The threat group’s use of advanced distraction and obfuscation techniques could be a precursor of future, larger-scale global DNS attacks
Cybersecurity researchers have recently uncovered a particularly sophisticated DNS threat actor with a strong ability to bypass traditional security measures.
The threat group conducts operations by generating large volumes of widely distributed DNS queries, which are then propagated across the internet via open DNS resolvers. Records indicate they have been operating covertly since at least October 2019, launching operations that resemble Slow Drip DDoS attacks.
However, researchers surmise that DDoS is unlikely to be the group’s ultimate goal, and that they may instead be performing reconnaissance or prepositioning in preparation for future attacks. Evidence has so far pointed to the threat group’s links with China, given their ability to control the Great Firewall (GFW). The research further shows that their operations:
- Induce responses from GFW, including false MX records from the Chinese IP address space. This highlights a novel use of national infrastructure as a fundamental part of their strategy.
- Trigger DNS queries for MX and other record types to domains not owned by the actor but which reside under well-known top-level domains such as .com and .org. This tactic highlights the use of distraction and obfuscation techniques to hide the real intended purpose.
- Utilize super-aged domains, typically registered prior to the year 2000, enabling the actor to blend in with other DNS traffic and avoid detection. This further highlights the threat actor’s sophisticated understanding of DNS and existing security controls that is uncommon among threat actors today.
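One defender-side check that follows from the behaviour described above, added here as an example and not code from Infoblox or the research: flag base domains whose query volume consists almost entirely of never-repeated subdomains, the signature of a Slow Drip burst, and report how many of those queries were MX lookups. The log format and the sample lines are constructed assumptions.

```python
"""Flag Slow Drip-style random-subdomain query bursts in a resolver query log."""
from collections import defaultdict
import hashlib

def make_sample_log():
    """Constructed sample log, one query per line: '<epoch> <client_ip> <qname> <qtype>'.
    30 MX queries for unique random-looking subdomains of one old .com domain
    (the Slow Drip pattern) plus a little ordinary traffic for contrast."""
    lines = []
    for i in range(30):
        label = hashlib.sha256(f"seed{i}".encode()).hexdigest()[:8]
        lines.append(f"1700000{i:03d} 198.51.100.{i % 7 + 1} {label}.aged-example.com. MX")
    for i in range(10):
        lines.append(f"1700001{i:03d} 192.0.2.{i + 1} www.example.org. A")
    lines.append("1700002000 192.0.2.5 mail.example.org. MX")
    return "\n".join(lines)

def parse_line(line):
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname.lower().rstrip("."), qtype.upper()

def base_domain(qname):
    # Assumption: a two-label base is enough for .com/.org; a public-suffix list
    # is needed for TLDs such as .co.uk.
    return ".".join(qname.split(".")[-2:])

def slow_drip_candidates(log_text, min_queries=20, min_unique_ratio=0.9):
    """Return {base_domain: stats} for base domains with at least min_queries
    queries where the share of distinct query names is >= min_unique_ratio."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "mx": 0, "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, qtype = parse_line(line)
        s = stats[base_domain(qname)]
        s["queries"] += 1
        s["names"].add(qname)
        s["clients"].add(client)
        if qtype == "MX":
            s["mx"] += 1
    flagged = {}
    for base, s in stats.items():
        ratio = len(s["names"]) / s["queries"]
        if s["queries"] >= min_queries and ratio >= min_unique_ratio:
            flagged[base] = {"queries": s["queries"], "unique_ratio": round(ratio, 2),
                             "mx_queries": s["mx"], "clients": len(s["clients"])}
    return flagged

if __name__ == "__main__":
    for base, s in slow_drip_candidates(make_sample_log()).items():
        print(base, s)
```

A high MX share across many distinct subdomains of a long-registered domain the organisation does not own is the pattern worth correlating with the other indicators listed above.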
According to Dr Renée Burton, Vice President, Infoblox Threat Intel, part of the research group that discovered the DNS threat actor they have dubbed “Muddling Meerkat” (implying a cute-looking but actually dangerous group): “Our unrelenting focus on DNS… has enabled our global team of threat hunters to be the first to discover Muddling Meerkat lurking in the shadows and produce critical threat intelligence for our customers. This actor’s complex operations demonstrate a strong understanding of DNS, stressing the importance of having a DNS detection and response strategy in place to stop (such) sophisticated threats.”