The Iranian state-sponsored hacking group known as "Oilrig" is the first APT group observed integrating the DNS-over-HTTPS (DoH) protocol into its attacks. Vicente Diaz, a malware analyst at the antivirus company Kaspersky, said in a webinar last week that the change was first observed in May, when Oilrig added DoH to its "arsenal" to step up its attacks.
According to Diaz, Oilrig began using a new tool, DNSExfiltrator, inside the networks it compromises. DNSExfiltrator is an open source project available on GitHub that creates covert communication channels, encoding data into a non-standard carrier protocol so that it can be moved without being noticed. The tool transfers data between two points using ordinary DNS requests, and it can also carry the same traffic over the newer DoH protocol. Diaz added that Oilrig, also known as APT34, uses DNSExfiltrator to move data laterally across internal networks and then to exfiltrate it to an external point.
Oilrig most likely uses DoH as an exfiltration channel so that its activity is not detected or tracked while stolen data is being moved out.
DoH is an ideal exfiltration channel for two reasons. First, it is a new protocol that not all security products are yet able to monitor. Second, it is encrypted by default, whereas classic DNS travels in plain text and can be inspected by any device on the path.
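To make the two points above concrete, here is an added example (not DNSExfiltrator's own code and not from Kaspersky) that shows how a covert DNS channel of the kind described works and what a defender can still catch. It encodes a payload into base32 subdomain labels of a hypothetical attacker-controlled zone, reassembles it on the other side, and then runs two detection heuristics over constructed sample data: a label-length/entropy check on query names, which works for plain DNS, and an SNI check on TLS connection records, which is the kind of network-layer signal that remains when the DNS itself is hidden inside HTTPS. The zone name, the log lines and the list of public DoH hostnames are assumptions made for the example.

```python
"""Added example: toy DNS-tunnel encoder/decoder plus two detection heuristics.

Not DNSExfiltrator's code. Assumed (hypothetical): attacker-controlled zone
'exfil.example', base32 label encoding, constructed log lines.
"""
import base64
import math
from collections import Counter

LABEL_MAX = 63           # RFC 1035: a single label is at most 63 octets
NAME_MAX = 253           # practical limit for a full domain name
ZONE = "exfil.example"   # hypothetical attacker-controlled zone

# Well-known public DoH endpoints; assumed watch list for this example.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}


def encode_chunks(data, zone=ZONE, labels_per_query=3):
    """Split data into query names of the form <seq>.<b32 labels>.<zone>."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    chunk_len = LABEL_MAX * labels_per_query
    queries = []
    for seq, start in enumerate(range(0, len(b32), chunk_len)):
        chunk = b32[start:start + chunk_len]
        labels = [chunk[i:i + LABEL_MAX] for i in range(0, len(chunk), LABEL_MAX)]
        name = ".".join([str(seq), *labels, zone])
        assert len(name) <= NAME_MAX, "query name too long"
        queries.append(name)
    return queries


def decode_chunks(queries, zone=ZONE):
    """Receiver side: order chunks by sequence number and decode base32."""
    suffix = "." + zone
    parts = {}
    for name in queries:
        if not name.endswith(suffix):
            continue                      # not one of ours
        labels = name[:-len(suffix)].split(".")
        parts[int(labels[0])] = "".join(labels[1:])
    b32 = "".join(parts[i] for i in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)          # restore stripped padding
    return base64.b32decode(b32)


def shannon_entropy(s):
    """Bits per character of the string s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_tunnel(qname, max_label=40, min_payload=30, entropy_threshold=3.5):
    """Heuristic for plain DNS: very long labels or high-entropy subdomain data.

    Assumes the registrable domain is the last two labels (good enough here).
    """
    labels = qname.rstrip(".").split(".")
    sub = labels[:-2]
    if not sub:
        return False
    longest = max(len(label) for label in sub)
    payload = "".join(sub)
    return longest > max_label or (
        len(payload) > min_payload and shannon_entropy(payload) > entropy_threshold
    )


def flag_doh_connections(tls_log, approved_resolvers=frozenset()):
    """Heuristic for DoH: TLS to a known public DoH endpoint that is not approved.

    Each record is constructed as '<src_ip> <dst_ip:port> <sni>'. Because the
    DNS messages themselves are encrypted, only the TLS metadata is visible.
    """
    hits = []
    for line in tls_log:
        src, dst, sni = line.split()
        if dst.endswith(":443") and sni in KNOWN_DOH_HOSTS and sni not in approved_resolvers:
            hits.append((src, sni))
    return hits


# Constructed sample data (not real traffic).
SAMPLE_PAYLOAD = b"hostname=fin-ws-07;user=jdoe;" * 7
CONSTRUCTED_TLS_LOG = [
    "10.0.0.12 203.0.113.10:443 www.example.com",
    "10.0.0.12 198.51.100.7:443 cloudflare-dns.com",
    "10.0.0.45 198.51.100.8:443 dns.google",
]

if __name__ == "__main__":
    queries = encode_chunks(SAMPLE_PAYLOAD)
    print(len(queries), "queries;", "round trip ok:", decode_chunks(queries) == SAMPLE_PAYLOAD)
    print("tunnel-like:", [looks_like_tunnel(q) for q in queries])
    print("DoH hits:", flag_doh_connections(CONSTRUCTED_TLS_LOG))
```

The two heuristics show the practical gap the article points at: the label-length and entropy checks fire only on a resolver or sensor that sees the query names, and once those names are wrapped in HTTPS the only remaining signal is the TLS destination, which in turn disappears if the attacker uses a DoH endpoint that is not on any watch list or if the SNI is encrypted. Allow-listing the corporate resolver and blocking direct port 443 access to public DoH services is the usual first mitigation.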
That Oilrig was one of the first APT (Advanced Persistent Threat) groups, a term used for state-backed hacking groups, to incorporate DoH into its attacks is not surprising. The group has a long history with DNS-based exfiltration techniques. Before adopting the open source DNSExfiltrator toolkit in May, it used a custom tool called DNSpionage since at least 2018, as Talos, NSFOCUS and Palo Alto Networks have documented in their respective reports.
In the May campaign, Kaspersky also observed Oilrig exfiltrating data over DoH to domains themed around the COVID-19 pandemic. In the same month, Reuters reported a phishing campaign by unidentified Iranian hackers targeting employees of the pharmaceutical giant Gilead, which had announced at the time that it was working on a treatment and vaccine for COVID-19. It is not clear whether the two reports describe the same incidents. Previous reporting has linked most Iranian APT groups to the Islamic Revolutionary Guard Corps (IRGC), Iran's leading military entity.
Oilrig is the first APT group known to use DoH, but not the first threat actor overall. Godlua, a Lua-based Linux malware strain, was the first to use DoH, as part of a DDoS botnet, in July 2019, according to a report by Netlab, the network threat research arm of the Chinese cyber-security giant Qihoo 360.