Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH)

Do you use split DNS i.e. all internal lookups use an internal-only server and external lookups are only allowed from a dedicated DNS server. It’s good practise to only allow port 53 out from that ‘external’ DNS. Likewise, do you allow TLS outbound on port 443? Here’s a reason to extend that split to include port 443…:

An Iranian hacking group known as Oilrig has become the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks.

Speaking in a webinar last week, Vincente Diaz, a malware analyst for antivirus maker Kaspersky, said the change happened in May this year when Oilrig added a new tool to its hacking arsenal.

According to Diaz, Oilrig operators began using a new utility called DNSExfiltrator as part of their intrusions into hacked networks.

DNSExfiltrator is an open-source project available on GitHub that creates covert communication channels by funneling data and hiding it inside non-standard protocols.

As its name hints, the tool can transfer data between two points using classic DNS requests, but it can also use the newer DoH protocol.

Diaz said Oilrig, also known as APT34, has been using DNSExfiltrator to move data laterally across internal networks, and then exfiltrate it to an outside point.

[…]

Original article here