SecurityWeek

Network Security

Chinese Hackers Have Been Probing DNS Networks Globally for Years: Report

While China-linked Muddling Meerkat’s operations look like DNS DDoS attacks, it seems unlikely that denial of service is their goal, at least in the near term.

A newly uncovered Chinese threat actor has been scanning DNS networks around the world for years, sending vast numbers of queries via open DNS resolvers, according to network security company Infoblox.

Dubbed Muddling Meerkat (PDF) and apparently linked to the Chinese government, the threat actor appears able to control the Great Firewall (GFW) of China, the nation's system for censoring and manipulating internet traffic entering and leaving the country.

Active since October 2019, Muddling Meerkat's operations resemble Slow Drip (also known as random-prefix) attacks, a form of distributed denial-of-service (DDoS) in which queries for large numbers of randomly named, non-existent subdomains are pushed through open resolvers to exhaust a target's DNS servers. The threat actor's goal, however, does not appear to be DNS DDoS, and its motivation remains unclear.

With the ability to evade network defenses and remain hidden, Muddling Meerkat may be pre-positioning itself for possible disruptive cyberattacks, similar to Volt Typhoon’s apparent intentions that the US warned about earlier this year.

Muddling Meerkat's operations, Infoblox says, are complex: the threat actor manipulates DNS mail server (MX) records by injecting fake responses through the GFW, and has been observed using Chinese IP addresses to send DNS queries for random subdomains to open resolvers around the world.

What sets the threat actor apart is the use of false MX record responses originating from Chinese IP addresses. These contain properly formatted MX resource records, which differs from the standard behavior of the GFW.


China's GFW is known for poisoning the DNS cache of the requester by injecting false answers to DNS queries alongside the legitimate response, rather than altering the legitimate response in transit. Beijing is also known to operate a separate system, the Great Cannon (GC), to launch DDoS attacks.

“The MX answer records for Muddling Meerkat are only observable in data collected outside of the normal DNS resolution chain because the source of the response is not a DNS resolver but instead a random Chinese IP address,” Infoblox notes.

The MX records containing random hostnames were first seen in October 2019, but the volume of such MX resolutions began to climb in September 2023 and continued into 2024.

In addition to abusing MX records, Muddling Meerkat was seen using domains registered before the year 2000 to stay off DNS blocklists, selecting domains for abuse based on length and age rather than ownership, running campaigns of one to three days almost continuously, initiating DNS queries from dedicated servers, and keeping operations small to avoid detection.

“Every detail of Muddling Meerkat operations demonstrates sophistication and deep knowledge of DNS. The activity includes behavior not previously reported for the GFW, the nature of which ties the actor to Chinese nation state actors,” Infoblox notes.

For years, Infoblox tracked MX record responses from Chinese IP addresses for Muddling Meerkat target domains, which suggests a connection between the threat actor and the GFW operators, and found that the operations are carried out in stages.

Network administrators are advised to identify and eliminate open resolvers in their networks, use only trusted domains for Active Directory and DNS search lists, implement DNS detection and response (DNSDR), review the shared indicators of activity (which do not necessarily indicate compromise), and report any Muddling Meerkat activity they identify.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
