Infoblox researchers describe Muddling Meerkat, a likely PRC state-backed operation that conducts long-running DNS activities by leveraging open resolvers and China’s Great Firewall to insert deceptive DNS responses. The study highlights false MX responses from Chinese IPs, the use of “super-aged” domains, and intermittent, low-volume campaigns, with practical guidance to mitigate open resolvers and DNS surveillance risks. #MuddlingMeerkat #GreatFirewall #DNS #MXRecords #OpenResolvers #PRC
Keypoints
- Muddling Meerkat is attributed to a Chinese state actor and operates in a multi-year DNS-centric campaign intertwining the Great Firewall and Slow Drip-like patterns.
- The operation relies on DNS queries for random subdomains and MX records sent to a broad set of destinations, including open resolvers.
- The Great Firewall injects false DNS answers, including false MX records from Chinese IP space, a behavior not previously documented.
- The actor uses “super-aged” domains (often registered before 2000) to avoid blocklists and blend with old malware.
- Evidence includes thousands of MX resolutions and more than 8,000 unique FQDNs, with the first MX resolutions observed around October 15, 2019 and a notable rise in late 2023–early 2024.
- Defensive recommendations emphasize eliminating open resolvers, not using unowned domains for AD/DNS search, and incorporating DNS detection/response (DNSDR) plus community reporting.
- Campaigns run in bursts of 1–3 days and appear fairly continuous, with low volumes compared to historic large-scale DNS DDoS activity.
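The keypoints above describe the observable pattern (MX queries for random subdomains under a few old apex domains, forged answers from specific IPs, and open resolvers serving outside clients). The following Python script is an added example, not from the Infoblox report, that checks resolver logs for those three signals; the log format, the client addresses and the internal network range are assumptions, while the apex domains and watchlist IPs are the ones listed in the IoC section of this page.

```python
import ipaddress
import math
from collections import Counter, defaultdict

# Constructed resolver log sample: "client qtype qname answer" per line.
# kb.com / 4u.com and the answer IPs come from the page's IoC list; the
# random-looking labels and client addresses are made up for this demo.
SAMPLE_LOG = """\
10.0.0.5 MX mail.example.org mail.example.org
203.0.113.7 MX q7xk2pz1.kb.com 183.136.225.45
203.0.113.7 MX b3n9tr0v.kb.com 183.136.225.14
203.0.113.9 MX zz81ql4m.4u.com 156.233.67.243
10.0.0.8 A www.example.org 198.51.100.20
"""

# IPs the page lists as actor infrastructure or possible GFW forged responses.
WATCHLIST_IPS = {"183.136.225.45", "183.136.225.14", "156.233.67.243",
                 "111.193.204.201", "111.193.204.204", "208.101.21.43"}
# Assumed site-internal range; anything outside it means the resolver is open.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def entropy(label: str) -> float:
    """Shannon entropy (bits/char) of one DNS label; random labels score high."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def analyse(log: str, min_entropy: float = 2.5):
    """Return (external clients served, {apex: [suspicious MX qnames]})."""
    external = set()
    suspicious = defaultdict(list)
    for line in log.splitlines():
        client, qtype, qname, answer = line.split()
        if not any(ipaddress.ip_address(client) in n for n in INTERNAL_NETS):
            external.add(client)  # served a non-internal client: open resolver
        if qtype != "MX":
            continue
        labels = qname.lower().rstrip(".").split(".")
        apex = ".".join(labels[-2:])  # simplification: ignores multi-label TLDs
        random_sub = len(labels) > 2 and entropy(labels[0]) >= min_entropy
        if random_sub or answer in WATCHLIST_IPS:
            suspicious[apex].append(qname)
    return external, dict(suspicious)
```

The entropy threshold is a heuristic; in practice, tune it per apex domain and combine it with query-volume bursts over 1–3 day windows, matching the campaign cadence the report describes.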
MITRE Techniques
- [T1071.004] Application Layer Protocol: DNS – The operation uses DNS queries for random subdomains and MX records to many destinations, including open resolvers. ‘Use servers in Chinese IP space to conduct campaigns by making DNS queries for random subdomains to a wide array of IP addresses, including open resolvers’
- [T1583] Acquire Infrastructure – The actor leverages Chinese IP space and open resolvers as infrastructure for the DNS operation. ‘Use servers in Chinese IP space to conduct campaigns…’
- [T1036] Masquerading – The attacker favors long-lived, pre-existing domains to blend in with legitimate traffic and past malware. ‘Choose domains for abuse based on their length and age rather than their current status and ownership; while many of the domains are abandoned or have been repurposed…’
Indicators of Compromise
- [Domain] context – 4u.com, kb.com, and 19 more domains (domains cited as non-critical, blocked, or example domains)
- [IP Address] context – 183.136.225.45, 183.136.225.14
- [DNS-Record/Hostname] context – kb.com (MX-related activity with random hostnames under kb.com)
- [Possible GFW-related forged responses] context – 156.233.67.243, 111.193.204.201, 111.193.204.204, 208.101.21.43