Muddling Meerkat Using DNS As A Powerful Weapon


Hackers exploit DNS vulnerabilities to redirect users to malicious websites, launch distributed denial-of-service (DDoS) attacks by overwhelming DNS servers, and manipulate domain resolutions to intercept traffic for surveillance or data theft purposes.

Infoblox researchers recently revealed “Muddling Meerkat,” a highly sophisticated likely Chinese state actor able to manipulate China’s Great Firewall internet censorship system. 

This DNS-based threat bypasses security by generating massive distributed DNS query volumes propagated through open resolvers worldwide.



Muddling Meerkat & Chinese Firewall

Leveraging its DNS expertise, Infoblox proactively discovered and blocked the actor’s domains to protect customers from this emerging cyber threat operating under China’s control of its national internet infrastructure.

Operation Overview

Infoblox Threat Intel’s Dr. Renee Burton explained, “It was our unwavering focus on DNS data coupled with advanced data science and AI that enabled us to track down a Chinese-controlled DNS operator which we believe is behind the so-called ‘Muddling Meerkat’ campaign.” 

The nickname denotes the campaign’s mysterious nature and its elaborate use of open resolvers and MX records to hide its tactics. 

This discovery underscores for Infoblox customers the need for strong detection and response capabilities against such advanced threats based on DNS. 

Not only that, but this actor’s activity also shows a deep understanding of domain name system (DNS) operations, which illustrates the importance of securing them.

Muddling Meerkat has been active since 2019 and shows a very high-level attack on the DNS system. 

The Meerkat’s true intentions are currently unknown, but they seem to be related to reconnaissance. Initially, it was believed to be another type of slow-drip DDoS attack. 

Patented technology and Zero Day DNS capabilities stopped 82% of this year’s threats before they could even make their first query; in total, 46 million indicators were identified in 2023, with a false-positive rate of .0002 percent per one million queries.

The list below covers the sophisticated techniques the threat actors use in their operations:

  • To provoke responses from the Great Firewall, they elicit false non-MX records from within Chinese IP ranges, showing that their strategy uses national infrastructure in new ways.
  • They also send DNS queries for MX records and other resource record types for domains under common top-level domains such as “.com” and “.org,” which the threat actors neither own nor control. This helps conceal their true intentions.
  • Another method is using old domains, created before 2000, so that the traffic passes as regular DNS activity and bypasses detection mechanisms that look only for recently registered domains, which indicates a deeper understanding of how DNS works.
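As an added example (not Infoblox’s detection code), the following heuristic scans constructed resolver log lines for the pattern described above: MX queries for long-registered domains arriving from many distinct sources. The log format and the domain registration dates are assumptions.

```python
"""Heuristic detector for Muddling Meerkat-style MX query patterns.

Flags domains that receive MX queries from many distinct clients and
whose registration date predates 2000 (the "old domain" trait above).
"""
from collections import defaultdict
from datetime import date

# Constructed sample log: "<epoch> <client_ip> <qname> <qtype>" per line.
SAMPLE_LOG = """\
1714000001 203.0.113.10 example.com MX
1714000002 198.51.100.7 example.com MX
1714000003 192.0.2.44 example.com MX
1714000004 203.0.113.55 example.com MX
1714000005 198.51.100.9 example.com MX
1714000006 203.0.113.10 new-shop.org MX
1714000007 192.0.2.80 example.org A
"""

# Constructed registration dates; in practice taken from WHOIS/RDAP.
REGISTERED = {"example.com": date(1995, 8, 14),
              "new-shop.org": date(2023, 3, 2)}


def parse_log(text):
    """Parse log lines into (timestamp, client_ip, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), qtype.upper()))
    return records


def find_suspects(records, min_clients=3, cutoff=date(2000, 1, 1),
                  registered=REGISTERED):
    """Return {qname: distinct_client_count} for MX-queried domains that
    were registered before `cutoff` and seen from >= min_clients sources."""
    clients = defaultdict(set)
    for _, client, qname, qtype in records:
        if qtype == "MX":
            clients[qname].add(client)
    suspects = {}
    for qname, sources in clients.items():
        reg = registered.get(qname)
        if reg is not None and reg < cutoff and len(sources) >= min_clients:
            suspects[qname] = len(sources)
    return suspects


if __name__ == "__main__":
    print(find_suspects(parse_log(SAMPLE_LOG)))  # {'example.com': 5}
```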

“Muddling Meerkat appears to be a Chinese state actor, because we can observe MX record responses from Chinese IP addresses that are not open on port 53 of Muddling Meerkat target domains over multiple years, I am confident those responses are results of the GFW,” researchers said.
