An hitherto unrecorded cyber menace, christened Perplexing Pouched Animal, has been observed engaging in intricate domain name system (DNS) maneuvers, likely in a bid to circumvent security measures and conduct surveillance of networks worldwide since October 2019.
Describing the threat actor as likely aligned with the People’s Republic of China (PRC), cloud security entity Infoblox suggests their capability to oversee the Great Firewall (GFW), responsible for restricting access to foreign websites and manipulating internet traffic to and from the nation.
The name stems from the “bewildering” nature of their activities, and their exploitation of DNS open resolvers — DNS servers that accept recursive queries from all IP addresses — to dispatch the queries from within Chinese IP space.
“Perplexing Pouched Animal exhibits a sophisticated comprehension of DNS, a rarity among contemporary threat actors, underscoring the potency of DNS as a tool wielded by adversaries,” the company remarked in a dossier relayed to The Hacker News.
Specifically, the modus operandi involves instigating DNS queries for mail exchange (MX) and other record types towards domains not under the actor’s control but housed within well-known top-level domains like .com and .org.
Infoblox, detecting the threat actor via aberrant DNS MX record solicitations routed to its recursive resolvers by customer devices, noted over 20 such domains:
4u[.]com, kb[.]com, oao[.]com, od[.]com, boxi[.]com, zc[.]com, s8[.]com, f4[.]com, b6[.]com, p3z[.]com, ob[.]com, eg[.]com, kok[.]com, gogo[.]com, aoa[.]com, gogo[.]com, zbo6[.]com, id[.]com, mv[.]com, nef[.]com, ntl[.]com, tv[.]com, 7ee[.]com, gb[.]com, tunk[.]org, q29[.]org, ni[.]com, tt[.]com, pr[.]com, dec[.]com
“Muddling Meerkat elicits a special kind of fake DNS MX record from the Great Firewall which has never been seen before,” Dr. Renée Burton, Infoblox’s vice president of threat intelligence, informed The Hacker News. “For this to happen, Muddling Meerkat must have a relationship with the GFW operators.”
“The target domains are the domain used in the queries, so it is not necessarily the target of an attack. It is the domain used to carry out the probe attack. These domains are not owned by Muddling Meerkat.”
The GFW typically resorts to DNS spoofing and tampering to introduce false DNS responses containing random genuine IP addresses when a request aligns with a banned keyword or a blocked domain.
Put simply, upon a user’s endeavor to seek out a prohibited keyword or phrase, the GFW intercepts or redirects the website query, thwarting access to the requested information. This can be facilitated through DNS cache poisoning or IP address hindrance.
Moreover, if the GFW discerns a query directed towards a barred website, the sophisticated tool inserts a spurious DNS reply with an invalid IP address, or an IP address leading to a different domain, thereby undermining the cache of recursive DNS servers domiciled within its jurisdiction.
“The most notable aspect of Perplexing Pouched Animal is the emergence of false MX record responses from Chinese IP addresses,” Burton asserted. “This behavior diverges from the established modus operandi of the GFW.”
“These resolutions emanate from Chinese IP addresses devoid of DNS services and furnish false responses, in alignment with the GFW. However, in contrast to the known conduct of the GFW, Perplexing Pouched Animal’s MX responses incorporate not IPv4 addresses but accurately formatted MX resource records instead.”
The precise impetus behind this multi-year endeavor remains shrouded in ambiguity, although it raises the prospect of being part of an internet cartography endeavor or some form of research.
“Perplexing Pouched Animal represents a Chinese state-affiliated entity executing deliberate and highly adept DNS maneuvers against global networks on an almost daily basis – and the comprehensive extent of their activities eludes observation from any single vantage point,” Burton asserted.
“Malware proves simpler than DNS in this regard — once you pinpoint the malware, comprehension follows suit. Here, we discern activity but lack full understanding. CISA, the FBI, and other agencies persist in cautioning against Chinese prepositioning operations that evade detection. Anything eluding complete visibility or comprehension warrants concern.”
