A previously undocumented cyber threat dubbed Muddling Meerkat has been observed undertaking sophisticated domain name system (DNS) activities in a likely effort to evade security measures and conduct reconnaissance of networks across the world since October 2019.
Cloud security firm Infoblox described the threat actor as likely affiliated with the People’s Republic of China (PRC) with the ability to control the Great Firewall (GFW), which censors access to foreign websites and manipulates internet traffic to and from the country.
The moniker is reference to the “bewildering” nature of their operations and the actor’s abuse of DNS open resolvers – which are DNS servers that accept recursive queries from all IP addresses – to send the queries from the Chinese IP space.
“Muddling Meerkat demonstrates a sophisticated understanding of DNS that is uncommon among threat actors today – clearly pointing out that DNS is a powerful weapon leveraged by adversaries,” the company said in a report shared with The Hacker News.
More specifically, it entails triggering DNS queries for mail exchange (MX) and other record types to domains not owned by the actor but which reside under well-known top-level domains such as .com and .org.
Infoblox, which discovered the threat actor from anomalous DNS MX record requests that were sent to its recursive resolvers by customer devices, said it detected over 20 such domains –
4u[.]com, kb[.]com, oao[.]com, od[.]com, boxi[.]com, zc[.]com, s8[.]com, f4[.]com, b6[.]com, p3z[.]com, ob[.]com, eg[.]com, kok[.]com, gogo[.]com, aoa[.]com, gogo[.]com, zbo6[.]com, id[.]com, mv[.]com, nef[.]com, ntl[.]com, tv[.]com, 7ee[.]com, gb[.]com, tunk[.]org, q29[.]org, ni[.]com, tt[.]com, pr[.]com, dec[.]com
“Muddling Meerkat elicits a special kind of fake DNS MX record from the Great Firewall which has never been seen before,” Dr. Renée Burton, vice president of threat intelligence for Infoblox, told The Hacker News. “For this to happen, Muddling Meerkat must have a relationship with the GFW operators.”
“The target domains are the domain used in the queries, so it is not necessarily the target of an attack. It is the domain used to carry out the probe attack. These domains are not owned by Muddling Meerkat.”
It’s known that the GFW relies on what’s called DNS spoofing and tampering to inject fake DNS responses containing random real IP addresses when a request matches a banned keyword or a blocked domain.
In other words, when a user attempts to search for a blocked keyword or phrase, the GFW blocks or redirects the website query in a manner that will prevent the user from accessing the requested information. This can be achieved via DNS cache poisoning or IP address blocking.
This also means that if the GFW detects a query to a blocked website, the sophisticated tool injects a bogus DNS reply with an invalid IP address, or an IP address to a different domain, effectively corrupting the cache of recursive DNS servers located within its borders.
“The most remarkable feature of Muddling Meerkat is the presence of false MX record responses from Chinese IP addresses,” Burton said. “This behavior […] differs from the standard behavior of the GFW.”
“These resolutions are sourced from Chinese IP addresses that do not host DNS services and contain false answers, consistent with the GFW. However, unlike the known behavior of the GFW, Muddling Meerkat MX responses include not IPv4 addresses but properly formatted MX resource records instead.”
The exact motivation behind the multi-year activity is unclear, although it raised the possibility that it may be undertaken as part of an internet mapping effort or research of some kind.
“Muddling Meerkat is a Chinese nation-state actor performing deliberate and highly skilled DNS operations against global networks on an almost daily basis – and the full scope of their operation can not be seen in any one location,” Burton said.
“Malware is easier than DNS in this sense – once you locate the malware, it is straightforward to understand it. Here, we know something is happening, but don’t understand it fully. CISA, the FBI, and other agencies continue to warn of Chinese prepositioning operations that are undetected. We should be worried about anything we can’t fully see or understand.”