A previously undocumented cyber threat dubbed Muddling Meerkat has been observed undertaking sophisticated domain name system (DNS) activities in a likely effort to evade security measures and conduct reconnaissance of networks across the world since October 2019.
Cloud security firm Infoblox described the threat actor as likely affiliated with the People’s Republic of China (PRC) with the ability to control the Great Firewall (GFW), which censors access to foreign websites and manipulates internet traffic to and from the country.
The moniker is a reference to the “bewildering” nature of their operations and the actor’s abuse of DNS open resolvers – DNS servers that accept recursive queries from any IP address – to send queries from the Chinese IP space.
“Muddling Meerkat demonstrates a sophisticated understanding of DNS that is uncommon among threat actors today – clearly pointing out that DNS is a powerful weapon leveraged by adversaries,” the company said in a report shared with The Hacker News.
More specifically, it entails triggering DNS queries for mail exchange (MX) and other record types to domains not owned by the actor but which reside under well-known top-level domains such as .com and .org.
Infoblox said it detected over 20 such domains:
4u[.]com, kb[.]com, oao[.]com, od[.]com, boxi[.]com, zc[.]com, s8[.]com, f4[.]com, b6[.]com, p3z[.]com, ob[.]com, eg[.]com, kok[.]com, gogo[.]com, aoa[.]com, zbo6[.]com, id[.]com, mv[.]com, nef[.]com, ntl[.]com, tv[.]com, 7ee[.]com, gb[.]com, tunk[.]org, q29[.]org, ni[.]com, tt[.]com, pr[.]com, dec[.]com
Many of these websites are super-aged domains registered prior to 2000, thus allowing the adversary to blend in with other DNS traffic and fly under the radar by evading DNS blocklists.
Also observed are efforts to use servers in the Chinese IP address space to make DNS queries for random subdomains to IP addresses around the world as part of
It’s known that the GFW relies on what’s called DNS spoofing and tampering to inject fake DNS responses containing random real IP addresses when a request matches a banned keyword or a blocked domain.
In other words, when a user attempts to search for a blocked keyword or phrase, the GFW blocks or redirects the website query in a manner that will prevent the user from accessing the requested information. This can be achieved via DNS cache poisoning or IP address blocking.
This also means that if the GFW detects a query to a blocked website, the sophisticated tool injects a bogus DNS reply with an invalid IP address, or an IP address to a different domain, effectively corrupting the cache of recursive DNS servers located within its borders.
“The most remarkable feature of Muddling Meerkat is the presence of false MX record responses from Chinese IP addresses,” Dr. Renée Burton, vice president of threat intelligence for Infoblox, said. “This behavior […] differs from the standard behavior of the GFW.”
“These resolutions are sourced from Chinese IP addresses that do not host DNS services and contain false answers, consistent with the GFW. However, unlike the known behavior of the GFW, Muddling Meerkat MX responses include not IPv4 addresses but properly formatted MX resource records instead.”
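As an added illustration (not code from the article or from Infoblox), the following Python scans constructed resolver log lines for the signal described above: a properly formatted MX answer for a random subdomain of a short legacy domain, returned by an address that is not known to host DNS for that zone. The log format, the allowlist of known DNS hosts and all addresses are assumptions.

```python
import json
import re

# Constructed resolver log lines (one JSON object per line). These are invented
# samples for illustration, not data from the Infoblox report.
SAMPLE_LOG = """
{"responder": "203.0.113.77", "qname": "x7k2pq.kb.com.", "qtype": "MX", "answer": "10 mail.kb.com."}
{"responder": "198.51.100.10", "qname": "kb.com.", "qtype": "MX", "answer": "10 mail.kb.com."}
{"responder": "203.0.113.78", "qname": "q9wz3f.od.com.", "qtype": "MX", "answer": "20 mx1.od.com."}
{"responder": "203.0.113.79", "qname": "a1b2c3.tv.com.", "qtype": "A", "answer": "192.0.2.9"}
{"responder": "198.51.100.11", "qname": "www.example.com.", "qtype": "MX", "answer": "5 smtp.example.com."}
"""

# Hypothetical allowlist of addresses known to serve DNS for each apex (its
# authoritative servers); in practice derive it from NS records / passive DNS.
KNOWN_DNS_HOSTS = {
    "kb.com": {"198.51.100.10"},
    "od.com": {"198.51.100.12"},
    "tv.com": {"198.51.100.13"},
    "example.com": {"198.51.100.11"},
}

# A properly formatted MX RR: preference followed by a mail exchanger name.
MX_RR = re.compile(r"^\d{1,5} [a-z0-9.-]+\.$", re.I)
# A "random subdomain" label: 5+ alphanumerics mixing letters and digits.
RANDOM_LABEL = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{5,}$", re.I)

def apex_of(qname):
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_suspect(rec):
    """Flag a well-formed MX answer for a random subdomain of a short legacy
    apex that was returned by a host not known to serve DNS for that apex."""
    if rec["qtype"] != "MX" or not MX_RR.match(rec["answer"]):
        return False
    labels = rec["qname"].rstrip(".").split(".")
    if len(labels) < 3 or len(labels[-2]) > 4 or not RANDOM_LABEL.match(labels[0]):
        return False
    return rec["responder"] not in KNOWN_DNS_HOSTS.get(apex_of(rec["qname"]), set())

def scan(log_text):
    """Return (responder, qname) pairs worth investigating."""
    return [(r["responder"], r["qname"])
            for r in (json.loads(line) for line in log_text.strip().splitlines())
            if is_suspect(r)]
```

On the constructed sample, `scan(SAMPLE_LOG)` returns the two random-subdomain MX answers from 203.0.113.77 and 203.0.113.78; the apex MX lookup, the A record and the answer from a known authoritative host are not flagged.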
The exact motivation behind the multi-year activity is unclear, although Infoblox raised the possibility that it may be undertaken as part of an internet mapping effort or research of some kind.