Iran-linked cyber-espionage group OilRig is making broad use of DNS tunneling across its tools portfolio, Palo Alto Networks security researchers reveal.
Active since at least 2014 and said to have ties with the Iranian government, the hacking group has been mainly targeting the financial, government, energy, telecoms, and chemical sectors in the Middle East.
Over the years, the group has relied on a variety of tools to conduct attacks, but many of their Trojans use DNS tunneling to communicate with the command and control (C&C) server, a clear indicator of this being their preferred communication method.
Analysis of the employed technique revealed that in all cases the subdomains contain a randomly generated value to avoid cached responses; an initial handshake is normally used to obtain a unique system identifier; A, AAAA, and TXT query types are employed (impacting the amount of data the C&C can transmit to the Trojan); and that all protocols generate a significant number of DNS queries.
The researchers also noticed that a hardcoded IP addresses is used to start and stop data transfers, and that sequence numbers are used when uploading data, so that the C&C can reconstruct it in the correct order.
OilRig has been employing DNS tunneling for C&C communication since at least 2016, with some of the group’s Trojans using it being Helminth, ISMAgent, ALMACommunicator, BONDUPDATER, and QUADAGENT.