A new cluster of activity tracked as “Muddling Meerkat” is believed to be linked to a Chinese state-sponsored threat actor. The actor has been manipulating DNS to probe networks globally since October 2019, with a spike in activity observed in September 2023.
A notable aspect of Muddling Meerkat’s activity is the manipulation of MX (Mail Exchange) records by injecting fake responses through China’s Great Firewall (GFW), an unusual and previously unseen behavior for the country’s internet censorship system.
Discovered by Infoblox, the activity has no obvious goal or motivation, but it demonstrates the sophistication and advanced capability needed to manipulate global DNS systems.
Muddling Meerkat operations
By looking into massive volumes of DNS data, Infoblox researchers discovered activity they say could easily fly under the radar or be mistaken for innocuous traffic.
DNS is an essential functional component of the internet, translating human-readable domain names into IP addresses that computers use to identify each other on the network and establish connections.
Muddling Meerkat manipulates DNS queries and responses by targeting the resolution process itself, the mechanism by which resolvers obtain and return answers such as IP addresses.
For instance, they can provoke false MX record responses from the GFW, interfering with mail routing and potentially misdirecting email.
The Great Firewall’s usual function is to filter and block content by intercepting DNS queries and injecting invalid responses, redirecting users away from certain sites. Muddling Meerkat’s activity causes it to issue fake responses that serve other objectives, such as testing the resilience and behavior of other networks.
“The GFW can be described as an ‘operator on the side,’ meaning that it does not alter DNS responses directly but injects its own answers, entering into a race condition with any response from the original intended destination. When the GFW response is received by the requester first, it can poison their DNS cache. In addition to the GFW, China operates a system referred to as the Great Cannon (GC). The GC is an ‘operator in the middle,’ allowing it to modify packets en route to their destination.”
❖ Infoblox
To further obfuscate their activities, Muddling Meerkat makes DNS requests for random subdomains of their target domains, which often don’t exist.
Though this resembles an attack named “Slow Drip DDoS,” Infoblox notes that in Muddling Meerkat’s case, the queries are small in scale and aimed at testing rather than disruption.
The threat actor also uses open resolvers to obscure the origin of its queries and interacts with both authoritative and recursive resolvers.
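The two behaviors described above, injected MX answers that differ from the zone’s real mail servers and small bursts of queries for random-looking subdomains, both leave traces in recursive resolver logs. The following script is an added example written for this article, not code from Infoblox or from the report; it runs a detection pass over a constructed log sample. The log format, the client addresses, the domains, and the EXPECTED_MX table of known-good mail servers are all assumptions for illustration, and the base_domain() helper deliberately ignores public-suffix rules.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines (not real traffic). Fields:
# timestamp client_ip qname qtype rcode answer   ("-" when there is no answer)
SAMPLE_LOG = """\
2023-09-12T10:00:01Z 198.51.100.7 example.com. MX NOERROR mail.example.com.
2023-09-12T10:00:03Z 198.51.100.7 q7xk2pd9.example.com. A NXDOMAIN -
2023-09-12T10:00:04Z 198.51.100.7 example.com. MX NOERROR zy3k.mx-hosting.invalid.
2023-09-12T10:00:09Z 198.51.100.7 m4zt81wq.example.com. A NXDOMAIN -
2023-09-12T10:00:15Z 198.51.100.7 bv9c3lxk.example.com. MX NXDOMAIN -
2023-09-12T10:00:21Z 198.51.100.7 www.example.com. A NOERROR 192.0.2.10
2023-09-12T10:00:30Z 203.0.113.5 www.example.com. A NOERROR 192.0.2.10
2023-09-12T10:00:31Z 203.0.113.5 mail.example.com. A NOERROR 192.0.2.25
2023-09-12T10:00:40Z 198.51.100.7 t8ln5qx2.example.com. A NXDOMAIN -
"""

# Assumed known-good MX targets per zone. In practice populate this from the
# authoritative zone or from DNSSEC-validated answers, never from resolver logs.
EXPECTED_MX = {"example.com.": {"mail.example.com."}}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label: str, min_len: int = 7, min_entropy: float = 2.8) -> bool:
    """Heuristic for machine-generated labels: long enough and high-entropy."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def base_domain(qname: str) -> str:
    """Last two labels of a trailing-dot FQDN. Assumption: no public-suffix
    handling, so 'foo.co.uk.' would be mis-split; use a PSL library in production."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def parse_log(text: str):
    """Parse the whitespace-separated log format used by SAMPLE_LOG."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode, answer = line.split()
        records.append({"ts": ts, "client": client, "qname": qname,
                        "qtype": qtype, "rcode": rcode, "answer": answer})
    return records


def analyze(records, expected_mx=EXPECTED_MX, min_random=3):
    """Return two kinds of findings:
    random_subdomain_probes: (client, zone) -> number of distinct random-looking
        subdomains queried, for pairs at or above min_random;
    suspect_mx: (client, zone, answer) for MX answers outside the expected set,
        the trace an injected 'operator on the side' response leaves in the cache."""
    random_labels = defaultdict(set)
    suspect_mx = []
    for r in records:
        zone = base_domain(r["qname"])
        if r["qname"] != zone:
            first_label = r["qname"].split(".")[0]
            if looks_random(first_label):
                random_labels[(r["client"], zone)].add(first_label)
        if r["qtype"] == "MX" and r["rcode"] == "NOERROR" and zone in expected_mx:
            if r["answer"] not in expected_mx[zone]:
                suspect_mx.append((r["client"], zone, r["answer"]))
    probes = {k: len(v) for k, v in random_labels.items() if len(v) >= min_random}
    return {"random_subdomain_probes": probes, "suspect_mx": suspect_mx}


if __name__ == "__main__":
    findings = analyze(parse_log(SAMPLE_LOG))
    for client_zone, count in findings["random_subdomain_probes"].items():
        print("random-subdomain probing:", client_zone, count, "distinct labels")
    for client, zone, answer in findings["suspect_mx"]:
        print("unexpected MX answer:", client, zone, "->", answer)
```

On the sample, the script flags one client for four distinct random-looking subdomains of example.com and one MX answer that does not match the zone’s known mail server. The entropy heuristic will also fire on legitimate content-hash or CDN labels, so treat the counts as a pivot for investigation rather than a verdict, and keep the random-subdomain threshold low: the article notes these probes are small in scale, so a Slow Drip-style volume alarm would miss them.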
Infoblox reports that Muddling Meerkat chooses target domains with short names registered before 2000, making them less likely to be on DNS blocklists.
As for the purpose of the activity, Muddling Meerkat might be mapping networks and evaluating their DNS security to plan future attacks, or its goal could be to create DNS “noise” that helps hide more malicious activity and confuses administrators trying to pinpoint the source of anomalous DNS requests.
The Infoblox report provides a complete list of Muddling Meerkat indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs), including lists of domains that can be blocked without significant impact because they host no website, host illegal content, or are parked.