Translating Saitama’s DNS tunneling messages

Saitama is a backdoor that uses DNS tunneling to encapsulate its C2 messages, hiding commands within IPv4 addresses. The activity has been linked to APT34 and was observed in a phishing email targeting Jordan’s foreign ministry; Morphus Labs also released a translator tool to decode these DNS-based messages. #Saitama #DNSTunneling #APT34 #JordanForeignMinistry #joexpediagroup

Keypoints

  • Saitama uses DNS tunneling to carry its command and control (C2) messages, a technique aligned with MITRE ATT&CK T1071.004.
  • Rather than relying on TXT or other data-holding DNS records, Saitama encodes its orders in the IPv4 addresses returned by the DNS server (“the orders are encapsulated in the IPV4 addresses themselves”).
  • In the example, the command whoami is issued by encoding its ASCII byte values into the octets of two IPv4 answers (70.119.104.111 and 97.109.105.49).
  • The backdoor activity was observed in a phishing email targeting a Jordanian government official, attributed to the Iranian group APT34.
  • A public translator tool, Saitama Translator, was released to translate/decrypt DNS messages from the C2 (GitHub: morphuslabs/saitama_translator).
  • Sample artifacts include a Saitama sample hash (e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d).
  • Several DNS query domains are used in the examples (e.g., joexpediagroup.com and uber-asia.com) to reach the C2 server.

MITRE Techniques

  • [T1071.004] Application Layer Protocol: DNS – The malware encodes commands in the IPv4 addresses returned in DNS responses to issue instructions such as ‘whoami’. Quote: “…the orders are encapsulated in the IPV4 addresses themselves. For example, to issue the command ‘whoami’, the server will answer two IP addresses: 70.119.104.111 and 97.109.105.49.”
  • [T1566.001] Phishing: Spearphishing Attachment – The campaign used a phishing email targeting a Jordanian government official (foreign ministry) to deploy the backdoor. Quote: “phishing e-mail targeted to a government official from Jordan’s foreign ministry on an attack attributed to the Iranian group APT34.”
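The decoding described in the keypoints and in the T1071.004 entry above, as an added example for analysts (this is not the original write-up's code and not the Morphus Labs translator): it turns a set of A-record answers back into the bytes they carry and applies a simple query-name heuristic a DNS log reviewer could use. The sample answers and query names are the ones quoted on this page; the treatment of the first and last decoded byte as framing, the 20-character label threshold and the `WATCHED_DOMAINS` set are assumptions made for illustration, not facts from the page.

```python
"""Decoder and query heuristic for Saitama-style DNS tunnelling (added example)."""
import ipaddress

# Constructed sample: the two A-record answers the write-up quotes for 'whoami'.
SAMPLE_ANSWERS = ["70.119.104.111", "97.109.105.49"]

# Constructed sample queries: two names from the page's IoC list plus one benign name.
SAMPLE_QUERIES = [
    "vy5xxxxvzz650coacbsf03f2jkviwui9.joexpediagroup.com",
    "oxn009lc7n5887k96c4zfckes6uif.joexpediagroup.com",
    "www.example.com",
]

# Assumption: the C2 domains named on the page, used here as a watch list.
WATCHED_DOMAINS = {"joexpediagroup.com", "uber-asia.com"}


def octets_to_bytes(answers):
    """Concatenate the four octets of each A record, in wire order, into one byte string.

    ipaddress validates each address, so a malformed record raises instead of
    silently producing garbage.
    """
    data = bytearray()
    for addr in answers:
        data.extend(ipaddress.IPv4Address(addr).packed)
    return bytes(data)


def decode_answers(answers):
    """Render the carried bytes as text, replacing non-printable bytes with '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in octets_to_bytes(answers))


def extract_command(answers):
    """Return the command text carried in the answers.

    The page only states that the two addresses encode 'whoami'; the leading
    0x46 ('F') and trailing 0x31 ('1') fall outside that string.  This example
    ASSUMES they are framing bytes and returns what lies between them.
    """
    raw = octets_to_bytes(answers)
    return raw[1:-1].decode("ascii", errors="replace")


def looks_like_tunnel_query(fqdn, watched=WATCHED_DOMAINS, min_label_len=20):
    """Heuristic: a long alphanumeric leftmost label under a watched parent domain.

    The length threshold is an assumption for illustration; tune it against
    baseline traffic before using it as an alert condition.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return False
    parent = ".".join(labels[-2:])
    first = labels[0]
    return parent in watched and len(first) >= min_label_len and first.isalnum()


def flag_queries(queries):
    """Return the subset of query names that match the tunnelling heuristic."""
    return [q for q in queries if looks_like_tunnel_query(q)]


if __name__ == "__main__":
    print("raw bytes   :", octets_to_bytes(SAMPLE_ANSWERS))
    print("decoded     :", decode_answers(SAMPLE_ANSWERS))
    print("command     :", extract_command(SAMPLE_ANSWERS))
    print("flagged     :", flag_queries(SAMPLE_QUERIES))
```

Run against passive-DNS or resolver logs, the two pieces work together: `flag_queries` narrows the stream to suspicious names, and `decode_answers` applied to the A records returned for those names shows whether the responses read as text rather than as routable addresses.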

Indicators of Compromise

  • [IPv4 Address] DNS command encoding – 70.119.104.111, 97.109.105.49
  • [Domain] Attacker-controlled DNS domains for C2 – vy5xxxxvzz650coacbsf03f2jkviwui9.joexpediagroup.com, oxn009lc7n5887k96c4zfckes6uif.joexpediagroup.com
  • [Domain] Additional C2 domains referenced in examples – pqxwwk9cyl1upnxwyqwinn0wgzui5.uber-asia.com, w7irwrisb5lxwkow81udr.uber-asia.com
  • [SHA-256] Malware sample hash – e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d

Read more:

  • https://isc.sans.edu/forums/diary/Translating+Saitamas+DNS+tunneling+messages/28738/
  • https://morphuslabs.com/translating-saitamas-dns-tunneling-messages-877e3a3ed1d6