows username Now, the backdoor needs to receive commands from the C2 server in order to perform tasks. The backdoor sends across an initial DNS query to “trailers.apple.com” wherein the domain name “trailers.apple.com” is concatenated with the previously generated BotID before initiation of the DNS request. The DNS query is then sent to the DNS server in order to fetch the “TXT” records for the provided domain name by passing three arguments to the BeginDigIt() function: * Name: Target Domain name - EF58DF5Ftrailers.apple.com * qType: Records to be queried - TXT * qClass: Dns class value - IN (default) Fig 7. Setup of DNS Query parameters before execution of BeginDigIt() Function The BeginDigIt function then executes the main DNS resolver function “DigIt.” This sends across the DNS query in order to fetch the DNS record for the provided target domain name to the DNS server, and parses the response as seen in the code snippet below. Fig 8. DNS Query DigIt Function Comparing the Digit Resolver Code DigIt() function strings with the Dig.Net tool output from the screenshot shown below provides us further assurance that the Dig.Net tool has been customized by the Lyceum Group to develop the following .Net based DNS backdoor. . Fig 9. Original Dig.net GUI Output The malware utilizes a DNS attack technique known as “DNS Hijacking” where in the DNS server is being controlled by the attackers which would allow them to manipulate the response to the DNS queries. Now let's analyze the DNS Hijacking routine below. As discussed earlier, the backdoor performs initial DNS queries in order to fetch the TXT records for the domain EF58DF5trailers.apple.com. EF58DF5 is the BotID generated based on the Windows user to receive commands from the C2 server. Fig 10. DNS query to attacker-controlled DNS server to fetch TXT records. As can be seen in the above screenshot, a DNS query is performed to fetch the TXT records for the domain name: EF58DF5trailers.apple.com to the DNS Server: 85[.]206[.]175[.]199 which is the attacker-controlled DNS server previously initialized. Here’s where the DNS hijacking happens: As the malware sends across a DNS query to fetch the TXT records to the attacker-controlled DNS server, the attacker controlled DNS server responds with an incorrect response consisting of the commands to be executed by the backdoor such as ipconfig,whoami,uploaddd etc as shown in the screenshot below. Fig 11. Ipconfig command returned as the TXT record from the attacker controlled DNS server Following is the DIG.Net DNS response received by the backdoor and then further parsed in order to execute commands on the infected machine. Fig 12. DIG.net output received by the backdoor The above screenshot consists of the DNS query performed to the attacker controlled DNS server along with the target domain name EF58DF5trailers.apple.com. The Answer section consists of the query response, which includes the target Domain name and the response to the TXT record with two values, “ipconfig” - command to be executed and “1291” - Communication ID Next, the Dig.net response is parsed using multiple pattern regex code routines which parse out the TXT record values—the aforementioned command and communication ID—from the complete response received by the malware. Fig 13. Parsing of TXT Records Next, depending on the command received in the TXT record from the C2 server, there are three functions which can be performed by the Lyceum backdoor: * Download Files - If the command received from the DNS query consists of a string: “downloaddd” it initiates the download routine and downloads the file from the URL using DownloadFileAsync(). The URL would be the first 11 bytes of the TXT record response value, and stores that downloaded file in the Downloads folder as shown below in the code snippet. This functionality can be leveraged to drop additional malware on the infected machine. Fig 14. Backdoor Download Routine * Upload Files - If the command received from the DNS query consists of a string: “uploaddd”, it uploads the local file on the disk using UploadFileAsync() function to an External URL after parsing the TXT record response value into two variables: uriString (external URL) and filename (Local File). This functionality can be leveraged to exfiltrate data. Fig 14. Backdoor Upload Routine * Command Execution - If none of the above strings match the TXT record response then the response is passed on to the Command execution routine. There, the response to the txt record is executed as a command on the infected machine using “cmd.exe /c <txt_record_response_command>” and the command output is sent across to the C2 server in the form of DNS A Records. Fig 15. Backdoor Command Execution Routine In this case, the TXT record response we received for the DNS query performed against the attacker controlled DNS server is “ipconfig”. This response initiates the Command execution routine of the backdoor and thus the command “ipconfig” would be executed on the infected machine - cmd.exe /c ipconfig Further, the command output is exfiltrated to the C2 server, encoded in Base64 and then concatenated with the Communication ID and the previously generated BotUID using “$” as the separator. Fig 16. Command Output exfiltration Pattern setup Data Exfil Pattern: [base64encoded_command_output]$[communication_id]$[Bot_ID] Once the command output is encoded in the above mentioned pattern, the DNS backdoor then sends across the output to the C2 server via DNS query in the form of A records in multiple blocks of queries, where the A record values consists of the encoded command output. Once the command output is transmitted completely, an “Enddd” command is sent across in a Base64-encoded data exfil pattern to notify the end of the command output as shown below in the screenshot. Fig 17. Exfiltration of Encoded Command Output via A records queries on the attacker controlled DNS server Decoded A Records: IPConfig Command Output - Encoded A record = ICAgSVB2NCBBZGRyZXNzLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDogMTkyLjE2OC4.yLjEw$929$5686BB2F Decoded A record = IPv4 Address. . . . . . . . . . . : 192.168.2.10 $ ComID: 929 $ UID: 5686BB2F End Command - Encoded A record = RW5kZGQ=$1291$$EF58DF5F Decoded A record = Enddd $ ComID: 1291 $ UID: EF58DF5F Cloud Sandbox detection Fig 18: The Zscaler Cloud Sandbox successfully detected the malware. CONCLUSION APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets. Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes static analysis even more challenging. The Zscaler ThreatLabz team will continue to monitor these attacks to help keep our customers safe. MITRE ATT&CK mapping: T1059Command and Scripting InterpreterT1055Process InjectionT1562Disable or Modify ToolsT1010Application Window DiscoveryT1018Remote System DiscoveryT1057Process DiscoveryT1518Security Software DiscoveryT1071Application Layer Protocol IOC: Docm Hash: 13814a190f61b36aff24d6aa1de56fe2 Exe Hash: 8199f14502e80581000bd5b3bda250ee Domain and URL's: cyberclub[.]one hxxp://news-spot[.]live/Reports/1/?id=1111&pid=a52 hxxp://news-spot[.]live/Reports/1/?id=1111&pid=a28 hxxp://news-spot[.]live/Reports/1/?id=1111&pid=a40 hxxp://news-spot[.]live/Reports/1/45/DnsSystem[.]exe ABOUT THREATLABZ ThreatLabz is the security research arm of Zscaler. This world-class team is responsible for hunting new threats and ensuring that the thousands of organizations using the global Zscaler platform are always protected. In addition to malware research and behavioral analysis, team members are involved in the research and development of new prototype modules for advanced threat protection on the Zscaler platform, and regularly conduct internal security audits to ensure that Zscaler products and infrastructure meet security compliance standards. ThreatLabz regularly publishes in-depth analyses of new and emerging threats on its portal, research.zscaler.com. Stay updated on ThreatLabz research by subscribing to our Trust Issues newsletter today. EXPLORE MORE ZSCALER BLOGS Agniane Stealer: Dark Web’s Crypto Threat Read Post The Impact of the SEC’s New Cybersecurity Policies Read Post Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519) Read Post The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region Read Post 01 / 02 Go to next slideGo to previous slide GET THE LATEST ZSCALER BLOG UPDATES IN YOUR INBOX By submitting the form, you are agreeing to our privacy policy. THE ZSCALER EXPERIENCE Learn about: Your world, secured.Zero TrustSecurity Service Edge (SSE)Secure Access Service Edge (SASE)Zero Trust Network Access (ZTNA)Secure Web Gateway (SWG)Cloud Access Security Broker (CASB)Cloud Native Application Protection Platform (CNAPP) PRODUCTS & SOLUTIONS Secure Your Users Secure Your Workloads Secure Your IoT and OT Secure Internet Access (ZIA) Secure Private Access (ZPA) Digital Experience (ZDX) Posture Control Industry & Market Solutions Partner Integrations Zscaler Client Connector PLATFORM Zero Trust Exchange Platform Secure Digital Transformation Application Transformation Network Transformation Security Transformation RESOURCES Resource Library Security Preview Security & Risk Assessment Internet Threat Exposure Analysis ThreatLabz Analytics & Insights Upcoming Events Blog Zscaler Academy CXO Revolutionaries Zpedia Ransomware Protection ROI Calculator POPULAR LINKS Pricing & Plans About Zscaler Leadership Team Career Opportunities Find or Become a Partner Customer Success Center Investor Relations Press Center News & Announcements ESG Compliance Contact Zscaler Home English EnglishFrançaisDeutschItaliano日本Castellano - MexicoCastellano - España Zscaler is universally recognized as the leader in zero trust. Leveraging the largest security cloud on the planet, Zscaler anticipates, secures, and simplifies the experience of doing business for the world's most established companies. English EnglishFrançaisDeutschItaliano日本Castellano - MexicoCastellano - España Visit us on FacebookLinkedinFollow us on TwitterSubscribe our Youtube Channel SitemapPrivacyLegalSecurity © 2023 Zscaler, Inc. All rights reserved. Zscaler™ and other trademarks listed at zscaler.com/legal/trademarks are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the properties of their respective owners. Zscaler uses cookies to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics partners.Please review our Cookies Policy for more information. Cookies Settings Accept Cookies