How the GreenBug Group Exploits DNS Tunneling with Ismdoor Malware
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Downloader, Malware, Spyware
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
The Ismdoor malware, linked to the GreenBug group, continues its cyberattacks using DNS tunneling to evade detection, communicate with command-and-control (C2) servers, and exfiltrate data. Black Lotus Labs detected recent spikes in such activity related to the domain basnevs[.]com, associated with Ismdoor. The malware encodes exfiltrated data into the subdomains of its DNS queries and receives hex-encoded messages from the C2. The increase in tunneling activity suggests that too many organizations still allow unmonitored DNS traffic, which raises the likelihood that DNS tunneling attacks succeed. The report does not explicitly name targeted countries or sectors.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Region | Afghanistan | Verified |
| Region | Bahrain | Verified |
| Region | France | Verified |
| Region | Germany | Verified |
| Region | Iran | Verified |
| Region | Iraq | Verified |
| Region | Pakistan | Verified |
| Region | Russia | Verified |
| Region | United States | Verified |
Extracted IOCs
- basnevs[.]com
- gaaranews[.]com
- ilmkidnuya[.]com
- 185[.]141.63.249
- 91[.]134.231.179
Tip: 5 IOCs related to this threat have been found (2 IP, 3 domain, 0 URL, 0 email, 0 file hash).
Overlaps
Source: DomainTools - December 2019
Detection (two cases): basnevs[.]com, gaaranews[.]com
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
FAQs
Understanding the Ismdoor Data Theft Campaign
Cyber attackers are using a deceptive method to communicate covertly with infected computers and steal data. By hiding their messages inside the standard DNS lookups that computers use to find websites, they bypass normal security checkpoints unnoticed.
The attacks are powered by an information-stealing program known as Ismdoor, or Nutshell. Security researchers link this tool to a threat group known as GreenBug, which has historical connections to other high-profile, state-sponsored cyber espionage campaigns.
The primary goal of this campaign is information theft. The attackers encode stolen data and move it out of a network piece by piece, disguising the theft as everyday background internet traffic.
The attackers registered fake web addresses designed to look like a Kurdish news website and a Pakistani educational platform. This suggests they were attempting to trick or target individuals who regularly seek out regional news or student resources.
The attacks have reached devices globally, but the impact is heavily concentrated in specific regions. Devices in Pakistan and Afghanistan made up more than half of the targeted connections, followed by targets in the United States and Iraq.
Once a device is infected, it reaches out to the attacker's server by issuing seemingly harmless DNS queries asking where a website is located. The attacker's server then responds with encoded instructions hidden inside the returned address data, allowing the attackers to control the computer remotely and extract data.
This method is attractive to attackers because most organizations do not closely monitor their DNS traffic. The massive everyday volume of DNS requests provides cover for attackers to hide their activity.
Organizations need to stop treating DNS traffic as a blind spot and start monitoring it for unusual behavior. Security teams should look for abnormal spikes in queries to unknown domains and for unusually long, random-looking strings of text in query names.
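As an added illustration of the monitoring advice above (example code written for this page, not from the report or from Black Lotus Labs), the following Python script scores DNS query log lines by subdomain length and character entropy and reports domains that repeatedly receive such queries. The log lines, the client addresses and the domain c2-placeholder.test are constructed and are not indicators from the report.

```python
"""Heuristic DNS-tunneling triage over DNS query logs (added example, not from the report)."""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<epoch> <client> <query name> <qtype>". The domain
# c2-placeholder.test stands in for a tunneling domain; it is NOT one of the report's IOCs.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com A
1700000002 10.0.0.9 a-very-long-but-legitimate-hostname-label.example.org A
1700000003 10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d.c2-placeholder.test A
1700000004 10.0.0.7 4e5f60718293a4b5c6d7e8f90a1b2c3d0a1b2c3d.c2-placeholder.test A
1700000005 10.0.0.7 8293a4b5c6d7e8f90a1b2c3d0a1b2c3d4e5f6071.c2-placeholder.test A
1700000006 10.0.0.7 c6d7e8f90a1b2c3d0a1b2c3d4e5f60718293a4b5.c2-placeholder.test A
1700000007 10.0.0.5 www.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload labels score higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname: str, suffix_labels: int = 2) -> tuple:
    """Split a query name into (registered domain, subdomain prefix).
    Assumes a two-label registered domain; production code should use the public suffix list."""
    labels = qname.split(".")
    if len(labels) <= suffix_labels:
        return qname, ""
    return ".".join(labels[-suffix_labels:]), ".".join(labels[:-suffix_labels])

def analyze(log_text: str, long_prefix: int = 32, high_entropy: float = 3.5, min_hits: int = 4) -> dict:
    """Return {registered domain: [(client, qname), ...]} for domains receiving at least min_hits
    queries with a long or high-entropy subdomain prefix; a single odd hostname is ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than crash the triage run
        client, qname = fields[1], fields[2].rstrip(".").lower()
        domain, prefix = split_name(qname)
        if prefix and (len(prefix) >= long_prefix or shannon_entropy(prefix) >= high_entropy):
            hits[domain].append((client, qname))
    return {d: q for d, q in hits.items() if len(q) >= min_hits}

if __name__ == "__main__":
    for domain, queries in analyze(SAMPLE_LOG).items():
        print(f"{domain}: {len(queries)} suspicious queries from {sorted({c for c, _ in queries})}")
```

The thresholds are starting points for tuning against a network's own baseline; CDN and telemetry domains with many short, low-entropy subdomains will not trigger, while repeated long encoded labels to one domain will.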
The specific victims in this campaign appear to be targeted based on regional interests, but the loophole the attackers are exploiting is a widespread issue. Because so many networks fail to monitor this specific type of internet traffic, it remains a global security vulnerability.