Wednesday, January 20, 07:01
Home security DNS-over-HTTPS (DoH) Protocol: The new "weapon" of Iranian APT hackers!

DNS-over-HTTPS (DoH) Protocol: The new "weapon" of Iranian APT hackers!

The Iranian APT hackers of the group known as "Oilrig", are the first to integrate the DNS-over-HTTPS (DoH) protocol into attacks their. Vincente Diaz, malware analyst at antivirus company "Kaspersky", said in a webinar last week that this change was observed in May, when Oilrig added the DNS-over-HTTPS (DoH) protocol to its "arsenal" to bolster its attacks.

According to Diaz, Iranian Oilrig APT hackers have begun using a new tool, the DNSExfiltrator, to infiltrate networks.The DNSExfiltrator is an open source project that is available on GitHub and creates secret communication channels, channeling data and hiding them in non-standard protocols. This tool can transfer data between two points using standard DNS requests, and it can also use the latest DoH protocol. In addition, Diaz mentioned that the Oilrig team, also known as APT34, uses DNSExfiltrator to transfer data to internal networks and then to an external point.

DNS-over-HTTPS (DoH) protocol

Oilrig is also likely to use DoH as a removal channel to avoid detecting or tracking its activities while transporting stolen data.
This is because the DoH protocol is an ideal removal channel for two reasons. First, is a new protocol that not all products can monitor security. Second, is encrypted by default, while DNS is plain text.

The fact that Oilrig was one of the first APT (Advanced Persistent Threats) groups - a term used to describe government hacking groups - that DoH incorporated in its attacks is not surprising. Historically, the team has dealt with DNS-based removal techniques. Before adopting the open source DNSExfiltrator toolkit in May, the team used a custom tool called DNSpionage at least from 2018, as Talos, NSFOCUS and Palo Alto Networks have pointed out in their relevant reports.

Iranian APT hackers

In addition, in the May campaign, Kaspersky noted that Oilrig removed data via DoH in domains related to its pandemic COVID-19. In the same month, Reuters reported one Phishing campaign orchestrated by unknown Iranian hackers targeting pharmaceutical giant employees Gilead, who had announced at the time that he was working on finding a cure and vaccine for COVID-19. However, it is not clear whether these are the same incidents. Previous reports have linked most Iranian APT groups to Islamic Revolutionary Guard Corps (IRGC), of its leading military entity Iran.

Islamic Revolutionary Guard Corps (IRGC) Iran

Oilrig is not only the first APT team to become known to use DoH, but also the first to do so in general. Godlua, a Lua-based Linux malware strain, was the first to use DoH as part of DDoS botnet in July 2019, according to a report by Netlab, which deals with network threats to the Chinese giant in the cybersecurity industry "Qihoo 360".


Please enter your comment!
Please enter your name here

Every accomplishment starts with the decision to try.



The creator of PUBG is planning an IPO worth $ 27,2 billion! Ο δημιουργός του PUBG, Kim Chang-han, σχεδιάζει IPO (Αρχική Δημόσια Προσφορά ή εισαγωγή στο χρηματιστήριο) η...

Slack: How to turn off automatic conversion to Emoji

Emoji are everywhere now. In many applications - such as Slack - you can not type a simple emoticon based on ...

Malware FreakOut: Infects "Linux hosts" that run vulnerable software

An active malicious campaign is currently targeting critical Linux devices running software. Its purpose is to infect ...

Facebook Messenger vs WhatsApp: Which is worse for privacy?

In recent days, WhatsApp has been at the center of discussions, due to issues that have arisen regarding the privacy of ...

Apple sued! They want to remove Telegram from the App Store

Although Telegram has become very popular in the world in recent days, it also receives a lot of negative reviews. A former ambassador of ...

VLC for macOS has been updated with full support for M1 Macs

VLC is one of the most popular media players and the macOS version is currently receiving a major update with full ...

Google Maps adds precise details to 4 city roadmaps

The Google Maps app received an update in August last year, which added more color to the physical maps to ...

Smartwatches may detect COVID-19 symptoms

Smartwatches and fitness wearables can play a valuable role in the early detection of COVID-19, according to some recent studies. Researchers from ...

The incidence of sextortion increased significantly during the pandemic period

With the outbreak of the COVID-19 pandemic, countries around the world have entered a lockdown regime, in an effort to ...

SpaceX launches the first Starlink satellite for 1

SpaceX will launch 60 satellites from the Kennedy Space Center in Florida on Wednesday. This will be the first launch of ...