Eagle Eye Security Blog
Published at Apr 30, 2024 11:25 am last update at Apr 30, 2024 11:31 am

Muddling Meerkat: The Chinese Cyber Threat Mapping the Internet Globally Through DNS Hijacking

A previously unreported cyber threat known as 'Muddling Meerkat' has been conducting sophisticated domain name system (DNS) activities since October 2019, in what appears to be an attempt to evade security measures and conduct global network reconnaissance.

Cloud security company Infoblox has identified this threat actor as likely being affiliated with the People's Republic of China (PRC), with the capability to control the Great Firewall (GFW). The GFW is known for its censorship of foreign websites and manipulation of internet traffic to and from China.

The operations of Muddling Meerkat involve triggering DNS queries for mail exchange (MX) and other record types to domains not owned by the actor, but which reside under well-known top-level domains such as .com and .org. Infoblox discovered this threat actor through anomalous DNS MX record requests sent to its recursive resolvers by customer devices.

According to Dr. Renée Burton, vice president of threat intelligence for Infoblox, "Muddling Meerkat elicits a special kind of fake DNS MX record from the Great Firewall which has never been seen before. For this to happen, Muddling Meerkat must have a relationship with the GFW operators."


The GFW is known to use DNS spoofing and tampering to inject fake DNS responses containing random real IP addresses when a request matches a banned keyword or a blocked domain. This technique effectively corrupts the cache of recursive DNS servers located within China's borders.

However, Muddling Meerkat's operations differ from the standard behavior of the GFW. "The most remarkable feature of Muddling Meerkat is the presence of false MX record responses from Chinese IP addresses," Burton said. "These resolutions are sourced from Chinese IP addresses that do not host DNS services and contain false answers, consistent with the GFW."
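A defender-side illustration of the two signals described above, written for this post as an added example (not Infoblox's code or tooling): it scans constructed resolver log records for MX lookups to domains the organisation does not own, repeated such lookups from a single client, and answers that arrive from a server other than the domain's expected authoritative nameservers. All addresses, domains, thresholds and the log format are assumptions.

```python
from collections import Counter

# Constructed resolver log records (not from the original post). Each tuple is
# (client_ip, qname, qtype, answering_server_ip, answer); all values assumed.
SAMPLE_LOG = [
    ("10.0.0.5", "example-corp.com", "MX", "192.0.2.10", "mail.example-corp.com"),
    ("10.0.0.7", "kb.com", "MX", "198.51.100.7", "mx.kb.com"),
    ("10.0.0.7", "zc.com", "MX", "203.0.113.99", "mail.zc.com"),
    ("10.0.0.7", "s8.com", "MX", "203.0.113.101", "mx1.s8.com"),
    ("10.0.0.9", "example-corp.com", "A", "192.0.2.10", "192.0.2.25"),
]

# Domains the organisation legitimately sends mail for, and the authoritative
# nameserver addresses expected to answer for a domain (assumed values).
ORG_DOMAINS = {"example-corp.com"}
EXPECTED_NS = {
    "example-corp.com": {"192.0.2.10"},
    "kb.com": {"198.51.100.7"},
    "zc.com": {"203.0.113.50"},
}


def find_anomalies(records, org_domains=ORG_DOMAINS, expected_ns=EXPECTED_NS, burst=2):
    """Return a list of (reason, detail) findings over resolver log records.

    - 'unexpected_mx':   MX lookup for a domain the organisation does not own.
    - 'off_path_answer': the answering server is not an expected authoritative
                         server for that domain (the injected-response pattern).
    - 'mx_burst':        one client issued >= `burst` non-org MX lookups.
    """
    findings = []
    per_client = Counter()
    for client, qname, qtype, server, _answer in records:
        if qtype == "MX" and qname not in org_domains:
            findings.append(("unexpected_mx", f"{client} -> {qname}"))
            per_client[client] += 1
        known = expected_ns.get(qname)
        if known is not None and server not in known:
            findings.append(("off_path_answer", f"{qname} answered by {server}"))
    for client, n in per_client.items():
        if n >= burst:
            findings.append(("mx_burst", f"{client} made {n} MX lookups to non-org domains"))
    return findings


if __name__ == "__main__":
    for reason, detail in find_anomalies(SAMPLE_LOG):
        print(f"{reason}: {detail}")
```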

Infoblox said it detected over 20 such domains, among them: 4u[.]com, kb[.]com, oao[.]com, od[.]com, boxi[.]com, zc[.]com, s8[.]com, f4[.]com, b6[.]com, p3z[.]com, ob[.]com, eg[.]com, kok[.]com, gogo[.]com, aoa[.]com, zbo6[.]com, id[.]com, mv[.]com, nef[.]com, ntl[.]com, tv[.]com, 7ee[.]com, gb[.]com, tunk[.]org, q29[.]org, ni[.]com, tt[.]com, pr[.]com, and dec[.]com.

The exact motive behind these multi-year activities remains unclear, although it is suggested that it may be part of an internet mapping effort or some form of research. Burton warns, "We should be worried about anything we can't fully see or understand."