A newly discovered phishing-as-a-service (PhaaS) operation, dubbed Morphing Meerkat, uses DNS over HTTPS (DoH) so that its DNS lookups travel inside ordinary HTTPS sessions to public resolvers rather than through the victim's configured DNS server. Those queries never show up in port-53 traffic or in the enterprise resolver's logs, which is where most DNS-based detection lives; all a defender sees is an outbound TLS connection on port 443.
➡️ Source: BleepingComputer
You Should Know: How to Detect & Mitigate DoH-Based Phishing
1. Detecting DoH Traffic
DoH rides on TCP/443 like any other HTTPS traffic, so DNS monitoring that watches port 53 or the resolver's query log never sees it. The query itself is encrypted; what remains visible on the wire is the destination IP, the TLS Server Name Indication (SNI) in the ClientHello, and the TLS fingerprint. Use these methods:
Linux (Using tshark)
tshark -i eth0 -Y 'tls.handshake.type == 1 && tls.handshake.extensions_server_name contains "dns"' -T fields -e ip.src -e ip.dst -e tls.handshake.extensions_server_name
This prints the client, the server and the SNI of every TLS ClientHello whose server name contains "dns". A filter on http.host would match nothing here, because the HTTP layer (Host header, the /dns-query path) is inside the encrypted session. Tune the match to the resolver names you care about (cloudflare-dns.com, dns.google) and keep in mind that a client using Encrypted Client Hello hides the SNI as well, leaving only the destination address.
Windows (PowerShell)
Get-NetTCPConnection -State Established -RemotePort 443 | Select-Object LocalAddress, RemoteAddress, OwningProcess, @{n='Process';e={(Get-Process -Id $_.OwningProcess).ProcessName}}
The connection table shows IP addresses, not hostnames, so compare the RemoteAddress column against the well-known resolver addresses (1.1.1.1 and 1.0.0.1 for Cloudflare, 8.8.8.8 and 8.8.4.4 for Google) rather than looking for names like `cloudflare-dns.com` or dns.google. The owning process matters too: a browser or a script engine holding a 443 session to one of those addresses is a DoH session, since nothing else is served there on that port.
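To see what the encrypted session actually carries, and what a TLS-inspecting proxy can match on once it can read the payload, here is an added example (written for this page, not code from the original post or from the Morphing Meerkat kit) that builds an RFC 8484 DoH GET request by hand and decodes one back. The resolver names are the two public resolvers the post mentions; the query name example.com and the request headers are constructed inputs, and the "/dns-query" path is the conventional one, not something RFC 8484 mandates.

```python
import base64
import struct

# Public DoH resolvers discussed on this page; both expose the conventional
# /dns-query path (an assumption for any other resolver you add here).
DOH_ENDPOINTS = {
    "cloudflare-dns.com": "/dns-query",
    "dns.google": "/dns-query",
}
QTYPES = {"A": 1, "MX": 15, "TXT": 16, "AAAA": 28}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}


def build_dns_query(qname, qtype="A", txid=0):
    """Minimal RFC 1035 wire-format query: 12-byte header plus one question.
    RFC 8484 recommends txid 0 so identical queries yield identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + name + struct.pack("!HH", QTYPES[qtype], 1)  # QCLASS IN


def doh_get_url(resolver, qname, qtype="A"):
    """RFC 8484 GET form: the wire query, base64url-encoded with '=' padding removed."""
    wire = build_dns_query(qname, qtype)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return "https://%s%s?dns=%s" % (resolver, DOH_ENDPOINTS[resolver], b64)


def parse_dns_param(dns_param):
    """Decode a ?dns= value back to (qname, qtype): the work an inspecting proxy
    must do to learn which name the client is resolving."""
    wire = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
    qdcount = struct.unpack("!H", wire[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    pos, labels = 12, []
    while wire[pos] != 0:  # length-prefixed labels up to the zero terminator
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype_num = struct.unpack("!H", wire[pos + 1:pos + 3])[0]
    return ".".join(labels), QTYPE_NAMES.get(qtype_num, str(qtype_num))


def is_doh_request(path, headers):
    """Proxy-side check after TLS termination: the conventional path or the
    RFC 8484 media type marks a request as DoH regardless of the host name."""
    media = (headers.get("accept", "") + " " + headers.get("content-type", "")).lower()
    return path.split("?", 1)[0] == "/dns-query" or "application/dns-message" in media


if __name__ == "__main__":
    url = doh_get_url("cloudflare-dns.com", "example.com", "MX")
    print(url)
    print(parse_dns_param(url.split("dns=", 1)[1]))
```

Everything after the host name in that URL is inside the TLS session, which is why the tshark and firewall steps above can only key on the SNI and the resolver address; the path and media-type check in is_doh_request is only usable where a TLS-terminating proxy sits in the path.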
2. Blocking Known PhaaS DoH Providers
Add firewall rules that block HTTPS to the public resolvers the campaign relies on. Restrict the rules to TCP/443 so that classic DNS to the same addresses on port 53 keeps working where it is wanted, and extend the list to the secondary addresses (1.0.0.1, 8.8.4.4) and any other resolver you observe; this is a partial control, since the kit can be pointed at any DoH server.
Linux (iptables)
sudo iptables -A OUTPUT -p tcp --dport 443 -d 1.1.1.1 -j DROP   # Cloudflare DoH
sudo iptables -A OUTPUT -p tcp --dport 443 -d 8.8.8.8 -j DROP   # Google DoH
Windows (Firewall Rule via PowerShell)
New-NetFirewallRule -DisplayName "Block Cloudflare DoH" -Direction Outbound -Protocol TCP -RemoteAddress 1.1.1.1 -RemotePort 443 -Action Block
New-NetFirewallRule -DisplayName "Block Google DoH" -Direction Outbound -Protocol TCP -RemoteAddress 8.8.8.8 -RemotePort 443 -Action Block
3. Monitoring for Malicious DoH Activity
Zeek (formerly Bro) ships no DoH detector script, so there is nothing to @load for it; what it does give you out of the box is ssl.log, whose server_name column holds the TLS SNI of every HTTPS session. Run it on the interface and, from another shell, filter that log for the public DoH resolvers:
sudo zeek -i eth0 -C local
zeek-cut ts id.orig_h id.resp_h server_name < ssl.log | grep -Ei 'dns\.google|cloudflare-dns\.com'
When started with -i, Zeek writes its logs into the current working directory (the `/usr/local/zeek/logs/` tree belongs to zeekctl deployments). A session with no SNI, or one using Encrypted Client Hello, leaves server_name empty, so also review conn.log for TCP/443 sessions to 1.1.1.1, 1.0.0.1, 8.8.8.8 and 8.8.4.4.
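As an added example (not part of the original post or of Zeek's own scripts), the detection logic above over Zeek output: the two log excerpts are constructed to look like ssl.log and conn.log in Zeek's TSV format with a #fields header, the IP addresses and timestamps in them are made up, and the resolver host and address lists are assumptions you would replace with your own intelligence. It flags a session either by resolver SNI or, where the SNI is absent, by a TCP/443 session to a known resolver address, and it deliberately leaves classic port-53 DNS alone.

```python
# Constructed Zeek log excerpts (not real captures). Real logs carry more
# columns plus #separator/#types headers; the #fields line is what gets parsed.
SSL_LOG = (
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\n"
    "1711500000.1\t10.0.0.12\t51234\t104.16.248.249\t443\tcloudflare-dns.com\n"
    "1711500001.2\t10.0.0.12\t51240\t93.184.216.34\t443\twww.example.com\n"
    "1711500002.3\t10.0.0.25\t49100\t8.8.8.8\t443\tdns.google\n"
    "1711500003.4\t10.0.0.30\t49200\t1.1.1.1\t443\t-\n"  # no SNI (ECH or bare-IP client)
)
CONN_LOG = (
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1711500003.4\t10.0.0.30\t49200\t1.1.1.1\t443\ttcp\tssl\n"
    "1711500004.5\t10.0.0.30\t49201\t1.1.1.1\t53\tudp\tdns\n"  # classic DNS, not DoH
    "1711500005.6\t10.0.0.31\t49300\t93.184.216.34\t443\ttcp\tssl\n"
)

# Assumed watch lists: well-known DoH host names and resolver addresses.
DOH_SNI = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google"}
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}


def parse_zeek(text):
    """Turn a Zeek TSV log into dicts keyed by the names in its #fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_doh(ssl_text, conn_text):
    """Two independent signals: a known DoH resolver name in the SNI (ssl.log),
    and any TCP/443 session to a known resolver address (conn.log), which also
    catches sessions whose SNI is missing. Returns (client, server, reason)."""
    findings = []
    for r in parse_zeek(ssl_text):
        if r["server_name"] in DOH_SNI:
            findings.append((r["id.orig_h"], r["id.resp_h"], "sni:" + r["server_name"]))
    for r in parse_zeek(conn_text):
        if r["proto"] == "tcp" and r["id.resp_p"] == "443" and r["id.resp_h"] in DOH_IPS:
            findings.append((r["id.orig_h"], r["id.resp_h"], "resolver-ip:443"))
    return findings


if __name__ == "__main__":
    for client, server, reason in find_doh(SSL_LOG, CONN_LOG):
        print("%s -> %s  %s" % (client, server, reason))
```

Against real logs, feed the files in instead of the constants and enrich each hit with the owning host's inventory: a server that never browses but opens DoH sessions is a stronger signal than a workstation whose browser has DoH switched on.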
4. Enforcing Secure DNS in Enterprise Networks
Point clients at your internal resolver and encrypt the hop to it; a resolver you operate is one whose queries you can log and filter:
Linux (via systemd-resolved)
sudo nano /etc/systemd/resolved.conf
Add, under the [Resolve] section:
[Resolve]
# your internal DNS resolver (address assumed here)
DNS=192.168.1.1
DNSOverTLS=yes
DNSOverTLS=yes is strict: the internal resolver must offer DNS over TLS with a valid certificate or resolution fails. Use DNSOverTLS=opportunistic if it does not yet.
Restart:
sudo systemctl restart systemd-resolved
This governs the system resolver only. A browser with built-in DoH enabled never asks systemd-resolved, which is why the firewall rules and the client policies below still matter. Firefox additionally turns its own DoH off when the network's resolver answers NXDOMAIN for the canary name use-application-dns.net, which an internal resolver can be configured to do.
Windows (via Group Policy)
1. Open gpedit.msc (or the corresponding domain GPO).
2. Navigate to:
`Computer Configuration > Administrative Templates > Network > DNS Client`
3. Open "Configure DNS over HTTPS (DoH) name resolution", set it to Enabled and select "Prohibit DoH".
That policy covers the Windows DNS client only. Browsers carry their own DoH settings, so also set the Chrome/Edge policy DnsOverHttpsMode to off and the Firefox policy DNSOverHTTPS to Enabled=false through their administrative templates.
What Undercode Say
Morphing Meerkat highlights the growing sophistication of phishing campaigns. Defenders must:
– Monitor for encrypted DNS (DoH/DoT) using the metadata that stays visible: TLS SNI, destination address and TLS fingerprint.
– Block unauthorized DoH resolvers in corporate environments.
– Deploy TLS inspection where feasible to detect hidden threats.
– Educate users on phishing tactics, as technical controls alone aren’t foolproof.
Relevant Commands Recap:
– `tshark` for spotting DoH resolvers by TLS SNI and destination address.
– iptables/nftables for blocking malicious DoH.
– Zeek for network-level DoH detection.
– Group Policy for enforcing secure DNS in Windows.
Expected Output:
A hardened network with monitored/restricted DoH usage, reducing the risk of undetected phishing campaigns.
References:
Reported By: Bleepingcomputer A – Hackers Feeds