Ghost in the DNS: Muddling Meerkat Evades Detection
The hacker group, dubbed Muddling Meerkat by security researchers, has been utilizing sophisticated Domain Name System (DNS) methodologies to conduct espionage activities across global networks since October 2019.
According to Infoblox, a firm specializing in cloud security, this group is likely affiliated with China and can control the so-called Great Firewall of China (GFW), which censors access to foreign websites and manipulates the country’s internet traffic.
The operations of Muddling Meerkat are described as “perplexing,” reflecting their ability to use open DNS resolvers to send requests from Chinese IP spaces. Such actions demonstrate an advanced understanding of DNS, which experts believe makes this technology a powerful tool in the hands of hackers.
Muddling Meerkat’s tactics involve initiating DNS queries for mail exchanges (MX) and other types of records to domains not owned by the attackers but within well-known top-level domains such as “.com” and “.org”. Infoblox has identified over 20 such domains, many of which are old and were registered before 2000, allowing the hackers to remain undetected and evade blocking efforts.
Additionally, experts have observed attempts to use servers in Chinese IP spaces to create DNS queries to random subdomains of IP addresses worldwide, aligning with known GFW methods that employ DNS spoofing and manipulation to insert fake DNS responses containing random real IP addresses if the request matches a banned keyword or blocked domain.
A distinctive feature of the Muddling Meerkat group is the generation of false MX records from Chinese IP addresses, deviating from typical GFW behavior. These responses originate from IP addresses that do not provide DNS services and contain falsified data.
Renée Burton, Vice President of Threat Intelligence at Infoblox, emphasizes that this method of handling DNS queries is different from standard GFW practices. The precise motives behind Muddling Meerkat’s activities remain unclear, yet there is speculation that they may be linked to internet reconnaissance or some form of mapping operations.