Iranian Hacker group: first APT to use DNS over HTTPS for Attacks

An Iranian cybercriminal group, also known as APT34, has been reported as the first-ever known group to use DNS over HTTPS protocol to exfiltrate data on compromised systems.

Vicente Diaz, a malware analyst for antivirus maker Kaspersky, spoke about the attacks at a webinar last week. He said that these types of attacks had been carried out in the past. The only difference is that they are now attacking using HTTPS. The group added a new tool in May. Now, it has become easier for the attackers to send this data over the network abruptly and more difficult for the operators to find this data in the traffic.

These types of attacks have been observed in European regions and on subdomains related to the COVID-19. It is easier to attack the victims using COVID subdomain, given the anxiety and fear the pandemic has created worldwide.

The group, named Oilrig, is functioning using a new utility called DNSExfiltrator for its hacking ventures. It is an open-source project which is available on GitHub. It creates covert communication channels. It does so by funneling data and then hiding it inside non-standard protocols.

DNSExfiltrator is capable of transferring data between two points using the classic DNS requests. It is also capable of handling the DoH protocol.

The group has been claimed to use DSPionage since 2018, a custom-built tool. It has a history of working with DNS-bases exfiltration techniques.

Oilrig is the first APT (Advanced Persistent Threats), which has deployed DoH, and it has done that for two main reasons: this is a new attack, so most systems are not equipped to deal with it, and it is encrypted by default which makes it untraceable.

In the same month, as Oilrig adapted the new technique, some other incidents involving Iranian hackers were reported. However, the linkage between these two is not clear. Nothing can be said confidently.