Iranian Hackers Heavily Reliant on DNS Tunneling

Iran-linked cyber-espionage group OilRig is making broad use of DNS tunneling across its tools portfolio, Palo Alto Networks security researchers reveal.

Active since at least 2014 and said to have ties with the Iranian government, the hacking group has been mainly targeting the financial, government, energy, telecoms, and chemical sectors in the Middle East.

Over the years, the group has relied on a variety of tools to conduct attacks, but many of their Trojans use DNS tunneling to communicate with the command and control (C&C) server, a clear indicator of this being their preferred communication method.

Analysis of the technique revealed that in all cases the subdomains contain a randomly generated value to avoid cached responses; that an initial handshake is normally used to obtain a unique system identifier; that A, AAAA, and TXT query types are employed (the query type limits how much data the C&C can return to the Trojan in each response); and that all of the protocols generate a significant number of DNS queries.

The researchers also noticed that a hardcoded IP address is used to start and stop data transfers, and that sequence numbers are used when uploading data, so that the C&C can reconstruct it in the correct order.
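The traits listed above (a random value in every subdomain, a large number of queries to one domain, A/AAAA/TXT record types) are also what a defender can look for in resolver logs. The following is an added example, not code from the article or from Palo Alto Networks: a Python heuristic that parses simplified DNS log lines, profiles each registered domain by query volume, subdomain uniqueness and first-label entropy, and flags domains whose pattern matches tunneling. The log format, the sample lines and the placeholder domains `tunnel-example.test` and `example.com` are constructed for the example; the thresholds are assumptions meant to be tuned against real baseline traffic.

```python
"""Heuristic detection of DNS-tunneling-style query patterns (added example)."""
import math
import re
from collections import defaultdict

# Constructed sample resolver log, not real traffic. Format: "<ts> <client> <qtype> <qname>".
# "tunnel-example.test" and "example.com" are placeholder domains.
SAMPLE_LOG = """\
1 10.0.0.5 A www.example.com
2 10.0.0.5 AAAA q7x2m9kd4p1z.tunnel-example.test
3 10.0.0.5 AAAA b3n8v5c1r6t0.tunnel-example.test
4 10.0.0.5 A mail.example.com
5 10.0.0.5 AAAA h9j4k2l7m1n5.tunnel-example.test
6 10.0.0.5 AAAA w2e5r8t1y4u7.tunnel-example.test
7 10.0.0.5 A www.example.com
8 10.0.0.5 TXT z6x3c9v2b5n8.tunnel-example.test
9 10.0.0.5 AAAA a1s4d7f2g5h8.tunnel-example.test
10 10.0.0.5 A www.example.com
11 10.0.0.5 AAAA p3o6i9u2y5t8.tunnel-example.test
12 10.0.0.5 TXT k8j5h2g9f6d3.tunnel-example.test
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return (ts, client, qtype, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            records.append((ts, client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def registered_domain(qname):
    """Simplification: treat the last two labels as the registered domain.
    A production detector should use a public-suffix list instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_domains(records):
    """Aggregate per registered domain the signals the article describes:
    query volume, how many queried names are unique (random values -> near 1.0),
    how random the leftmost label looks, and which record types were used."""
    by_domain = defaultdict(list)
    for _, _, qtype, qname in records:
        by_domain[registered_domain(qname)].append((qtype, qname))
    stats = {}
    for domain, items in by_domain.items():
        names = [qname for _, qname in items]
        first_labels = [name.split(".")[0] for name in names]
        stats[domain] = {
            "queries": len(items),
            "unique_ratio": len(set(names)) / len(items),
            "mean_label_entropy": sum(shannon_entropy(l) for l in first_labels) / len(items),
            "qtypes": sorted({qtype for qtype, _ in items}),
        }
    return stats


def flag_tunneling(stats, min_queries=5, min_unique_ratio=0.9, min_entropy=3.0):
    """Thresholds are assumptions for this example; tune them on baseline traffic."""
    return sorted(
        domain for domain, s in stats.items()
        if s["queries"] >= min_queries
        and s["unique_ratio"] >= min_unique_ratio
        and s["mean_label_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    profile = profile_domains(parse_log(SAMPLE_LOG))
    for domain, s in profile.items():
        print(domain, s)
    print("flagged:", flag_tunneling(profile))
```

Record type alone is not a useful discriminator, since ordinary resolution also uses A and AAAA; the `qtypes` field is kept as analyst context, while the volume, uniqueness and entropy signals do the flagging. Legitimate CDNs and some security products also generate many unique high-entropy subdomains, so the output is a triage list, not a verdict.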

OilRig has been employing DNS tunneling for C&C communication since at least 2016, with some of the group’s Trojans using it being Helminth, ISMAgent, ALMACommunicator, BONDUPDATER, and QUADAGENT.

All of these tools leverage DNS queries to resolve specially crafted subdomains and send data to the C&C, but the protocols differ in many ways, the researchers say. The structure of the subdomains queried, of the data received by the Trojans, and of the subdomains used to transmit data is different.

Moreover, the encoding used to represent the data differs, the same as the manner in which the Trojans issue DNS queries, Palo Alto Networks reveals.

The different variants of Helminth observed over the years (portable and PowerShell) all use DNS A queries, but the attackers can change how the subdomains are generated to make them visually different and avoid detection.

Used in various targeted attacks, ISMAgent uses the DnsQuery_A API function to issue DNS AAAA requests to resolve custom subdomains. The Trojan issues a beacon to inform the server it is ready to transmit data, and then sends the data encoded to the C&C.

OilRig was observed using two different variants of the ALMA Communicator as the payload, each employing a different domain structure. Differences between the two also include the information sent to the server and the formatting of the data within the DNS tunneling protocol.

The hacking group has used multiple variants of the BONDUPDATER tool in attacks since at least mid-2017, with the early samples issuing DNS A queries through the “GetHostAddresses” method of the System.Net.Dns class, and later samples using raw sockets via the System.Net.Sockets.UdpClient class for both DNS A and TXT lookups.

The QUADAGENT Trojan uses AAAA queries to transmit and receive data via DNS tunneling, but a different method is used to issue queries depending on the Windows version.

“This threat group saw the benefits of using DNS tunneling, as DNS is almost universally allowed through security devices. One major drawback of using DNS tunneling is the high volume of DNS queries issued to transmit data back and forth between the tool and the C&C server, which may stand out to those monitoring DNS activity on their networks,” Palo Alto Networks concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
