CyberWire Daily - Iran-linked Lyceum Group adds a new weapon to its arsenal. [Research Saturday]
Episode Date: August 6, 2022
Deepen Desai from Zscaler's ThreatLabz joins Dave to discuss how APTs, like Lyceum Group, create tactics and malware to carry out attacks against their targets. The Lyceum group has been active since ...2017 and is a state-sponsored Iranian APT group. This group targets Middle Eastern organizations, most notably in the energy and telecommunication sectors, and they rely heavily on .NET based malware. Zscaler said in their research they "recently observed a new campaign where the Lyceum Group was utilizing a newly developed and customized .NET based malware targeting the Middle East by copying the underlying code from an open source tool." They go on to give an analysis explaining why the .NET based DNS backdoor is causing problems. The research can be found here: Lyceum .NET DNS Backdoor
Transcript
You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts, tracking down the threats and vulnerabilities, solving some
of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
What the team noticed as part of the tracking activity was a new .NET-based malware
and the DNS backdoor component that we'll shortly talk about being used for espionage.
That's Deepen Desai. He's Chief Information Security Officer and VP of Security Research and Operations at Zscaler.
The research we're discussing today is titled Lyceum .NET DNS Backdoor.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface,
making apps and IPs invisible, eliminating lateral movement,
connecting users only to specific apps, not the entire
network, continuously verifying every request based on identity and context, simplifying
security management with AI-powered automation, and detecting threats using AI to analyze
over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with
Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
Well, let's walk through it together. Let's start at the beginning here.
I mean, how does someone find themselves victim of this?
How do they find their way in?
Right. So in this case, I mean, the group, the campaign that the team discovered was where the Lyceum threat actor was leveraging military affairs as a theme.
Specifically, they were talking about "Iran deploys drones to target internal threats and protect external interests." And that was the theme of the lure that was being used to get the victim to click on a link and get the infection chain started.
There was a newly registered domain that they were leveraging.
As soon as the user clicks on that, provided that they fall for the theme,
a dropper disguised as a PDF gets downloaded, which further downloads the backdoor, which is the .NET DNS backdoor.
So just to be clear here, I mean, it starts off with a phishing email
with, let's say, sort of a subject-based lure,
and then we try to get them to click through, and then ultimately deploying that dropper.
Exactly. And we also saw another variant
of the chain, where instead of PDF, there was
an actual macro document.
But again, it starts with a phishing email containing a link talking about Iran drones.
So it could be that.
We also noticed another vendor talk about Russia, Ukraine, a theme being leveraged early
this year by the Lyceum group as well.
So it starts with that.
The link leads to the dropper payload,
which could be a PDF or a macro document.
And that's what leads to the final backdoor payload,
which is responsible for the espionage activity.
So let's talk about that backdoor payload.
What exactly goes into that?
What is it capable of?
Right, so what was interesting about this one was
when we looked at the payload,
it hit our cloud sandbox.
It was detonated.
We convicted it as malicious.
But when the team started analyzing it,
we noticed that the majority of the code
was picked up from the open source tool dig.net.
Dig.net is an open source tool
which is a partial implementation of the Linux dig command.
It's not complete implementation, it's a partial implementation,
but it does DNS resolving functions.
Dig is the Domain Information Groper tool
that's part of the BIND software suite.
But coming back to the point,
majority of the code base was this open source tool
and they customized it as part of this backdoor
to then leverage it to perform DNS hijacking, as well as DNS-based C&C activity.
So I suppose, I don't know, if we're being generous, we could say they're working smarter,
not harder. If we're not being generous, maybe a little laziness on their part?
Yeah, this is definitely smarter, right? Because it's an open source tool,
code bases, the majority of it is similar
to what the open source tool out there is doing.
The other smarter part over here is leveraging DNS as a channel.
So for those of you that don't know,
DNS hijacking is where they're able to manipulate
the DNS response queries
using an attacker-controlled DNS server.
A simple example, from a machine where this backdoor is already running,
if a user or when the malware seems to be going to apple.com,
it's actually not going to apple.com,
but to an attacker-controlled infrastructure.
So in the logs, it may appear that the request is going to Apple.com
or the query is for Apple.com, but it's being manipulated
using the attacker-controlled DNS server.
And the second aspect, Dave, if I may add, is we're using that same channel.
Now they're using the DNS TXT records
for command and control activity as well.
So what that means is the threat actor, in this case, the Lyceum group guys,
are able to send commands to the infected machine to perform things such as upload files,
download files, or any other commands.
And the command goes through the DNS channel as well,
so using the TXT records.
And then the A records are used for exfiltration,
which is the response to those commands.
So the attacker may execute a command like,
show me all the files that exist in certain directory.
The output of that will again go through the DNS channel, A records,
where it's all encoded and then sent through the DNS channel.
So that helps hide what they're up to here, I suppose.
Is that an efficient way to do things,
or is the stealthiness more important than the efficiency here?
It is more towards the stealth part. They're trying to evade detection using this channel.
So it's more towards that than efficiency.
So what does it appear that they're after here?
This group is known to maintain
persistence in the victim environment.
And the goal is cyber espionage.
They're looking for very specific information, and that specific information then gets
relayed to the attacker.
In this case, I mean, they were using military affairs themes, so it's reasonable to assume
that some of the government sector organizations were being targeted. So in
one of the cases, it was the Iranian drone theme. In the other case, as I mentioned,
it was the Russia-Ukraine theme where some of the other regions' government sector was being targeted.
And how are they maintaining persistence on the machines that they're able to infect here?
Yeah, so they will, once the user falls for the phishing email, right, and the link gets
downloaded, in case of PDF or the macro document, the malicious backdoor will get downloaded and it will use the startup option
to basically make sure every time the system reboots
the backdoor executes as part of it.
So they're able to maintain persistence
and stay under the radar
because the only communication that's going out
as a result of this backdoor,
as I mentioned,
is DNS protocols on the network layer as well.
You're not seeing some suspicious activity.
It's all DNS queries.
So does that mean that they're successful
in evading typical endpoint protection?
In many of the cases, yes.
They are able to do that.
It's not difficult to catch this,
but it's how they keep evolving.
In this case, you saw them
using an open source tool
and customizing it enough
to carry out their operation.
But that's the cat and mouse game
that security industry
on the endpoint side
have to play when they evolve certain things.
Endpoints at times fail.
Many of the cases, endpoints do end up detecting it hours or day after.
So what are your recommendations here,
in terms of folks best protecting themselves?
Yeah, in this case, the organization, it's critical that you are inspecting.
So there are two things.
One is the phishing part where user education is important.
Number two part is when the user ends up
clicking on any of these links.
You need to have that consistent inspection happening.
Whether the threat actor is using a TLS channel to download
that initial dropper and the backdoor or something else, the goal is to inspect and prevent that
initial payload from entering your endpoints or your environment. The second important piece over
here is, assume that your controls fail at that first stage.
You need to have, again, inspection for all ports and protocols in order to flag the C&C activity that we talked about as well.
In this case, it's using DNS as a channel for both command and control activity as well as data exfiltration. So the point is, have that post-infection activity getting detected and blocked,
have the data exfiltration channel getting detected and blocked as well.
How do you rank this threat group in terms of their sophistication?
So if you look at the payload, it was pretty basic.
I mean, I wouldn't, and honestly, that has been the case with many other groups.
But that's a tricky question, Dave.
Relative rank of the group compared to the others.
Right, right.
Because it's not necessarily, I mean, sometimes simpler can be effective, right?
Yeah, exactly.
Yeah, it was simple, but it was effective.
Our thanks to Deepen Desai from Zscaler for joining us.
The research is titled Lyceum .NET DNS Backdoor.
We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
Our amazing CyberWire team is Rachel Gelfand, Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.