Muddling Meerkat – Threat Actor

June 26, 2024
in Threat Actors

Muddling Meerkat

Location

China

Date of initial activity

2019

Suspected attribution

State-sponsored threat group

Government Affiliation

People’s Republic of China (PRC)

Motivation

The motivation for these operations is unclear. Muddling Meerkat might be mapping networks and assessing their DNS security to plan future attacks. Alternatively, their goal could be to generate DNS "noise," which helps conceal more malicious activities and confuses administrators attempting to identify the source of unusual DNS requests.

Active

Yes

Overview

Muddling Meerkat is a newly identified cluster, believed to be a People’s Republic of China (PRC) nation-state actor. This group conducts active operations via DNS by generating large volumes of widely distributed queries, which are then propagated through the internet using open DNS resolvers. Their operations are closely linked with two major topics associated with China and Chinese actors: the Chinese Great Firewall (GFW) and Slow Drip, or random prefix, distributed denial-of-service (DDoS) attacks. At first glance, Muddling Meerkat’s activities resemble DNS DDoS attacks; however, it appears unlikely that their immediate goal is to cause a denial of service. Their operations are long-running, reportedly beginning in October 2019, with a notable increase in activity observed in September 2023, and exhibit a high level of expertise in DNS. Every aspect of Muddling Meerkat’s operations reflects sophistication and a profound understanding of DNS. The activities include behaviors not previously reported for the GFW, suggesting a connection to Chinese nation-state actors. While some aspects of their operations resemble Slow Drip attacks, the exact motivation and objectives of Muddling Meerkat remain unclear. Researchers’ major findings regarding Muddling Meerkat’s operations include:
  • Using servers in Chinese IP space to conduct campaigns by making DNS queries for random subdomains to a wide array of IP addresses, including open resolvers.
  • Inducing responses from the GFW that are not observed under normal circumstances.
  • Incorporating false MX records from random Chinese IP addresses, a type of deception not previously reported for either the GFW or GC.
  • Triggering MX record queries, along with other record types, for short random hostnames of a set of domains outside the actor’s control in the .com and .org top-level domains (TLDs) from devices distributed worldwide, likely using open resolvers.
  • Using “super-aged” domains, typically registered before the year 2000, to avoid DNS blocklists and blend in with old malware.
  • Selecting domains for abuse based on their length and age rather than their current status and ownership; while many of these domains are abandoned or repurposed for questionable use, others are actively used by legitimate entities.
  • Conducting campaigns lasting one to three days, similar to ExploderBot (detailed below), on a fairly continuous basis.
  • Avoiding large-scale spoofing of source IP addresses, instead initiating DNS queries from dedicated servers.
  • Limiting the size of their operations to avoid detection and service disruptions like those caused by ExploderBot.
  • Possibly conducting operations in discrete components, creating different DNS patterns over time.

Common targets

Networks worldwide

Attack Vectors

Slow Drip, or random prefix, DNS DDoS attack

How they operate

By analyzing massive volumes of DNS data, Infoblox researchers uncovered activity they say could easily fly under the radar or be mistaken for benign behavior. DNS is a crucial component of the internet, translating human-readable domain names into the IP addresses that computers use to identify each other on the network and establish connections. Muddling Meerkat manipulates DNS queries and responses by exploiting the mechanism through which resolvers return IP addresses. For instance, it can provoke false MX record responses from the Great Firewall (GFW) that interfere with mail routing and could potentially misdirect email. The GFW normally filters and blocks content by intercepting DNS queries and providing invalid responses that redirect users away from certain sites; Muddling Meerkat’s activity causes the GFW to issue fake responses that serve the actor’s own objectives, such as testing the resilience and behavior of other networks. To further obscure its activity, Muddling Meerkat makes DNS requests for random subdomains of its target domains, which usually do not exist. Although this resembles the attack known as “Slow Drip DDoS,” Infoblox notes that in Muddling Meerkat’s case the queries are small in scale and aimed at testing rather than disruption. The threat actor also uses open resolvers to obscure its activity and interacts with both authoritative and recursive resolvers. Infoblox reports that Muddling Meerkat selects target domains with short names registered before 2000, making them less likely to appear on DNS blocklists.

Recommendations

  • Actively seek out and eliminate open resolvers in your networks. Identifying these devices can be challenging, but companies like Infoblox and organizations like the Shadowserver Foundation can provide critical information to assist in this task.
  • Do not use domains that you do not own for Active Directory or DNS search domains. This practice is highly likely to leak information about your network and user applications to the authoritative name server and other appliances outside your control, and such information can enable bad actors to perform passive reconnaissance of your network for targeted attacks.
  • Incorporate DNS detection and response (DNSDR) into your security stack. Only a DNS resolver can effectively manage the threats inherent in DNS; most security products will not even distinguish between an MX query and an A record query.
  • Report Muddling Meerkat activity to the community. Since it is impossible to observe the entire scope of this threat from any one vantage point, crowdsourcing an understanding is crucial, and reporting additional Muddling Meerkat domains will help others identify open resolvers and related activity within their networks.

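The query pattern described in the findings list under Overview and in How they operate (random subdomains of short, old .com/.org domains, MX queries mixed with other record types, false MX answers for names that should not exist) together with the DNSDR recommendation above (treat an MX query differently from an A query) can be turned into a first-pass detector over resolver query logs. The Python script below is an added example written for this page; it is not Infoblox tooling and nothing in the report describes it. It assumes a constructed six-field log line format and uses constructed client and answer addresses from the documentation ranges; the randomness heuristic, the three-name threshold and the two-label base-domain split are simplifications flagged in the comments.

```python
"""Added example (not from the Infoblox report or CyberMaterial): flag
Muddling-Meerkat-style DNS patterns in resolver query logs.

Signals taken from the threat actor profile:
  * bursts of queries for random-looking subdomains of one base domain
    from a single client (the Slow Drip / random-prefix pattern);
  * MX queries counted separately from A queries;
  * a positive MX answer for a random subdomain that should not exist,
    the shape an injected false MX record would take.
The log line format and every address below are constructed for the
example; adapt parse_line() to your resolver's real query-log format.
"""
import math
from collections import Counter, defaultdict
from typing import NamedTuple

# Constructed format: "<timestamp> <client_ip> <qname> <qtype> <rcode> <answer|->"
SAMPLE_LOG = """\
2024-06-20T10:00:01Z 203.0.113.10 a7xq.oldname.com MX NOERROR 198.51.100.7
2024-06-20T10:00:02Z 203.0.113.10 zk3pw.oldname.com A NXDOMAIN -
2024-06-20T10:00:03Z 203.0.113.10 q9rt.oldname.com MX NXDOMAIN -
2024-06-20T10:00:04Z 203.0.113.10 hb2m.oldname.com TXT NXDOMAIN -
2024-06-20T10:00:05Z 192.0.2.44 www.oldname.com A NOERROR 192.0.2.80
2024-06-20T10:00:06Z 192.0.2.44 mail.oldname.com MX NOERROR mail.oldname.com
2024-06-20T10:00:07Z 192.0.2.45 www.example.org A NOERROR 192.0.2.81
"""

# Short, high-entropy labels that are nevertheless ordinary hostnames.
COMMON_LABELS = {"www", "mail", "mx", "smtp", "ns1", "ns2", "ftp", "api", "vpn"}


class Query(NamedTuple):
    ts: str
    client: str
    qname: str
    qtype: str
    rcode: str
    answer: str


def parse_line(line: str) -> Query:
    """Parse one constructed log line; replace for a real resolver log format."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"unexpected log line: {line!r}")
    return Query(*parts)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label: str) -> bool:
    """Heuristic: a label of four or more mostly distinct characters that is
    not a common hostname. Swap in a dictionary or n-gram check for production."""
    label = label.lower()
    return (len(label) >= 4 and label not in COMMON_LABELS
            and shannon_entropy(label) >= 2.0)


def split_name(qname: str):
    """Return (leftmost_label, base_domain). Assumes a two-label base such as
    example.com; use a public-suffix list for real data."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def analyze(lines, min_random_names: int = 3) -> dict:
    """Summarise random-prefix bursts, MX query volume and suspicious MX answers."""
    random_by_target = defaultdict(set)   # (client, base_domain) -> random labels
    mx_queries = Counter()                # base_domain -> number of MX queries
    injected_mx = []                      # positive MX answers for random names
    for line in lines:
        if not line.strip():
            continue
        q = parse_line(line)
        label, base = split_name(q.qname)
        if q.qtype == "MX":
            mx_queries[base] += 1
        if not looks_random(label):
            continue
        random_by_target[(q.client, base)].add(label)
        if q.qtype == "MX" and q.rcode == "NOERROR" and q.answer != "-":
            injected_mx.append(q)
    slow_drip = {key: sorted(labels) for key, labels in random_by_target.items()
                 if len(labels) >= min_random_names}
    return {"slow_drip": slow_drip, "mx_queries": dict(mx_queries),
            "injected_mx": injected_mx}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for (client, base), labels in report["slow_drip"].items():
        print(f"random-prefix burst: {client} -> {base} ({len(labels)} names)")
    for base, n in report["mx_queries"].items():
        print(f"MX queries for {base}: {n}")
    for q in report["injected_mx"]:
        print(f"positive MX answer for nonexistent {q.qname}: {q.answer}")
```

On the constructed sample the script reports one random-prefix burst from 203.0.113.10 against oldname.com, three MX queries for that domain, and one positive MX answer for a name that should have returned NXDOMAIN. Run over a real log, a burst that reaches your authoritative servers by way of one of your own resolvers is the signal that the resolver is open to the internet, which is the first recommendation above; the `min_random_names` threshold and the randomness heuristic are the two knobs to tune against your own baseline.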
References:
  • A Cunning Operator: Muddling Meerkat and China’s Great Firewall
  • Muddling Meerkat: The Great Firewall Manipulator

Tags: China, DDoS, DNS, ExploderBot, Firewall, Infoblox, Muddling Meerkat, Network, People’s Republic of China, Slow Drip, Threat Actors
    © 2025 | CyberMaterial | All rights reserved