"Hackers From Iran Seen Employing New DNS Hijacking Malware in Latest Cyberattacks"

Lyceum, an Iranian Advanced Persistent Threat (APT) group, has switched to deploying a new custom .NET-based backdoor in recent attacks targeting the Middle East. According to Avinash Kumar and Niraj Shivtarkar of Zscaler ThreatLabz, the .NET-based DNS backdoor is a modified version of the open-source application 'DIG.net'. The malware employs a DNS attack technique known as 'DNS hijacking', in which an attacker-controlled DNS server answers DNS queries with manipulated responses. DNS hijacking is a redirection attack: DNS requests for legitimate domains are intercepted and used to redirect a user to attacker-controlled fake pages. Unlike cache poisoning, DNS hijacking alters the website's DNS record on the nameserver rather than the resolver's cache. This article continues to discuss the new DNS hijacking malware being used by Lyceum against targets in the Middle East, as well as the history of the APT group.
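A defender-side illustration of the redirection the summary describes, as an added example (not code from the article or from Zscaler ThreatLabz): the script below parses dig-style answer lines and flags names for which the resolver an endpoint actually uses returns an address that independent, trusted resolvers never return. The answer lines, the host names and the addresses are constructed (RFC 5737 / RFC 3849 documentation ranges); the function and variable names are the example's own.

```python
"""Resolver-integrity check: compare answers from the configured resolver
against answers from independent resolvers and report divergent names.

Added example; sample data below is constructed, in the style of a `dig`
ANSWER section, and does not come from the article.
"""
import ipaddress
import re
from collections import defaultdict

# One dig-style ANSWER line: <owner> <ttl> IN <type> <rdata>
ANSWER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S+)$"
)

# Constructed sample data. OBSERVED = what the endpoint's configured resolver
# answered; TRUSTED_1/2 = the same names queried through two independent resolvers.
OBSERVED = """\
www.example.com.      300 IN A     192.0.2.10
portal.example.com.    60 IN A     203.0.113.7
mail.example.com.     300 IN A     192.0.2.25
mail.example.com.     300 IN AAAA  2001:db8::25
intranet.example.com. 300 IN CNAME portal.example.com.
"""
TRUSTED_1 = """\
www.example.com.      300 IN A     192.0.2.10
portal.example.com.  3600 IN A     198.51.100.20
mail.example.com.     300 IN A     192.0.2.25
"""
TRUSTED_2 = """\
www.example.com.      300 IN A     192.0.2.10
portal.example.com.  3600 IN A     198.51.100.20
mail.example.com.     300 IN AAAA  2001:db8::25
"""


def parse_answers(text):
    """Parse dig-style answer lines into {owner: {ip, ...}}, keeping A/AAAA only."""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig comment
        m = ANSWER_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable answer line: {line!r}")
        if m["type"] not in ("A", "AAAA"):
            continue  # CNAME/NS/MX carry no address to compare
        owner = m["name"].rstrip(".").lower()
        records[owner].add(ipaddress.ip_address(m["rdata"]))
    return dict(records)


def merge_answers(*answer_dicts):
    """Union of several parsed answer dicts, e.g. from independent resolvers."""
    merged = defaultdict(set)
    for answers in answer_dicts:
        for owner, ips in answers.items():
            merged[owner] |= ips
    return dict(merged)


def find_divergent(observed, trusted):
    """Names whose observed answers include an address no trusted resolver returned.

    Returns {owner: {"unexpected": set(ips), "trusted": set(ips)}}.
    """
    divergent = {}
    for owner, ips in observed.items():
        reference = trusted.get(owner, set())
        unexpected = ips - reference
        if unexpected:
            divergent[owner] = {"unexpected": unexpected, "trusted": reference}
    return divergent


def report():
    """Run the check over the constructed sample data."""
    observed = parse_answers(OBSERVED)
    trusted = merge_answers(parse_answers(TRUSTED_1), parse_answers(TRUSTED_2))
    return find_divergent(observed, trusted)


if __name__ == "__main__":
    for owner, detail in report().items():
        print(f"{owner}: configured resolver returned "
              f"{sorted(map(str, detail['unexpected']))}, trusted resolvers return "
              f"{sorted(map(str, detail['trusted']))}")
```

Divergent answers are leads, not proof: CDN and geo-aware zones legitimately hand different addresses to different resolvers, so corroborate a hit with the answer's TTL, the identity of the resolver the endpoint is configured to use, and whether that resolver is one the organisation actually operates.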

CyberIntelMag reports "Hackers From Iran Seen Employing New DNS Hijacking Malware in Latest Cyberattacks"
