Muddling Meerkat APT

A previously undisclosed threat actor named Muddling Meerkat has been conducting sophisticated Domain Name System (DNS) operations since October 2019, most likely to evade security controls and gather intelligence about networks worldwide.

Researchers believe the threat is linked to the People's Republic of China (PRC) and suspect the actor has control over the Great Firewall (GFW), which is used to censor foreign websites and manipulate internet traffic.

The group's name reflects the complex and confusing nature of its operations, which include abusing open DNS resolvers (servers that accept queries from any IP address) to send requests from Chinese IP addresses.

Cybercriminals Display Unusual Characteristics When Compared to Other Hacker Groups

Muddling Meerkat demonstrates a sophisticated understanding of DNS that is uncommon among threat actors today, a clear reminder that DNS is a powerful tool in adversaries' hands. More specifically, the activity involves triggering DNS queries for mail exchange (MX) and other record types to domains the actor does not own but that sit under well-known top-level domains such as .com and .org.

Researchers who recorded the requests that customer devices sent to their recursive resolvers report detecting more than 20 such domains, for example:

4u[.]com, kb[.]com, oao[.]com, od[.]com, boxi[.]com, zc[.]com, f4[.]com, b6[.]com, p3z[.]com, ob[.]com, eg[.]com, kok[.]com, gogo[.]com, aoa[.]com, id[.]com, mv[.]com, nef[.]com, ntl[.]com, tv[.]com, 7ee[.]com, gb[.]com, q29[.]org, ni[.]com, tt[.]com, pr[.]com, dec[.]com

Muddling Meerkat elicits a particular kind of fake DNS MX record from the Great Firewall that had not been observed before; for that to happen, the actor must have some relationship with the GFW's operators. The "target domains" here are simply the domains named in the queries, not necessarily the target of an attack: they are the domains used to carry out the probing, and Muddling Meerkat does not own them.

How Does the Great Firewall of China Operate?

The Great Firewall (GFW) uses DNS spoofing and tampering techniques to manipulate DNS responses. When a user's request matches a banned keyword or domain, the GFW injects fake DNS responses containing random real IP addresses.

In simpler terms, if a user tries to access a blocked keyword or domain, the GFW intervenes to prevent access by either blocking or redirecting the query. This interference is achieved through methods like DNS cache poisoning or IP address blocking.

In practice, the GFW detects queries for blocked sites and answers with fake DNS replies carrying invalid IP addresses or addresses that belong to unrelated domains, which effectively poisons the caches of recursive DNS servers within its reach.

The Muddling Meerkat is Likely a Chinese Nation-State Threat Actor

The standout characteristic of Muddling Meerkat is its use of false MX record responses originating from Chinese IP addresses, a departure from the typical Great Firewall (GFW) behavior.

These responses come from Chinese IP addresses that do not typically host DNS services and contain inaccurate information consistent with GFW practices. However, unlike the GFW's known methods, Muddling Meerkat's responses include properly formatted MX resource records instead of IPv4 addresses.
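The distinguishing signal described above is a response that arrives from an address the resolver never queried and that carries a well-formed MX record rather than the GFW's usual injected IPv4 address. The following is an added illustration, not code from the article or from any researcher's tooling; it runs over constructed resolver transactions (the domains are taken from the list above, the IPs are RFC 5737 documentation addresses and the MX targets are made up) and flags injected MX answers and the addresses that sent them.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DnsTxn:
    """One resolver transaction: where the query went and who answered."""
    qname: str
    qtype: str
    sent_to: str      # nameserver the recursive resolver queried
    answered_by: str  # source IP of the response that actually arrived
    rdata: str


# Constructed sample transactions (not real observations). The IPs are
# RFC 5737 documentation addresses; the MX hostnames are invented.
SAMPLE = [
    DnsTxn("example.com", "MX", "192.0.2.53", "192.0.2.53", "10 mail.example.com."),
    DnsTxn("kb.com", "MX", "192.0.2.53", "198.51.100.7", "10 mx.kb.com."),
    DnsTxn("kb.com", "A", "192.0.2.53", "198.51.100.7", "203.0.113.9"),
    DnsTxn("od.com", "MX", "192.0.2.54", "198.51.100.8", "20 mail.od.com."),
    DnsTxn("od.com", "MX", "192.0.2.54", "192.0.2.54", "20 mail.od.com."),
]


def is_mx_rdata(rdata: str) -> bool:
    """True for '<preference> <hostname.>' as a proper MX record looks."""
    parts = rdata.split()
    return len(parts) == 2 and parts[0].isdigit() and parts[1].endswith(".")


def injected_responses(txns):
    """Responses whose source IP is not the server the query was sent to."""
    return [t for t in txns if t.answered_by != t.sent_to]


def suspicious_mx(txns):
    """Injected responses that carry a well-formed MX record: the pattern the
    article attributes to Muddling Meerkat, as opposed to the plain GFW
    behaviour of injecting IPv4 answers."""
    return [t for t in injected_responses(txns)
            if t.qtype == "MX" and is_mx_rdata(t.rdata)]


def injector_ips(txns):
    """Count injected responses per source IP, for blocklisting or pivoting."""
    counts = defaultdict(int)
    for t in injected_responses(txns):
        counts[t.answered_by] += 1
    return dict(counts)
```

On the constructed sample, the two `kb.com`/`od.com` answers from unqueried addresses are reported as suspicious MX injections, while the legitimate `example.com` and second `od.com` answers are not.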

The precise purpose behind this ongoing activity spanning multiple years remains unclear, though it suggests potential involvement in internet mapping or related research.

Muddling Meerkat, attributed to a Chinese state actor, conducts deliberate and sophisticated DNS operations against global networks nearly every day, with activity spanning many locations.

Malware is easier to understand and detect than DNS activity of this kind. Researchers recognize that something is happening, but a complete understanding still eludes them. CISA, the FBI and other agencies continue to warn about undetected Chinese operations.
