Cybercriminals Exploit DNS Records for Malware and Scams

Alan V Gutnov

Director of Strategy

July 17, 2025 3 min read

Hackers Exploit Blind Spots in DNS for Malware Delivery

Image courtesy of Ars Technica

Hackers are now using domain name system (DNS) records to hide malware in a way that most security controls have trouble detecting. The technique lets a malicious script fetch a binary without raising red flags, because DNS traffic is typically scrutinized far less than web and email traffic. DomainTools researchers recently identified malware using this method to host a binary for Joke Screenmate, a type of nuisance malware. The file is hex-encoded and split into multiple chunks, each stored in a TXT record on a different subdomain.

Ian Campbell, a security operations engineer at DomainTools, noted that even legitimate organizations struggle to tell authentic DNS requests from suspicious ones. With the rise of encrypted DNS methods such as DNS over HTTPS (DoH) and DNS over TLS (DoT), monitoring DNS traffic has become even harder. Embedding malicious content in DNS records is not a new technique, but it has evolved, as seen in PowerShell scripts that pull their commands out of DNS query responses.

For further insights, refer to the following sources: DomainTools on malware in DNS, Ars Technica on PowerShell Trojans, Asher Falcon's blog.
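The chunked-TXT layout described above is easy to screen for once TXT answers are collected from a resolver log or passive DNS. The Python script below is an added example, not code from DomainTools or from the article's author: it flags parents that serve several long, hex-only TXT strings under numerically labelled subdomains, checks whether the chunk indices are contiguous, and reports the file type implied by the first chunk's leading bytes. The domain names and hex strings are constructed for the example; only the file-magic table holds real constants.

```python
import re
from collections import defaultdict

# Constructed passive-DNS style observations: (owner name, TXT record data).
# The names and hex strings are made up for this example; the first chunk
# merely begins with the "MZ" bytes a Windows executable would begin with.
SAMPLE_TXT_RECORDS = [
    ("0.example-campaign.test",
     "4d5a900003000000" "04000000ffff0000" "b800000000000000" "4000000000000000"),
    ("1.example-campaign.test", "00" * 32),
    ("2.example-campaign.test",
     "0e1fba0e00b409cd" "21b8014ccd215468" "69732070726f6772" "616d2063616e6e6f"),
    # Ordinary TXT usage that must not be flagged.
    ("_dmarc.example-corp.test", "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.test"),
    ("example-corp.test", "v=spf1 include:_spf.example-corp.test -all"),
    ("example-corp.test", "google-site-verification=abc123DEF456"),
]

# Leading bytes (hex) of common file formats; these are real constants.
KNOWN_MAGIC = {
    "4d5a": "PE/DOS executable (MZ)",
    "7f454c46": "ELF executable",
    "504b0304": "ZIP archive",
}

HEX_ONLY_RE = re.compile(r"[0-9a-fA-F]+")
NUMBERED_LABEL_RE = re.compile(r"^(\d+)\.(.+)$")


def is_hex_chunk(txt, min_len=32):
    """True if the TXT data is nothing but hex digits, even-length and long
    enough that it is unlikely to be a token or verification string."""
    return (len(txt) >= min_len and len(txt) % 2 == 0
            and HEX_ONLY_RE.fullmatch(txt) is not None)


def magic_for(hex_data):
    """Return the file type implied by the leading bytes, if recognised."""
    for prefix, label in KNOWN_MAGIC.items():
        if hex_data.lower().startswith(prefix):
            return label
    return None


def find_chunked_hex_payloads(records, min_chunks=2):
    """Group hex-looking TXT data by parent domain when the leftmost label is a
    chunk index, and report parents that serve several such chunks."""
    chunks_by_parent = defaultdict(dict)
    for name, txt in records:
        if not is_hex_chunk(txt):
            continue
        m = NUMBERED_LABEL_RE.match(name.lower().rstrip("."))
        if not m:
            continue
        index, parent = int(m.group(1)), m.group(2)
        chunks_by_parent[parent][index] = txt

    findings = []
    for parent, chunks in chunks_by_parent.items():
        if len(chunks) < min_chunks:
            continue
        indices = sorted(chunks)
        findings.append({
            "parent": parent,
            "chunks": len(indices),
            # Indices without gaps suggest the observation captured every chunk.
            "contiguous": indices == list(range(indices[0], indices[0] + len(indices))),
            "bytes": sum(len(c) // 2 for c in chunks.values()),
            "magic": magic_for(chunks[indices[0]]),
        })
    return sorted(findings, key=lambda f: f["parent"])


if __name__ == "__main__":
    for f in find_chunked_hex_payloads(SAMPLE_TXT_RECORDS):
        print(f"{f['parent']}: {f['chunks']} chunk(s), {f['bytes']} bytes, "
              f"contiguous={f['contiguous']}, magic={f['magic']}")
```

The hex-only test is deliberately strict so that SPF, DMARC and site-verification strings pass through untouched; a campaign that base64-encodes or otherwise wraps its chunks would need a second encoding check, and the numeric-label assumption is just the layout DomainTools described, so treat this as a starting heuristic rather than a complete signature.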


DNS TXT Records as a Medium for Malware Execution

Image: Hackers Can Use DNS TXT Records to Execute the Malware (courtesy of AhnLab)

According to AhnLab's ASEC, malware can execute using DNS TXT records, a method that is not widely recognized but matters for detection and analysis. DNS TXT records were originally intended to hold human-readable text for purposes such as spam prevention and domain ownership verification. Attackers, however, are abusing this free-form field to execute malicious code.

A recent phishing email carried a PowerPoint add-in (PPAM) file that, when executed, launched a PowerShell command to query DNS TXT records for further instructions. Because the commands are fetched dynamically through DNS queries, attackers can change them at will and bypass conventional anti-malware solutions.

For more details, check out AhnLab’s findings on malware execution and the implications of DNS filtering.


DNS Hijacking Techniques for Investment Scams

Image: Savvy Seahorse DNS Hijacking (courtesy of The Hacker News)

A new threat actor, known as Savvy Seahorse, is using DNS hijacking techniques to lure victims into fake investment schemes. The actor convinces users to create accounts on fraudulent platforms and deposit funds, which are then transferred to Russian accounts. The group uses DNS canonical name (CNAME) records to build a traffic distribution system that helps it evade detection.

Their campaigns target speakers of various languages and utilize social media ads to draw in potential victims. The use of CNAME records enables Savvy Seahorse to quickly adapt their tactics, creating new subdomains associated with the primary campaign domain, making it challenging for security measures to keep up.

For an in-depth look at this technique, refer to Infoblox's report and The Hacker News on investment scams.
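The CNAME layout described above has a recognisable shape in passive DNS: many names under unrelated registrable domains all point at one base domain, so the operator can retarget the whole campaign by changing that one domain's records. The Python script below is an added example, not code from Infoblox or from this article's author. It groups CNAME observations by the target's registrable domain, counts how many distinct source domains feed into it, and skips an allowlist of provider domains because CDNs and SaaS platforms legitimately show the same fan-in. All domain names, including the allowlist entry, are constructed for the example.

```python
from collections import defaultdict

# Constructed passive-DNS CNAME observations: (owner name, CNAME target).
# Every name here is made up; the fan-in shape is the point, not the domains.
SAMPLE_CNAMES = [
    ("invest-now.lure-one.test", "b36.campaign-base.test"),
    ("profit.lure-two.test", "b36.campaign-base.test"),
    ("signup.lure-three.test", "b36.campaign-base.test"),
    ("login.lure-four.test", "b36.campaign-base.test"),
    ("www.example-corp.test", "example-corp.test"),
    # Three unrelated customers of one (constructed) CDN: legitimate fan-in.
    ("assets.example-corp.test", "abc123.cdn-provider.test"),
    ("static.other-corp.test", "def456.cdn-provider.test"),
    ("img.third-corp.test", "ghi789.cdn-provider.test"),
]

# Constructed allowlist of provider domains whose business model is many
# customers pointing CNAMEs at them (CDNs, SaaS, mail providers in practice).
KNOWN_PROVIDER_APEXES = frozenset({"cdn-provider.test"})


def apex(name, labels=2):
    """Registrable-domain approximation: the last N labels of the name.
    Production code should consult the public suffix list instead."""
    return ".".join(name.lower().rstrip(".").split(".")[-labels:])


def find_cname_fan_in(records, min_distinct_apexes=3, allowlist=frozenset()):
    """Report CNAME target domains that at least `min_distinct_apexes`
    unrelated registrable domains point at, skipping allowlisted providers."""
    sources_by_target = defaultdict(set)
    names_by_target = defaultdict(list)
    for name, target in records:
        target_apex = apex(target)
        if target_apex in allowlist:
            continue
        sources_by_target[target_apex].add(apex(name))
        names_by_target[target_apex].append(name.lower())

    findings = []
    for target_apex, sources in sources_by_target.items():
        if len(sources) >= min_distinct_apexes:
            findings.append({
                "target_apex": target_apex,
                "distinct_source_apexes": len(sources),
                "names": sorted(names_by_target[target_apex]),
            })
    # Widest fan-in first: that is the base domain worth looking at.
    return sorted(findings, key=lambda f: -f["distinct_source_apexes"])


if __name__ == "__main__":
    for f in find_cname_fan_in(SAMPLE_CNAMES, allowlist=KNOWN_PROVIDER_APEXES):
        print(f"{f['target_apex']}: {f['distinct_source_apexes']} source domains -> {f['names']}")
```

Run without the allowlist, the constructed CDN is flagged alongside the campaign base, which is exactly the false-positive class a real deployment has to curate out; the remaining signal, once providers are excluded, is a base domain that a handful of freshly seen, unrelated domains all resolve through.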


Malware Using Google DNS Over HTTPS

Image: Google DNS (courtesy of BleepingComputer)

Malware authors have abused Google's DNS over HTTPS service to download malicious payloads. After gaining access to a Windows system, the malware uses PowerShell to query Google DNS for encoded payloads hidden in TXT records. Security researcher John Hammond from Huntress Labs highlighted how this method circumvents traditional DNS filtering, since blocking HTTPS traffic outright is usually not feasible.

The encoded payloads are cleverly disguised, making them appear as legitimate DNS records, which can mislead conventional detection systems. This dynamic approach allows attackers to modify their command-and-control infrastructure without needing direct access to the victim's system, enhancing their evasion tactics.

For further exploration of this topic, check out BleepingComputer's report and Huntress Labs' insights.
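Both PowerShell cases on this page, the PPAM add-in that queries TXT records through the normal resolver and the variant that asks Google's resolver over HTTPS, leave the same footprint: one client issuing a burst of TXT lookups for numerically labelled names under a single domain. The Python script below is an added example, not code from AhnLab, Huntress or this article's author. It normalises two constructed log sources, a resolver query log and a TLS-inspecting proxy log that records Google's public DNS JSON API URLs (the real endpoint is https://dns.google/resolve with name and type parameters), and reports clients that cross a threshold. Log formats, client addresses and domain names are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed resolver log lines in a hypothetical "timestamp client qtype qname" format.
RESOLVER_LOG = [
    "2025-07-17T10:00:01Z 10.0.0.5 TXT 0.cmd.example-campaign.test",
    "2025-07-17T10:00:01Z 10.0.0.5 TXT 1.cmd.example-campaign.test",
    "2025-07-17T10:00:02Z 10.0.0.5 TXT 2.cmd.example-campaign.test",
    "2025-07-17T10:00:02Z 10.0.0.5 TXT 3.cmd.example-campaign.test",
    "2025-07-17T10:00:05Z 10.0.0.9 TXT _dmarc.example-corp.test",
    "2025-07-17T10:00:06Z 10.0.0.9 A www.example-corp.test",
]

# Constructed TLS-inspecting proxy log lines ("timestamp client method url").
# Only the URL shape of Google's DNS JSON API is real; the names are made up.
PROXY_LOG = [
    "2025-07-17T10:01:00Z 10.0.0.7 GET https://dns.google/resolve?name=0.cmd.example-campaign.test&type=TXT",
    "2025-07-17T10:01:00Z 10.0.0.7 GET https://dns.google/resolve?name=1.cmd.example-campaign.test&type=TXT",
    "2025-07-17T10:01:01Z 10.0.0.7 GET https://dns.google/resolve?name=2.cmd.example-campaign.test&type=TXT",
    "2025-07-17T10:01:30Z 10.0.0.7 GET https://www.example-corp.test/index.html",
]

NUMBERED_LABEL_RE = re.compile(r"^\d+\.")


def parse_resolver_line(line):
    """Return (ts, client, qtype, qname, source) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return ts, client, qtype.upper(), qname.lower().rstrip("."), "resolver"


def parse_proxy_line(line):
    """Extract DNS-over-HTTPS lookups made through Google's JSON API
    (https://dns.google/resolve?name=...&type=...). Other requests yield None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, _method, url = parts
    u = urlsplit(url)
    if u.hostname != "dns.google" or u.path != "/resolve":
        return None
    qs = parse_qs(u.query)
    name = qs.get("name", [None])[0]
    if name is None:
        return None
    qtype = qs.get("type", ["A"])[0].upper()  # the API defaults to A records
    return ts, client, qtype, name.lower().rstrip("."), "doh"


def parent_domain(qname, labels=2):
    """Registrable-domain approximation: the last N labels of the name."""
    return ".".join(qname.split(".")[-labels:])


def flag_txt_lookup_bursts(resolver_lines, proxy_lines, threshold=3):
    """Report (client, parent domain, source) triples that issued at least
    `threshold` TXT queries for numerically labelled names."""
    events = [e for e in map(parse_resolver_line, resolver_lines) if e]
    events += [e for e in map(parse_proxy_line, proxy_lines) if e]

    counts = Counter()
    for _ts, client, qtype, qname, source in events:
        if qtype == "TXT" and NUMBERED_LABEL_RE.match(qname):
            counts[(client, parent_domain(qname), source)] += 1

    findings = [
        {"client": c, "parent": p, "source": s, "txt_queries": n}
        for (c, p, s), n in counts.items() if n >= threshold
    ]
    return sorted(findings, key=lambda f: (f["client"], f["parent"]))


if __name__ == "__main__":
    for f in flag_txt_lookup_bursts(RESOLVER_LOG, PROXY_LOG):
        print(f"{f['client']} -> {f['parent']} via {f['source']}: {f['txt_queries']} TXT lookups")
```

The proxy half only works where TLS is terminated and inspected; without that, DoH traffic to dns.google shows nothing but the server name, and RFC 8484 wire-format requests (POST to /dns-query) carry the question in the body rather than the URL. That is the blind spot the DomainTools comment above refers to, and in that situation the useful signal degrades to "an endpoint that is not a browser is talking to a public DoH resolver at all", which is worth its own alert.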

About the author: Alan V Gutnov, Director of Strategy. MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.
