Executive Summary
Zscaler recently reported on a new .NET DNS backdoor “DnsSystem” used by the threat actor group known as Lyceum. It is primarily used to target entities in the Middle East.
Key Takeaways
The .NET DNS backdoor is delivered via a macro-enabled malicious Word document masquerading as a news report on military affairs. The file was downloaded from http://news-spot[.]live. After the victim enables the macro, an AutoOpen() function executes and raises the brightness of an embedded picture with “PictureFormat.Brightness = 0.5”, revealing content with the headline “Iran Deploys Drones To Target Internal Threat, Protect External Interests.”
The backdoor itself is dropped by the AutoClose() function. When the document is closed, AutoClose() executes, reads a PE file from one of the text boxes in the document, and writes it to the Startup folder so the malware maintains persistence and is executed whenever the system restarts. The dropped binary is “DnsSystem”, the .NET DNS backdoor.
The malware relies on DNS hijacking: a DNS server under the threat actor's control answers the implant's DNS queries with responses of the actor's choosing. By carrying its C2 traffic over the DNS protocol in this way, the “DnsSystem” backdoor evades detection.
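As an added, defender-side example (not from the Zscaler report or from PolySwarm), the following Python heuristic scans DNS query logs for the footprint a DNS-based C2 channel tends to leave: one client issuing many unique, high-entropy subdomains under a single zone. The log line format, the placeholder zone c2-placeholder.test, the sample lines and the thresholds are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from math import log2

# Constructed sample DNS query log (not from the report); "<ts> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2022-06-10T10:00:01 10.0.0.5 A www.example.com
2022-06-10T10:00:02 10.0.0.5 A mail.example.com
2022-06-10T10:00:03 10.0.0.5 TXT 4f1a9c0b7e.c2-placeholder.test
2022-06-10T10:00:04 10.0.0.5 TXT 8d2e6b3a91.c2-placeholder.test
2022-06-10T10:00:05 10.0.0.5 TXT 0c7f5e2d44.c2-placeholder.test
2022-06-10T10:00:06 10.0.0.5 TXT b39a1d8e60.c2-placeholder.test
2022-06-10T10:00:07 10.0.0.5 TXT e5c0247fa3.c2-placeholder.test
2022-06-10T10:00:08 10.0.0.9 A www.example.com
2022-06-10T10:00:09 10.0.0.9 A cdn.example.com
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits per character; random-looking encoded labels score high."""
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_log(text):
    """Yield (client, qtype, qname); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).upper(), m.group(4).lower().rstrip(".")

def find_dns_c2_candidates(text, min_unique=5, min_entropy=3.0):
    """Flag (client, zone) pairs with many unique, high-entropy subdomains.
    zone = last two labels of the name; the thresholds are tuning knobs
    chosen for this example, not values from the report."""
    per_pair = defaultdict(set)  # (client, zone) -> leftmost labels seen
    for client, _qtype, qname in parse_log(text):
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # bare zone queries carry no encoded data in a label
        per_pair[(client, ".".join(labels[-2:]))].add(labels[0])
    flagged = []
    for (client, zone), subs in per_pair.items():
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_ent >= min_entropy:
            flagged.append((client, zone, len(subs), round(avg_ent, 2)))
    return sorted(flagged)

if __name__ == "__main__":
    for hit in find_dns_c2_candidates(SAMPLE_LOG):
        print("suspect DNS C2 channel:", hit)
```

Real resolver logs need the zone cut at the registrable domain (public suffix list) rather than at the last two labels, and CDN or anti-virus lookups will need an allowlist to keep the false-positive rate down.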
Who is Lyceum?
Lyceum, also known as Hexane, Spirlin, and Siamese Kitten, is an Iranian threat actor group active since at least 2017. The group typically targets energy and telecommunications organizations in the Middle East and Africa. Their TTPs include supply chain attacks and heavy use of .NET based malware; their tooling includes Shark, Milan, DanBot, C++ backdoors, and a PowerShell script.
IOCs
PolySwarm has multiple samples of the Lyceum .NET DNS backdoor “DnsSystem”:
221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292
ba73116c7cf6faf3aa97b497cf7472b2a115a3b5ad7ad85f7919ff81a1ff2b9a
You can use the following CLI command to search for all Lyceum .NET DNS Backdoor samples in our portal:
$ polyswarm link list -f DnsSystem