Oilrig (APT34) has become the first publicly known group to use the DNS-over-HTTPS (DoH) protocol as a Command and Control (C2) channel for its malware. According to Vicente Diaz of Kaspersky, the Iranian group was first observed using the protocol in May of 2020. The threat group modified the open-source project DNSExfiltrator, which works as a funnel for transferring data through protocols, such as DNS, that are not normally used to carry arbitrary data. Not only is DNSExfiltrator being used to move data, it also helps the transfers stay unnoticed while they are being carried out. It is believed that Oilrig used this method back in May to relay data in COVID-19 related attacks. All in all, it comes as no surprise that DoH is being adopted by attackers: it is encrypted by default, and not all security defenses are able to detect it.
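Two defender-side checks that follow from the paragraph above, as an added example that is not code from the original post, from Kaspersky, or from the DNSExfiltrator project: a tunnelling heuristic over query names a resolver can see, and an egress check that recognises DoH requests by well-known resolver hosts, the RFC 8484 /dns-query path, or the application/dns-message media type, since DoH hides the query names from the first check. The thresholds, the host list and every sample record are assumptions or constructed data.

```python
import math
from collections import Counter

# Assumed, publicly documented DoH endpoints; extend with your own allow/deny list.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_like_dns_tunnel(qname: str, max_label=40, min_entropy=3.5) -> bool:
    """Flag names whose subdomain part looks like encoded data: an unusually
    long label or high per-character entropy. Thresholds are assumptions."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])  # everything left of the registered domain
    longest = max(len(label) for label in labels)
    return longest >= max_label or shannon_entropy(subdomain) >= min_entropy

def is_doh_request(host: str, path: str, content_type: str) -> bool:
    """Flag an HTTPS request as DoH even when the resolver host is unknown."""
    return (host in KNOWN_DOH_HOSTS
            or path.split("?")[0].endswith("/dns-query")
            or content_type == "application/dns-message")

# Constructed sample queries: ordinary names beside one whose 48-character hex
# label stands in for an encoded data chunk (each hex digit appears 3 times).
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "3f9a1c7e0b5d2846e1b7c05a3f92d8647a4e0c3b9f1d5862.c2.example.net",
]
# Constructed proxy records: (host, path, request content type).
SAMPLE_PROXY = [
    ("www.example.com", "/index.html", "text/html"),
    ("dns.google", "/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB", ""),
    ("resolver.internal.example", "/dns-query", "application/dns-message"),
]

def scan():
    """Return (suspected tunnelling names, hosts receiving DoH requests)."""
    tunnels = [q for q in SAMPLE_QUERIES if looks_like_dns_tunnel(q)]
    doh = [h for h, p, c in SAMPLE_PROXY if is_doh_request(h, p, c)]
    return tunnels, doh

if __name__ == "__main__":
    suspects, doh_hosts = scan()
    print("possible DNS tunnelling:", suspects)
    print("DoH requests seen at egress:", doh_hosts)
```

The first check only works where query names are visible (an internal resolver or decrypted traffic); the second is what remains once the malware has moved to DoH.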
By Anthony Zampino
Introduction
Leading up to the most recent Russian invasion of Ukraine in