Kaspersky Lab specialists said at a webinar that back in May of this year the Iranian hacker group OilRig (APT34) became the first known APT to adopt the DNS-over-HTTPS (DoH) protocol, which it uses for lateral movement and data theft.
According to the company's expert Vicente Diaz, the attackers rely on an open source utility, DNSExfiltrator, which can transfer data between two points using both classic DNS queries and the newer DoH protocol.
APT34 uses the tool to move data laterally across internal networks and to steal information. DoH is evidently chosen to avoid detection while the data is in transit: it is currently a near-ideal channel for moving information out. First, it is a new protocol that not all security products can yet monitor. Second, DoH traffic is encrypted by default, unlike regular DNS.
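As an added defender-side example (not code from Kaspersky's report or from the DNSExfiltrator project), the Python below scans constructed web-proxy log lines for DoH requests by their RFC 8484 markers and, where the GET form exposes the query, decodes the queried name to flag long, high-entropy labels of the kind DNS tunneling tools produce. The log layout, the thresholds and all sample values are assumptions made for the example.

```python
import base64
import math
from collections import Counter
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"   # RFC 8484 media type for DoH

def build_doh_get_path(qname):  # GET form of a DoH request (RFC 8484), used to build sample log lines
    header = b"\xbe\xef\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # ID, flags=RD, QDCOUNT=1
    wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = header + wire + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def qname_from_doh_path(path):  # queried name from a DoH GET path; None if the query is not visible
    dns = parse_qs(urlsplit(path).query).get("dns")
    if not dns:
        return None
    msg = base64.urlsafe_b64decode(dns[0] + "=" * (-len(dns[0]) % 4))
    labels, pos = [], 12                       # skip the 12-byte DNS header
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)

def entropy(s):  # Shannon entropy in bits per character
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def classify(line):
    """Verdict for one log line: normal, doh, or doh-suspicious-label."""
    _client, _method, _host, path, ctype = line.split()
    if ctype != DOH_MEDIA_TYPE and not path.startswith("/dns-query"):
        return "normal"
    qname = qname_from_doh_path(path)
    if qname is None:
        return "doh"                           # POST form: body not logged, protocol use still is
    first = qname.split(".")[0]                # payload-bearing label in DNS tunneling tools
    if len(first) >= 30 and entropy(first) > 3.5:
        return "doh-suspicious-label"
    return "doh"

TUNNEL_LABEL = "kq3z8bxm2v7tn9pw4yc6hd5jr1lf0gsa"   # constructed high-entropy payload label
PROXY_LOG = [  # constructed proxy log lines: client method host path content-type
    "10.0.0.5 GET www.example.org /index.html text/html",
    "10.0.0.7 POST 1.1.1.1 /dns-query application/dns-message",
    "10.0.0.8 GET 1.1.1.1 " + build_doh_get_path("www.example.org") + " application/dns-message",
    "10.0.0.9 GET 1.1.1.1 " + build_doh_get_path(TUNNEL_LABEL + ".exfil.example") + " application/dns-message",
]

def scan(lines=PROXY_LOG):  # (client, verdict) for every line that involves DoH
    return [(l.split()[0], classify(l)) for l in lines if classify(l) != "normal"]
```

Where a proxy only logs the TLS SNI rather than HTTP fields, the same idea reduces to matching destination hosts against a list of public DoH resolvers.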
The researchers note that it is not surprising that OilRig has adopted DoH: the group has historically specialized in data theft over DNS. For example, before DNSExfiltrator the attackers used a tool called DNSpionage for the same purpose (since at least 2018).
Although OilRig is the first APT to adopt DoH, lower-tier attackers had already abused the new protocol. For example, it was used by the Godlua malware that researchers discovered last year.