Sunday, September 27, 11:37

DNS-over-HTTPS (DoH) Protocol: The new "weapon" of Iranian APT hackers!

The Iranian APT group known as "Oilrig" is the first to integrate the DNS-over-HTTPS (DoH) protocol into its attacks. Vicente Diaz, malware analyst at antivirus company Kaspersky, said in a webinar last week that the change was observed in May, when Oilrig added DoH to its "arsenal" to step up its attacks.

According to Diaz, the Iranian Oilrig APT hackers have begun using a new tool, DNSExfiltrator, as part of their intrusions into compromised networks. DNSExfiltrator is an open-source project available on GitHub that creates covert communication channels by funnelling data through, and hiding it inside, non-standard protocols. The tool can transfer data between two points using classic DNS requests, and it can also use the newer DoH protocol. Diaz added that the Oilrig team, also known as APT34, uses DNSExfiltrator to move data laterally across internal networks and then exfiltrate it to an external point.


Oilrig is also likely to use DoH as an exfiltration channel to avoid detection or tracking of its activities while moving stolen data.
DoH is an ideal exfiltration channel for two reasons. First, it is a new protocol that not all security products can monitor. Second, it is encrypted by default, whereas classic DNS is plain text: a port-53 sensor can read every query name an endpoint sends, but with DoH the same queries travel inside an HTTPS session to a resolver, so the names never appear on the wire.
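The two halves of this technique, shown as an added example that is not code from the article, from Kaspersky or from the DNSExfiltrator project: a simplified encoder that packs a payload into DNS query names the way DNS and DoH exfiltration tools do (sequence number plus base32 chunks under an attacker-controlled zone), and a detector that scores a DNS query log for the resulting pattern of many unique, long, high-entropy subdomains. The encoding scheme, the zone `covid19-updates.example` (a reserved example TLD), the log format, the sample payload and the thresholds are all assumptions constructed for the example; DNSExfiltrator's real wire format is not reproduced here.

```python
"""Added example: DNS-tunnel exfiltration encoding and a log-based detector.
Not DNSExfiltrator's code; the encoding is a simplified illustrative scheme."""
import base64
import math
from collections import Counter, defaultdict

MAX_LABEL = 63     # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253     # RFC 1035: a full name is at most 253 characters in text form
CHUNK_BYTES = 30   # 30 bytes -> 48 base32 characters, fits in one label
EXFIL_DOMAIN = "covid19-updates.example"   # assumed attacker zone (reserved TLD)

# Constructed sample payload, not real data.
SECRET = (b"Constructed sample payload: Q3 vaccine trial interim results, internal only, "
          b"do not forward. Site 04 enrolment 312, site 09 enrolment 287, efficacy "
          b"endpoint pending review by the steering committee next week.")


def encode_exfil_queries(data: bytes, domain: str) -> list:
    """Attacker side: split data into chunks, embed each as lowercase unpadded
    base32 labels under `domain`, prefixed with a sequence number for reordering."""
    queries = []
    for seq, offset in enumerate(range(0, len(data), CHUNK_BYTES)):
        chunk = data[offset:offset + CHUNK_BYTES]
        b32 = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        qname = ".".join([str(seq)] + labels + [domain])
        if len(qname) > MAX_NAME:
            raise ValueError("query name exceeds the DNS name length limit")
        queries.append(qname)
    return queries


def decode_exfil_queries(queries: list, domain: str) -> bytes:
    """Receiver side (the attacker's authoritative server): strip the zone,
    reorder by sequence number, restore base32 padding and decode."""
    suffix = "." + domain
    chunks = {}
    for qname in queries:
        if not qname.endswith(suffix):
            continue
        seq, _, payload = qname[:-len(suffix)].partition(".")
        b32 = payload.replace(".", "").upper()
        b32 += "=" * (-len(b32) % 8)
        chunks[int(seq)] = base64.b32decode(b32)
    return b"".join(chunks[k] for k in sorted(chunks))


def shannon_entropy(text: str) -> float:
    """Bits per character: encoded payloads sit well above ordinary hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def tunnel_features(qname: str, zone_labels: int = 2) -> dict:
    """Features of the part of the name left of the registered zone
    (zone = last two labels; an assumption that ignores public suffixes)."""
    labels = qname.rstrip(".").lower().split(".")
    sub = "".join(labels[:-zone_labels])
    return {"zone": ".".join(labels[-zone_labels:]),
            "sub_len": len(sub), "entropy": shannon_entropy(sub)}


def find_tunnels(log_text: str, min_unique: int = 5, min_len: int = 30,
                 min_entropy: float = 3.0) -> list:
    """Group queries by (host, zone) and flag groups with many unique, long,
    high-entropy subdomains, the signature of DNS/DoH tunnelling.
    Log format assumed: '<timestamp> <host> <qname>' per line."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, host, qname = parts
        groups[(host, tunnel_features(qname)["zone"])].add(qname)
    hits = []
    for (host, zone), names in groups.items():
        feats = [tunnel_features(n) for n in names]
        mean_len = sum(f["sub_len"] for f in feats) / len(feats)
        mean_ent = sum(f["entropy"] for f in feats) / len(feats)
        if len(names) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            hits.append({"host": host, "zone": zone, "unique_names": len(names),
                         "mean_sub_len": round(mean_len, 1),
                         "mean_entropy": round(mean_ent, 2)})
    return hits


# Constructed benign log lines (not captured traffic).
BENIGN_LOG = """\
2020-05-12T10:01:02 ws-17 www.example.com
2020-05-12T10:01:03 ws-17 login.microsoftonline.com
2020-05-12T10:01:05 ws-22 cdn.jsdelivr.net
2020-05-12T10:01:07 ws-22 pool.ntp.org
2020-05-12T10:01:09 ws-17 outlook.office365.com
"""


def build_sample_log() -> str:
    """Benign lines plus the tunnel queries that ws-17 would emit for SECRET."""
    lines = BENIGN_LOG.splitlines()
    for i, q in enumerate(encode_exfil_queries(SECRET, EXFIL_DOMAIN)):
        lines.append(f"2020-05-12T10:02:{i:02d} ws-17 {q}")
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in find_tunnels(build_sample_log()):
        print(hit)
```

The detector only works on query names, which is the point of the passage: with classic DNS those names can be taken from a port-53 capture, but once the same tool switches to DoH the capture shows nothing but TLS to a resolver, so the log has to come from the endpoint or the resolver itself (for example host DNS-client telemetry or the resolver's query log), and unexpected outbound HTTPS to public DoH endpoints becomes a signal in its own right. Expect false positives from CDN, anti-virus and telemetry zones that legitimately use long hashed subdomains; allow-list those zones or raise `min_unique` against your own baseline.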

The fact that Oilrig was one of the first APT (Advanced Persistent Threat) groups, a term used to describe state-sponsored hacking groups, to incorporate DoH into its attacks is not surprising. Historically, the group has relied on DNS-based exfiltration techniques. Before adopting the open-source DNSExfiltrator toolkit in May, it used a custom tool called DNSpionage from at least 2018, as Talos, NSFOCUS and Palo Alto Networks have pointed out in their reports.


In addition, in the May campaign, Kaspersky noted that Oilrig exfiltrated data via DoH to domains themed around the COVID-19 pandemic. In the same month, Reuters reported a phishing campaign orchestrated by unknown Iranian hackers targeting employees of pharmaceutical giant Gilead, which had announced at the time that it was working on a cure and a vaccine for COVID-19. However, it is not clear whether these are the same incidents. Previous reports have linked most Iranian APT groups to the Islamic Revolutionary Guard Corps (IRGC), Iran's leading military entity.


Oilrig is the first APT group known to use DoH, but not the first malware operation to do so in general. Godlua, a Lua-based Linux malware strain, was the first to use DoH, as part of a DDoS botnet, in July 2019, according to a report by Netlab, the network-threat research unit of Chinese cyber-security giant Qihoo 360.

