
China-Linked 'Muddling Meerkat' Conducts DNS Hijacking for Internet Mapping #358

Open
immartian opened this issue Apr 30, 2024 · 3 comments
Labels
China reading group summaries and discussions of research papers and other publications

Comments


immartian commented Apr 30, 2024

"A previously undocumented cyber threat called Muddling Meerkat has been conducting sophisticated domain name system (DNS) activities since October 2019. The threat actor, likely affiliated with the People's Republic of China, has the ability to control the Great Firewall and uses DNS open resolvers to send queries from Chinese IP space. The actor triggers DNS queries for mail exchange and other record types to domains not owned by them but under well-known top-level domains. Cloud security firm Infoblox detected over 20 such domains. The threat actor elicits a special kind of fake DNS MX record from the Great Firewall, indicating a relationship with the GFW operators. The exact motivation behind the activity is unclear, but it may be part of an internet mapping effort or research. The presence of false MX record responses from Chinese IP addresses is a remarkable feature of Muddling Meerkat. The full scope of the operation cannot be seen in any one location, raising concerns about undetected Chinese prepositioning operations. The article was published on April 29, 2024, by The Hacker News."

https://here.news/story/696bc9ee?ver=0.44

@UjuiUjuMandan

  1. By what query can I observe these injected MX records?
  2. What is their purpose?


0x391F commented May 2, 2024

https://here.news/story/696bc9ee?ver=0.44

You should remove ?ver=0.44 from the link so that visitors could get the latest version of the article. @immartian

@wkrp wkrp added China reading group summaries and discussions of research papers and other publications labels May 5, 2024

wkrp commented May 6, 2024

Renée Burton of Infoblox has a technical blog post and report.

I have read the report. There are still some aspects that are unclear to me. The authors also say that the operation is mysterious and hard to explain. "The motivation for these operations is unclear." Here are the main points, according to my understanding:

  • The researchers observed three kinds of unusual DNS query:
    • MX queries for certain target domains. Real examples of observed target domains are kb.com, 4u.com, id.com, od.com, ntl.com, nef.com, and boxi.com.
    • MX queries for short, random subdomains of target domains, for example: v7f3.kb.com, sfa8.kb.com, 13fe.kb.com, d9uz.kb.com, prtj.kb.com.
    • A queries for short, random subdomains of target domains.
  • A large fraction of such queries are sent from IP addresses in China, notably addresses 183.136.225.14 and 183.136.225.45.
  • However, there are also queries that are sent from non-Chinese IP addresses, frequently open resolvers that may simply be forwarding queries that actually originated elsewhere.
    • Open resolvers are how the researchers initially detected Muddling Meerkat: the researchers' customers were unwittingly running open DNS resolvers, which received queries and forwarded them to the researchers' instrumented resolvers.
  • In some cases, the strange DNS queries got a DNS response.
    • This only happened when the responding IP address was in China.
    • The responding IP addresses in China are not actually DNS resolvers—the responses were actually injected by the GFW (or a similar system on or near the network border of China).
    • The GFW is well-known to inject false DNS responses, but these responses are different:
      • The target domains are not ones that are normally blocked by GFW DNS injection. For example, kb.com is not an ordinarily censored domain.
      • Normally when you send a query for a blocked hostname through the GFW, you get a type A response, even if the query type was not type A (for example MX). But in this case, MX queries got well-formed MX responses. MX responses contain hostnames, not IP addresses. The hostnames in MX responses are short, random subdomains of the target domain, for example pq5bo.kb.com, uff0h.kb.com, biuti.kb.com, 8jxg1x.kb.com, 8p0.kb.com.
      • Type A queries get type A responses, but the IP addresses in the type A responses are different from the ones normally used for DNS censorship. Figures 10 and 11 show multiple subdomains of kb.com resolving to the IP addresses 156.233.67.243 and 208.101.21.43 on different days.
      • The researchers were unable to reproduce response injection for Muddling Meerkat target domains on their own. The injection may be limited to specific time intervals, or may depend on unknown side-channel features of queries.
  • The unusual response injection shows that whoever is responsible for the mysterious MX and A queries is working closely with GFW operators.

Some quotes:

Muddling Meerkat operations are complex and demonstrate that the actor has a strong understanding of DNS, as well as internet savvy. To simplify this exposition, I cover only those components of the operation related to DNS MX records or MX resolution chains. In all cases, there is a registered domain, not under the control of the actor, called the target domain. I discuss three types of activity in this paper:

  • Queries for MX records of a target domain
  • Queries for MX records of random hostnames of a target domain
  • Queries for A records of random hostnames of a target domain

Queries for random hostnames of a target domain typify a Slow Drip DDoS attack; however, Muddling Meerkat queries differ from those in ExploderBot or other Slow Drip attacks. The hostnames are short. Additionally, while some Slow Drip attacks do include a range of query types, the most common type is still an A record for an IPv4 address. I have not previously seen the type of MX record activity that characterizes Muddling Meerkat. The choice of target domains is also notable, as we’ll see later in the Muddling Meerkat Target Domains section.

[The GFW] selectively injects DNS responses for certain domain names with random misleading answers. When it inserts fake packets, it always returns an IPv4 address regardless of the requested record type. Muddling Meerkat, on the other hand, serves properly formatted fake MX records from Chinese IP addresses.

I have been unable to manually trigger fake MX responses from the GFW, for Muddling Meerkat target domains or others. Perhaps the records are produced instead by the GC or in a specific Muddling Meerkat operational context. For example, the responses might be triggered by signatures within the IP packet that identify the actor. We know that ExploderBot IP packets contained multiple artifacts that could serve as a check on the source, if desired.

The only IP addresses that answered queries for A records of Muddling Meerkat domains were in Chinese IP space. These IP addresses were not open on port 53, meaning they were not DNS resolvers. In other words, these answers came from the GFW and not the authoritative servers.

These results indicate that Muddling Meerkat is conducting operations that include DNS queries to a large number of destination IP addresses, regardless of their location or open ports, and that the GFW is injecting responses to these domains on specific days with a set of IP addresses that are used over time.

Indicators of Activity (Target Domains)

Note that these domains are not indicators of compromise or necessarily malicious. Some of the domains used by Muddling Meerkat are parked, others host gambling sites and other possibly illegal content, and others are active legitimate domains. The full scope of Muddling Meerkat target domains is likely much larger.

These domains host no website, host illegal content, or are parked. They likely can be blocked without impact: 4u.com, kb.com, oao.com, od.com, boxi.com, zc.com, s8.com, f4.com, b6.com, p3z.com, ob.com, eg.com, kok.com, gogo.com, aoa.com, gogo.com, zbo6.com, id.com, mv.com, nef.com, ntl.com, tv.com, 7ee.com, gb.com, tunk.org, q29.org

These domains host websites and blocking them may negatively affect your network: ni.com, tt.com, pr.com, dec.com

IP addresses used to launch attacks:

  • 183.136.225.45
  • 183.136.225.14
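A small classifier, added here as an illustration and not part of the Infoblox report or of any comment in this thread, that labels DNS query/response records using the distinguishing features wkrp lists above: MX queries for target domains, short random subdomains, an A answer returned for a non-A query (classic GFW behaviour), and well-formed MX answers from addresses that do not listen on port 53. The record layout, the "short random label" regex and the label names are assumptions; the target domains and example hostnames come from the comment.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Target domains named in the Infoblox report (as quoted in this thread).
TARGET_DOMAINS = {"kb.com", "4u.com", "id.com", "od.com", "ntl.com", "nef.com", "boxi.com"}
# Heuristic (assumption): labels like v7f3, pq5bo, 8jxg1x are 3-6 lowercase alphanumerics.
SHORT_RANDOM_LABEL = re.compile(r"^[a-z0-9]{3,6}$")

@dataclass
class DnsEvent:                # constructed record layout, not a real log format
    qname: str                 # queried name
    qtype: str                 # requested record type ("MX", "A", ...)
    rtype: Optional[str]       # answer record type, None when no answer was seen
    rdata: Optional[str]       # MX exchange hostname or A address in the answer
    responder_open_53: bool    # does the answering IP actually listen on port 53?

def target_domain_of(name: str) -> Optional[str]:
    """Return the target domain that name equals or sits under, else None."""
    name = name.lower().rstrip(".")
    for dom in TARGET_DOMAINS:
        if name == dom or name.endswith("." + dom):
            return dom
    return None

def is_short_random_subdomain(name: Optional[str], dom: str) -> bool:
    """True when name is one short random-looking label directly under dom."""
    name = (name or "").lower().rstrip(".")
    if not name.endswith("." + dom):
        return False
    label = name[: -len(dom) - 1]
    return "." not in label and SHORT_RANDOM_LABEL.match(label) is not None

def classify(ev: DnsEvent) -> str:
    """Label a query/response pair with the features the report describes."""
    dom = target_domain_of(ev.qname)
    if dom is None:
        return "unrelated"
    if ev.rtype is None:   # query only: MX for the apex, or any random short hostname
        if ev.qtype == "MX" or is_short_random_subdomain(ev.qname, dom):
            return "muddling-meerkat-query"
        return "unrelated"
    if ev.qtype != "A" and ev.rtype == "A":   # A answer regardless of query type
        return "classic-gfw-injection"
    if ev.responder_open_53:                  # a real DNS server answered
        return "ordinary-response"
    if ev.qtype == "MX" and ev.rtype == "MX" and is_short_random_subdomain(ev.rdata, dom):
        return "muddling-meerkat-mx-injection"  # well-formed MX naming a random host
    return "injected-a-response" if ev.rtype == "A" else "unclassified-injection"
```

Run over resolver logs, the "muddling-meerkat-mx-injection" label is the one the report singles out as new; "classic-gfw-injection" covers the long-known behaviour and should be far more common.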
