The PolySwarm Blog


Lyceum .NET DNS Backdoor “DnsSystem”

Jun 24, 2022 2:22:18 PM / by PolySwarm Tech Team


Executive Summary

Zscaler recently reported on a new .NET DNS backdoor “DnsSystem” used by the threat actor group known as Lyceum. It is primarily used to target entities in the Middle East.


Key Takeaways

  • Iranian threat actor group Lyceum is using the “DnsSystem” .NET DNS backdoor to target entities in the Middle East.
  • The malware is based on the legitimate DIG.net tool.
  • The malware is delivered via a maldoc.
  • The malware leverages DNS hijacking.

What is .NET DNS Backdoor “DnsSystem”?

Zscaler recently investigated a campaign in which Lyceum used a new .NET DNS backdoor known as “DnsSystem”. The backdoor is a customized version of the open-source tool DIG.net (DnsDig). DIG.net is a legitimate open-source DNS resolver used to perform DNS queries against a DNS server and parse the response. The threat actors modified the code so that it performs DNS queries against their custom DNS server, parses the response to execute commands remotely, and uploads and downloads files from the C2. The malware uses TXT records for incoming commands and A records for data exfiltration.


The .NET DNS backdoor is delivered via a macro-enabled malicious Word document masquerading as a news report on military affairs. The file was downloaded from http://news-spot[.]live. After the victim enables the macro, an AutoOpen() function executes, increasing picture brightness using “PictureFormat.Brightness = 0.5.” This reveals content with the headline, “Iran Deploys Drones To Target Internal Threat, Protect External Interests.”

The threat actor then uses the AutoClose() function to drop the backdoor on the system. When the document is closed, the AutoClose() function is executed, reading a PE file from one of the text boxes in the document. This file is written to the Startup folder to allow the malware to maintain persistence. This ensures the backdoor is executed whenever the system restarts. The dropped binary is “DnsSystem”, the .NET DNS backdoor.

The malware uses DNS hijacking. In DNS hijacking, a threat actor-controlled DNS server manipulates responses to DNS queries and resolves them as the threat actor chooses. To evade detection, the “DnsSystem” backdoor employs the DNS protocol for C2.
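A defender-side heuristic for the pattern described above (TXT queries for incoming commands, A queries carrying data), as an added example that is not taken from Zscaler's report or from PolySwarm: it flags client/domain pairs that combine repeated TXT lookups with several long, high-entropy A-record labels. The log format, the placeholder domain, the thresholds and the function names are all assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, "client qtype qname" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 TXT example.com
10.0.0.9 TXT a1.c2-placeholder.test
10.0.0.9 TXT a2.c2-placeholder.test
10.0.0.9 TXT a3.c2-placeholder.test
10.0.0.9 A mzxw6ytboi4tqmjsgq3tmnzy.c2-placeholder.test
10.0.0.9 A nbswy3dpfqqho33snrscc5dp.c2-placeholder.test
10.0.0.9 A orugs4zanfzsayjaorsxg5ba.c2-placeholder.test
10.0.0.9 A onxw2zjamrqxiyjaovzwkzdt.c2-placeholder.test
"""

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def base_domain(qname):
    # Simplification: last two labels; production code would use the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_dns_c2(log, min_txt=3, min_encoded_a=3, min_len=16, min_entropy=3.5):
    """Return sorted (client, domain) pairs with TXT polling plus encoded-looking A lookups."""
    stats = defaultdict(lambda: {"txt": 0, "enc": set()})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qtype, qname = parts
        key = (client, base_domain(qname))
        label = qname.split(".")[0].lower()  # leftmost label is where encoded data would sit
        if qtype.upper() == "TXT":
            stats[key]["txt"] += 1
        elif qtype.upper() == "A" and len(label) >= min_len and entropy(label) >= min_entropy:
            stats[key]["enc"].add(label)
    return sorted(k for k, v in stats.items()
                  if v["txt"] >= min_txt and len(v["enc"]) >= min_encoded_a)
```

Requiring both signals for the same client and domain keeps ordinary TXT users (SPF checks, domain verification) and CDNs with hashed hostnames from being flagged on their own; the thresholds need tuning against a baseline of the environment's normal DNS traffic.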

Who is Lyceum?

Lyceum, also known as Hexane, Spirlin, and Siamese Kitten, is an Iranian threat actor group active since at least 2017. The group typically targets energy and telecommunications organizations in the Middle East and Africa. Their TTPs include supply chain attacks, Shark, Milan, heavy use of .NET-based malware, DanBot, C++ backdoors, and a PowerShell script.

IOCs

PolySwarm has multiple samples of Lyceum .NET DNS Backdoor “DnsSystem”.


221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292

ba73116c7cf6faf3aa97b497cf7472b2a115a3b5ad7ad85f7919ff81a1ff2b9a

You can use the following CLI command to search for all Lyceum .NET DNS Backdoor samples in our portal:

$ polyswarm link list -f DnsSystem

