Chinese threat actor engaged in multi-year DNS resolver probing effort

For the past five years, a threat actor that’s likely connected to the Chinese government has been sending out unusual DNS queries to IP addresses over the internet to map open DNS resolvers inside networks and potentially gather other information in preparation for future attacks.

Researchers from security firm Infoblox detected the unusual DNS request patterns occurring intermittently going back as far as 2019 and attributed them to a group they’ve now dubbed Muddling Meerkat. Because the requests are triggering a very specific and seemingly planned behavior from the so-called Great Firewall (GFW) of China, a combination of government-run internet censorship technologies, Infoblox suspects Muddling Meerkat has some links to the GFW operators.

“The choice of Muddling Meerkat target domains demonstrates sophistication in DNS,” the Infoblox researchers said in a research paper released Monday. “Muddling Meerkat operators induce selective responses from the GFW that do not occur in normal GFW censorship. To do so, they have chosen target domains they do not control, which security appliances are very unlikely to block. Moreover, they use query types that are not commonly monitored and create a volume of queries that blends with normal DNS traffic.”

Mail exchange queries for non-existing subdomains

While the researchers have found Muddling Meerkat queries for various DNS record types, mail exchange (MX) queries stand out as both the most common and the most unusual. A domain’s MX records list the hostnames of the servers that handle email for that domain.

Muddling Meerkat sends MX queries for a select number of primary domains, as well as for randomly generated, non-existent subdomains of those domains. The targeted domains are not owned by the attackers and were intentionally chosen to be very old — some registered over 20 years ago — and very short, with names of only two to four letters.

The exact reasons why the attackers chose these target domains are unclear, but the researchers advance some possibilities: the old age of the domains makes them unlikely to appear in any regularly maintained DNS blocklists, and their short names make it likely that they are used as Active Directory domain names inside networks.

Even though it’s bad practice and insecure to use a fully qualified domain you don’t own as the internal Active Directory domain, some organizations have historically done so for convenience. Say, for example, an organization doesn’t own the domain name formed by the acronym of its full name followed by .com or .org because that domain was registered decades ago in the early days of the internet. It nevertheless chooses to use that name internally on its Windows network because it’s easy to remember and type and it’s not intended to be accessed externally.

However, networks are complex and their topology changes over time, so at some point an internal application or a computer taken outside the network could start sending queries for that domain to the open internet, exposing information about the network. The organization could also accidentally expose an internal DNS resolver — a server meant to resolve DNS for local clients — to the internet, or open a port in its router or firewall that directs DNS requests to an internal resolver. That resolver then becomes an “open resolver” on the internet, and open resolvers are resources attackers can abuse to launch DDoS attacks through techniques such as DNS reflection and amplification.

Normally, MX record queries for a domain would be forwarded by a DNS resolver to the authoritative DNS server for that domain. If the domain doesn’t have an MX record, the response will be an NXDOMAIN (non-existent domain) error. That should be the case for most of the queries sent by Muddling Meerkat, because they are querying IP addresses on the internet for MX records of non-existent subdomains, probably with the intention of identifying open resolvers inside networks that will accept their requests.
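As an added example, not code from the Infoblox paper or from this article, the following Python heuristic reads BIND-style resolver query logs (constructed sample lines are embedded) and flags the pattern described above: one client sending MX queries for many different subdomains of a short-named base domain. It also lists clients outside private address space, since any such client reaching the resolver means it is answering the open internet. The log format, the threshold and the two-label approximation of the registrable domain are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# BIND-style query-log line, reduced to the fields used here.
LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

# Address space treated as "inside" (RFC 1918 plus loopback). Any other client that reaches
# the resolver means it is answering the open internet, i.e. it is an open resolver.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample lines: documentation-range IPs, reserved .test TLD, made-up names.
SAMPLE_LOG = """\
29-Apr-2024 10:00:01.123 client 203.0.113.7#4242: query: kz7q.ab.test IN MX +
29-Apr-2024 10:00:02.456 client 203.0.113.7#4243: query: pl0x.ab.test IN MX +
29-Apr-2024 10:00:03.789 client 203.0.113.7#4244: query: m2vd.ab.test IN MX +
29-Apr-2024 10:00:04.000 client 10.0.0.15#5353: query: www.intranet.test IN A +
29-Apr-2024 10:00:05.000 client 10.0.0.16#5353: query: mail.bigcorp.test IN MX +
"""

def base_domain(name):
    """Registrable domain, approximated as the last two labels (no public-suffix list here)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def analyze(log, min_prefixes=3):
    """Return (probe_hits, external_clients).

    probe_hits maps (client, base_domain) to the subdomain prefixes it queried with type MX,
    kept only when the base domain's name is 2-4 letters and the client used at least
    min_prefixes distinct prefixes: many names under one short domain is the signature.
    """
    prefixes = defaultdict(set)
    external = set()
    for m in LINE_RE.finditer(log):
        ip, name, qtype = m.group("ip"), m.group("name").rstrip("."), m.group("qtype")
        if not is_internal(ip):
            external.add(ip)
        base = base_domain(name)
        sld = base.split(".")[0]
        if qtype == "MX" and name != base and 2 <= len(sld) <= 4 and sld.isalpha():
            prefixes[(ip, base)].add(name[: -len(base) - 1])
    hits = {key: names for key, names in prefixes.items() if len(names) >= min_prefixes}
    return hits, external
```

Calling `analyze(SAMPLE_LOG)` on the embedded sample returns one hit for the external client probing three random subdomains of `ab.test`, and that same client in the external set.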

Great Firewall of China DNS injection

What the Infoblox researchers observed is that the IP addresses making the queries were primarily Chinese and didn’t appear to be spoofed, making it more likely that the group was using dedicated servers to perform the probing. Some of the chosen target domains also had their authoritative name servers hosted in China.

This means the GFW was in the routing path for these requests and could therefore inject responses. Normally, the GFW is known for injecting bogus DNS responses for domains and websites the government doesn’t want users to access; those responses direct requests to a series of IP addresses probably controlled by the government.

Infoblox noticed similar GFW behavior for the MX queries initiated by Muddling Meerkat: instead of NXDOMAIN errors, the responses included Chinese IP addresses that didn’t actually have port 53 open, so they weren’t DNS servers either. This was baffling because it is the first time the GFW has been seen spoofing MX responses, and it appears to do so for non-existent, randomly generated subdomains that have no censorship value, since many of the main targeted domains are themselves inactive and don’t serve any content.

Moreover, the researchers weren’t able to get the GFW to perform these unusual response injections when they tried to replicate the requests themselves. They concluded that either the injection rules are in place only while Muddling Meerkat runs its probing activities, or the Muddling Meerkat requests contain certain identifying elements that the researchers can’t replicate and that the GFW looks for.

“In order to induce selective responses like those we have observed over four years, it seems that Muddling Meerkat must somehow be connected to the GFW operators,” Renée Burton, the vice president of Threat Intelligence at Infoblox, said in the paper. “While I also don’t know how these selective responses are triggered, it is possible that signatures contained in the IP packets, like those observed in ExploderBot traffic, are used to signal a different response from the GFW.”

Similarities to Slow Drip DDoS attacks

When they initially discovered the Muddling Meerkat DNS probes, the researchers thought they were part of a type of DNS distributed denial-of-service (DDoS) attack known as Slow Drip, which many years ago was associated with a botnet called ExploderBot.

Also known as random-prefix DDoS attacks, Slow Drip attacks likewise abuse open DNS resolvers to route DNS requests for non-existent subdomains. Their goal, however, is to overwhelm the authoritative DNS servers of the targeted domain with bogus requests so they can no longer respond to legitimate ones. That doesn’t seem to be the case with Muddling Meerkat, which neither generates the volume of requests needed to cause disruption nor uses the source and destination address spoofing typical of Slow Drip attacks.

“Queries for random hostnames of a target domain typify a Slow Drip DDoS attack; however, Muddling Meerkat queries differ from those in ExploderBot or other Slow Drip attacks,” Burton said. “The host names are short. Additionally, while some Slow Drip attacks do include a range of query types, the most common type is still an A record for an IPv4 address. I have not previously seen the type of MX record activity that characterizes Muddling Meerkat.”

While Muddling Meerkat’s motivation remains unclear and can only be speculated on, this unusual and persistent probing activity over multiple years should remind organizations to identify and remove all open DNS resolvers from their networks and to stop using fully qualified domain names they don’t own for DNS search lists and Active Directory.
