As an important component of the internet architecture, the Domain Name System has historically played the role of an invisible intermediary converting human intent into machine-readable destinations without much scrutiny or suspicion. However, this quiet confidence has now been put to the test.
Research conducted by DomainTools has revealed a subtle yet consequential technique that redefines DNS into a covert delivery channel for malicious code rather than just a directory service.
Rather than hosting payloads on compromised servers or suspicious domains, attackers fragment malware into tiny segments and embed them in DNS TXT records scattered across a variety of subdomains.
The fragments appear harmless when isolated, indistinguishable from legitimate configuration information. However, after systematically querying and reassembling-often by scripting PowerShell commands-the pieces combine to form fully functional malware.
As a result of the implicit trust placed in DNS traffic and the limited visibility many organizations maintain over it, this methodical approach is inexpensive, methodical, and quiet.
According to a report by Ars Technica, DNS infrastructure abuse is not merely theoretical. Threat actors have operationalized the technique in a manner that has been remarkable in its precision. In that instance, the malicious payload was converted into hexadecimal form and separated into hundreds of discrete chunks.
As a result of the registration of whitetreecollective.com and generation of a large number of subdomains, the operators assigned each fragment to a distinct TXT record of the host.
These records, individually, appeared to be indistinguishable from routine DNS metadata which is commonly used for verifying domains, authenticating email, and establishing service configurations. Collectively, however, they constitute a malware repository incorporated into the DNS infrastructure as a whole.
Upon establishing foothold access inside a target environment, the reconstruction process did not require any more conspicuous methods than a series of DNS queries.
Each encoded fragment was retrieved individually using scripted queries, which allowed the payload to be assembled in memory without the need for conventional file downloads or suspicious HTTP traffic.
This retrieval mechanism blends seamlessly into ordinary network activity since DNS requests are ubiquitous and rarely subject to deep inspection, particularly in environments requiring encrypted resolvers.
Even though DNS tunneling has long been associated with data exfiltration and command-and-control communications, the deliberate hosting of malicious payloads across TXT records represents a more assertive evolution in this area.
Through the campaign, people illustrate the importance of comprehensive DNS telemetry, anomaly detection, and policy enforcement within modern enterprise security architectures, and demonstrate how foundational internet protocols, when inadequately monitored, can be repurposed into resilient delivery channels.
Furthermore, investigations into DNS-enabled threat infrastructure revealed the activities of a threat actor identified as Detour Dog, who was the key enabler for campaigns to distribute the Strela Stealer malware. In accordance with Infoblox analysis, the actor is in control of domains hosting the initial malware component a lightweight backdoor called StarFish that
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article:
Like this:
Like Loading...
Related
