Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH)

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
An Iranian hacking group known as Oilrig has become the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks.

Speaking in a webinar last week, Vincente Diaz, a malware analyst for antivirus maker Kaspersky, said the change happened in May this year when Oilrig added a new tool to its hacking arsenal.

According to Diaz, Oilrig operators began using a new utility called DNSExfiltrator as part of their intrusions into hacked networks. [...]

Diaz said Oilrig, also known as APT34, has been using DNSExfiltrator to move data laterally across internal networks, and then exfiltrate it to an outside point.

Oilrig is most likely using DoH as an exfiltration channel to avoid having its activities detected or monitored while moving stolen data.

This is because the DoH protocol is currently an ideal exfiltration channel for two primary reasons. First, it's a new protocol that not all security products are capable of monitoring. Second, it's encrypted by default, while DNS is cleartext. [...]
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Would the use of DNS-Over-TLS (DoT) be safer then?


For me I use VPNs so let the providers take safe care of my DNS queries
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top