An Iranian hacking group known as Oilrig has become the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks.
Speaking in a webinar last week, Vicente Diaz, a malware analyst for antivirus maker Kaspersky, said the change happened in May this year when Oilrig added a new tool to its hacking arsenal.
According to Diaz, Oilrig operators began using a new utility called DNSExfiltrator as part of their intrusions into hacked networks. [...]
Diaz said Oilrig, also known as APT34, has been using DNSExfiltrator to move data laterally across internal networks, and then exfiltrate it to an outside point.
Oilrig is most likely using DoH as an exfiltration channel to avoid having its activities detected or monitored while moving stolen data.
This is because DoH is currently a near-ideal exfiltration channel for two primary reasons. First, it is a new protocol that not all security products are yet capable of monitoring. Second, it is encrypted by default, whereas classic DNS travels in cleartext. [...]
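The two properties above cut both ways for a defender: the payload is encrypted, but the connection to a DoH resolver and the shape of the names being resolved are still observable. The following script is an added example, not Kaspersky's tooling or anything from the DNSExfiltrator project; it runs two detection heuristics over constructed log data. The first flags web-proxy requests that look like RFC 8484 DoH traffic (a `/dns-query` path, the `application/dns-message` media type, or a well-known public resolver such as dns.google) and totals the bytes each client sends that way, since a normal DNS message is small. The second scores DNS query names by the length and Shannon entropy of their subdomain labels, which is what data smuggled inside hostnames tends to look like. The log format, hostnames, IPs and thresholds are all assumptions made for the example.

```python
"""Spot DoH traffic and exfiltration-shaped DNS names in constructed logs.

Added example with two defender-side heuristics (not the page's own code):
 1. Proxy log lines whose destination looks like a DoH endpoint
    (RFC 8484: /dns-query path, application/dns-message media type,
    or a well-known public resolver), plus per-client DoH byte totals.
 2. Query names whose subdomain labels are long and high-entropy.
"""
import math
from collections import Counter

# Real public DoH resolver hostnames; illustrative, not exhaustive.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

# Constructed proxy log. Assumed format per line:
#   client method host path content_type bytes
PROXY_LOG = """\
10.0.0.5 GET www.example.com / text/html 1422
10.0.0.7 POST dns.google /dns-query application/dns-message 512
10.0.0.7 GET cloudflare-dns.com /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB application/dns-message 128
10.0.0.9 POST 198.51.100.20 /dns-query application/dns-message 4096
10.0.0.5 GET cdn.example.net /assets/app.js application/javascript 90211
"""

# Constructed DNS query names. The fourth is shaped like encoded data in
# subdomain labels; the last is long but repetitive, so entropy stays low.
DNS_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn-assets.example.net",
    "k4f9s2h1d7q8w3e5r6t0y2u1i9o4p7a3.s8d7f6g5h4j3k2l1.exfil-example.test",
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com",
]


def is_doh_request(host, path, content_type):
    """True if the request matches any DoH indicator (RFC 8484 wire format)."""
    if host in KNOWN_DOH_HOSTS:
        return True
    if content_type == "application/dns-message":
        return True
    # GET form carries the message in ?dns=..., so strip the query string.
    return path.split("?")[0].rstrip("/").endswith("/dns-query")


def find_doh_requests(log_text):
    """Return (client, host, bytes) for every DoH-looking proxy log line."""
    hits = []
    for line in log_text.splitlines():
        client, _method, host, path, ctype, nbytes = line.split()
        if is_doh_request(host, path, ctype):
            hits.append((client, host, int(nbytes)))
    return hits


def doh_bytes_by_client(log_text):
    """Total bytes each client pushed to DoH endpoints; large totals stand out."""
    totals = Counter()
    for client, _host, nbytes in find_doh_requests(log_text):
        totals[client] += nbytes
    return dict(totals)


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def subdomain_data(name):
    """Join all labels left of the registered domain (naive: last two labels)."""
    labels = name.rstrip(".").split(".")
    return "".join(labels[:-2])


def is_suspicious_qname(name, min_len=40, min_entropy=3.5):
    """Flag names whose subdomain payload is both long and high-entropy."""
    data = subdomain_data(name)
    return len(data) >= min_len and shannon_entropy(data) >= min_entropy


def find_suspicious_qnames(names):
    return [n for n in names if is_suspicious_qname(n)]


if __name__ == "__main__":
    for hit in find_doh_requests(PROXY_LOG):
        print("DoH request:", hit)
    print("DoH bytes by client:", doh_bytes_by_client(PROXY_LOG))
    print("Suspicious names:", find_suspicious_qnames(DNS_QUERIES))
```

Both heuristics only see metadata: the proxy check cannot read the encrypted DNS message itself, and the name check only applies where the resolver is one you can log (an internal resolver, or a DoH endpoint behind TLS inspection). In practice you would allowlist the DoH resolver your endpoints are configured to use, alert on any other `/dns-query` destination, and tune the length and entropy thresholds against your own baseline, since long CDN or cloud hostnames can creep above a naive cutoff.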
Kaspersky says the Oilrig (APT34) group has been using DoH to silently exfiltrate data from hacked networks.