Lyceum Group, an Iranian state-sponsored APT, deployed a new .NET DNS backdoor (DnsSystem) in campaigns targeting the Middle East, delivered via a macro-enabled Word document and an attacker-controlled DNS server. The backdoor communicates over DNS (TXT and A records) to receive commands, upload and download files, and exfiltrate data, relying on DNS hijacking for C2.
Key points
- The Lyceum Group is a state-sponsored Iranian APT known for targeting Middle Eastern energy and telecom sectors with .NET-based malware.
- A new .NET DNS backdoor, DnsSystem, is a customized variant of the open-source DIG.net tool used for DNS-based C2.
- Delivery relies on a macro-enabled Word document hosted on news-spot.live, with AutoOpen/AutoClose functions enabling persistence and payload deployment.
- The backdoor uses attacker-controlled DNS (DNS hijacking) to fetch TXT records that carry commands and a communication ID for C2.
- BotID is generated from the Windows username, binding the payload to the infected host and guiding command reception via DNS TXT records.
- DNS-based C2 supports commands (e.g., ipconfig, whoami) and data exfiltration via DNS A records, including a base64-encoded output pattern and end marker.
- Threat actors persist via startup folder deployment and leverage anti-analysis tricks; cloud sandbox detections have been observed during analysis.
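The TXT-command and A-record exfiltration pattern described above, as an added defender-side example that is not part of the original post or Zscaler's analysis: a small Python triage script over a constructed resolver log that flags hosts repeatedly polling TXT records under one domain, and A queries whose leftmost label decodes as base64 text (the shape ipconfig or whoami output takes when tunnelled out). The log lines, the BotID-style subdomain, the TXT threshold and the eTLD+1 shortcut are assumptions; the end marker the post mentions is not modelled because its value is not given here.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed resolver log (client qtype qname), not from the page: one host polls TXT
# records under an attacker domain and pushes a base64 chunk of command output as an
# A-query label; the other host makes ordinary lookups.
SAMPLE_LOG = """\
10.0.0.5 TXT dc1f3a9b.cyberclub.one
10.0.0.5 TXT dc1f3a9b.cyberclub.one
10.0.0.5 TXT dc1f3a9b.cyberclub.one
10.0.0.5 TXT dc1f3a9b.cyberclub.one
10.0.0.5 A V2luZG93cyBJUCBDb25maWd1cmF0aW9u.cyberclub.one
10.0.0.7 A www.example.com
10.0.0.7 TXT example.com
"""
TXT_THRESHOLD = 4  # assumed TXT queries per client/domain that merit review
B64_LABEL = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")

def registered_domain(qname):
    # Crude eTLD+1 (last two labels); enough for the sample, use a PSL in production.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def looks_base64_text(label):
    # Does the label decode as base64 to mostly printable text, i.e. tunnelled
    # command output rather than a random or binary-looking label?
    if not B64_LABEL.match(label):
        return False
    core = label.rstrip("=")
    try:
        raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return bool(raw) and printable / len(raw) >= 0.9

def analyze(log_text):
    # Flag heavy TXT polling per (client, domain) and A queries carrying base64 text.
    txt_counts, findings = Counter(), []
    for line in log_text.splitlines():
        client, qtype, qname = line.split()
        domain = registered_domain(qname)
        if qtype == "TXT":
            txt_counts[(client, domain)] += 1
        elif qtype == "A" and looks_base64_text(qname.split(".")[0]):
            findings.append((client, domain, "base64 text in A-query label"))
    for (client, domain), n in txt_counts.items():
        if n >= TXT_THRESHOLD:
            findings.append((client, domain, f"{n} TXT queries (command polling)"))
    return findings
```

Real resolver logs need a time window around the TXT count and a public-suffix list in place of the two-label shortcut; the base64 check alone will also fire on some CDN or tracking hostnames, so treat it as a triage signal rather than a verdict.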
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The macro-enabled Word document triggers AutoOpen() to reveal content and later executes commands via a command execution routine: 'Once the user enables the macro content, the following AutoOpen() function is executed' and 'cmd.exe /c '
- [T1055] Process Injection – The backdoor code writes a PE file (DnsSystem.exe) into the Startup folder to maintain persistence and execute via the macro chain: 'The PE file is then further written into the Startup folder in order to maintain persistence via the macro code'
- [T1562] Disable or Modify Tools – Attackers use anti-analysis tricks and re-packaging to evade security solutions and complicate static analysis: 'Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes static analysis even more challenging.'
- [T1010] Application Window Discovery – The campaign generates a BotID based on the Windows username, revealing local system information used for targeting: 'Next, the Form Load function generates a unique BotID depending on the current Windows username.'
- [T1018] Remote System Discovery – The DNS-based C2 flow leverages an attacker-controlled DNS server and uses DNS queries to fetch control data: 'Initialize Attacker-Controlled DNS Server' and 'The BeginDigIt function then executes the main DNS resolver function DigIt.'
- [T1057] Process Discovery – The BotID and command-processing flow reflect discovery of local system context to tailor commands: 'Generates a unique BotID depending on the current Windows username' and subsequent TXT-record command parsing.
- [T1518] Security Software Discovery – Cloud sandbox/defensive tooling interactions are noted as detection occurs during analysis: 'The Zscaler Cloud Sandbox successfully detected the malware.'
- [T1071] Application Layer Protocol – DNS is used as the C2 channel: 'The DNS protocol for command and control (C2) communication which increases stealth' and 'the backdoor communicates via DNS TXT/A records.'
Indicators of Compromise
- [Hash] Exe Hash – 8199f14502e80581000bd5b3bda250ee
- [Hash] Docm Hash – 13814a190f61b36aff24d6aa1de56fe2
- [File Name] DnsSystem.exe – Dropped backdoor binary
- [Domain] cyberclub.one – Attacker-controlled DNS server domain
- [URL] hxxp://news-spot.live/Reports/1/?id=1111&pid=a52 – Landing page hosting the macro document
- [URL] hxxp://news-spot.live/Reports/1/?id=1111&pid=a28
- [URL] hxxp://news-spot.live/Reports/1/?id=1111&pid=a40
- [URL] hxxp://news-spot.live/Reports/1/45/DnsSystem.exe – Direct download path for DnsSystem
- [IP] 85.206.175.199 – Attacker-controlled DNS server IP used for TXT record responses
Read more: https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor