The Great Firewall responds to Muddling Meerkat with a unique type of bogus DNS MX record that has never been observed before. Muddling Meerkat needs to have a connection with the GFW operators for this to occur. Although the target domain is the one used in the searches, an attack may not always be directed towards it. This is the domain where the probing attack is executed. Muddling Meerkat does not own any of these domains.

When a request matches a restricted phrase or a blacklisted domain, the GFW is reported to use a technique known as DNS spoofing and tampering to insert false DNS answers with random genuine IP addresses. Put otherwise, the GFW restricts or reroutes a user's website query in a way that keeps them from obtaining the requested content when they try to search for a prohibited term or phrase. Techniques like IP address blocking and DNS cache poisoning are used to accomplish this.

This implies that the GFW can successfully damage the cache of recursive DNS servers situated inside its borders if it detects a query to a restricted website. The sophisticated program does this by injecting a bogus DNS reply with an invalid IP address or an IP address to a different domain. The fact that fake MX record responses from Chinese IP addresses are present in Muddling Meerkat is its most notable characteristic. This behavior deviates from the GFW's typical behavior.

In line with the GFW, these resolves originate from Chinese IP addresses that do not host DNS services and provide bogus responses. But in contrast to the GFW's known behavior, correctly structured MX resource records rather than IPv4 addresses are included in Muddling Meerkat MX answers. While it's unclear exactly why the multi-year project was started, it was suggested that it might have been part of some sort of study project or internet mapping initiative.

Muddling Meerkat is a Chinese nation-state actor that practically every day conducts highly sophisticated and intentional DNS attacks against international networks; the entire extent of their activity is not visible in a single place. This is where malware differs from DNS in that it is easier to grasp once it has been found. The FBI, CISA, and other organizations are still alerting people about covert Chinese prepositioning activities. Anything that the users are unable to fully perceive or comprehend should be worrying.

Impact

• Security Bypass
• Identity Theft
• Cyber Espionage

Indicators of Compromise

IP

• 183.136.225.45
• 183.136.225.14

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Be vigilant when downloading software and double-check the URL to see if it is legitimate.
• Never download software from untrusted sources.
• Download apps only from official app stores like Google Play Store or Apple App Store. Avoid downloading apps from third-party websites or unofficial sources.
• Review the permissions requested by apps before installing them. Be cautious of apps that request unnecessary permissions or access to sensitive data.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Keep your operating system and apps up-to-date with the latest security patches and updates
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Be cautious of unsolicited messages, emails, or links, especially from unknown or suspicious sources. Avoid clicking on suspicious links or downloading attachments from untrusted sources.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Regularly backup your data to a secure location, such as a cloud storage service or external hard drive.
• Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.