Speaking in a webinar last week, Vincente Diaz, a malware analyst for antivirus maker Kaspersky, said the change happened in May this year when Oilrig added a new tool to its hacking arsenal.
According to Diaz, Oilrig operators began using a new utility called DNSExfiltrator as part of their intrusions into hacked networks.
DNSExfiltrator is an open-source project available on GitHub that creates covert communication channels by funneling data and hiding it inside non-standard protocols.
As its name hints, the tool can transfer data between two points using classic DNS requests, but it can also use the newer DoH protocol.
Diaz said Oilrig, also known as APT34, has been using DNSExfiltrator to move data laterally across internal networks, and then exfiltrate it to an outside point.
Oilrig is most likely using DoH as an exfiltration channel to avoid having its activities detected or monitored while moving stolen data.
This is because the DoH protocol is currently an ideal exfiltration channel for two primary reasons. First, it's a new protocol that not all security products are capable of monitoring. Second, it's encrypted by default, while DNS is cleartext.
Oilrig has a history with DNS exfiltration channels
The fact that Oilrig was one of the first APTs (Advanced Persistent Threats -- a term used to describe government-backed hacking groups) to deploy DoH is also not a surprise.
Historically, the group has dabbled with DNS-based exfiltration techniques. Before adopting the open-source DNSExfiltrator toolkit in May, the group had been using a custom-built tool named DNSpionage since at least 2018, per reports by Talos, NSFOCUS, and Palo Alto Networks.
In the May campaign, Kaspersky said Oilrig exfiltrated data via DoH to COVID-19-related domains.
During the same month, Reuters independently reported about a spear-phishing campaign orchestrated by unidentified Iranian hackers, who targeted the staff pharma giant Gilead, which at the time announced it began working on a treatment for the COVID-19 virus. It is, however, unclear if these are the same incidents.
Previous reporting has linked most Iranian APTs as working as members or working as contractors for the Islamic Revolutionary Guard Corps, Iran's top military entity.
But while Oilrig is the first publicly reported APT to use DoH, it is now the first malware operation to do so, in general. Godlua, a Lua-based Linux malware strain was the first to deploy DoH as part of its DDoS botnet in July 2019, according to a report from Netlab, a network threat hunting unit of Chinese cyber-security giant Qihoo 360.