Iran-linked Lyceum APT adds a new .NET DNS Backdoor to its arsenal

Pierluigi Paganini June 11, 2022

Iran-linked Lyceum APT group uses a new .NET-based DNS backdoor to target organizations in the energy and telecommunication sectors.

The Iran-linked Lyceum APT group, aka Hexane or Spilrin, used a new .NET-based DNS backdoor in a campaign aimed at companies in the energy and telecommunication sectors, ZScaler researchers warn.

The activity of the Lyceum APT group was first documented earlier in August 2019 by researchers at ICS security firm Dragos which tracked it as Hexane.

Dragos reported that Hexane was focused on organizations in the oil and gas industry and telecommunication providers.

According to Dragos, the Hexane group has been active since at least the middle of 2018, it intensified its activity in early 2019 with an escalation of tensions within the Middle East.

Zscaler ThreatLabz researchers recently uncovered a new campaign where the APT group was employing a new .NET-based backdoor targeting the Middle East. The DNS backdoor borrows the code from an open-source tool named, it was used to perform “DNS hijacking.”

“The malware leverages a DNS attack technique called “DNS Hijacking” in which an attacker- controlled DNS server manipulates the response of DNS queries and resolve them as per their malicious requirements.” reads the analysis published ZScaler. “The malware employs the DNS protocol for command and control (C2) communication which increases stealth and keeps the malware communication probes under the radar to evade detection.”

The backdoor supports multiple functionalities, including Upload/Download Files and execution of system commands on the infected machine by abusing DNS records, including TXT records for incoming commands and A records for data exfiltration. 

The attack chain observed by the researchers starts with spear-phishing messages using weaponized Word document disguised as a news report related to military affairs in Iran.

DNS hijacking is a redirection attack that relies on DNS query manipulation to take a user who attempts to visit a legitimate site to a malicious clone hosted on a server under the threat actor’s control. 

lyceum apt

Upon enabling macros to view the content, the DNS backdoor will be dropped onto the system when the user close the document. The attackers leveraged the AutoClose() function to drop the DNS backdoor onto the system. The AutoClose() function reads a PE file from the text box present on the 7th page of the document.

This PE file is dropped into the Startup folder to maintain persistence via the macro code, then upon restarting the system, the DNS Backdoor is executed. 

“The dropped binary is a .NET based DNS Backdoor named “DnsSystem” which allows the threat actors to execute system commands remotely and upload/download data on the infected machine.” continues the report. “Initially the malware sets up an attacker controlled DNS server by acquiring the IP Address of the domain name “cyberclub[.]one” = 85[.]206[.]175[.]199 using Dns.GetHostAddresses() for the DIG Resolver function, which in turn triggers an DNS request to cyberclub[.]one for resolving the IP address. Now this IP is associated as the custom attacker controlled DNS Server for all the further DNS queries initiated by the malware.”

APT groups continue to evolve their TTPs and embrace new anti-analysis and anti-evasion techniques.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit:

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lyceum APT)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment