Iranian Hackers Heavily Reliant on DNS Tunneling

Iran-linked cyber-espionage group OilRig is making broad use of DNS tunneling across its tools portfolio, Palo Alto Networks security researchers reveal.

Active since at least 2014 and said to have ties with the Iranian government, the hacking group has been mainly targeting the financial, government, energy, telecoms, and chemical sectors in the Middle East.

Over the years, the group has relied on a variety of tools to conduct attacks, but many of their Trojans use DNS tunneling to communicate with the command and control (C&C) server, a clear indicator of this being their preferred communication method.

Analysis of the employed technique revealed that in all cases the subdomains contain a randomly generated value to avoid cached responses; an initial handshake is normally used to obtain a unique system identifier; A, AAAA, and TXT query types are employed (impacting the amount of data the C&C can transmit to the Trojan); and that all protocols generate a significant number of DNS queries.

The researchers also noticed that a hardcoded IP addresses is used to start and stop data transfers, and that sequence numbers are used when uploading data, so that the C&C can reconstruct it in the correct order.

OilRig has been employing DNS tunneling for C&C communication since at least 2016, with some of the group’s Trojans using it being Helminth, ISMAgent, ALMACommunicator, BONDUPDATER, and QUADAGENT.

All of these tools leverage DNS queries to resolve specially crafted subdomains and send data to the C&C, but the protocols differ in many ways, the researchers say. The structure of the subdomains queried, of the data received by the Trojans, and of the subdomains used to transmit data is different.

Moreover, the encoding used to represent the data differs, the same as the manner in which the Trojans issue DNS queries, Palo Alto Networks reveals.

The different variants of Helminth observed over the years (portable and PowerShell) use the same DNS Type A, but the attackers can change the generated subdomains to make them visually different and avoid detection.

Used in various targeted attacks, ISMAgent uses the DnsQuery_A API function to issue DNS AAAA requests to resolve custom subdomains. The Trojan issues a beacon to inform the server it is ready to transmit data, and then sends the data encoded to the C&C.

OilRig was observed using two different variants of the ALMA Communicator as the payload, each employing a different domain structure. Differences between the two also include the information sent to the server and the formatting of the data within the DNS tunneling protocol.

The hacking group has used multiple variants of the BONDUPDATER tool in attacks since at least mid-2017, with the early samples employing DNS A queries using the “GetHostAddresses” method in the System.Net.Dns class, and the later one leveraging the System.Net.Sockets.UdpClient class’ raw sockets for both DNS A and TXT lookups.

The QUADAGENT Trojan uses AAAA queries to transmit and receive data via DNS tunneling, but a different method is used to issue queries depending on the Windows version.

“This threat group saw the benefits of using DNS tunneling, as DNS is almost universally allowed through security devices. One major drawback of using DNS tunneling is the high volume of DNS queries issued to transmit data back and forth between the tool and the C&C server, which may stand out to those monitoring DNS activity on their networks,” Palo Alto Networks concludes.

Related: Iran-Linked Hackers Use Just-in-Time Creation of Weaponized Attack Docs