Hackers Are Finding New Ways to Hide Malware in DNS Records
Malicious hackers are abusing a legitimate feature of the domain name system (DNS), the free-form TXT record, to hide malware, letting them slip payloads past security measures that watch web and email traffic but rarely inspect DNS.
DNS is best known for mapping domain names to numerical IP addresses, but its records can carry other data, and attackers have found ways to stash malicious scripts and early-stage malware in them. This lets a first-stage loader fetch its binary payload through DNS instead of downloading it from a suspicious site or receiving it as an email attachment, both of which antivirus software frequently quarantines.
This use of DNS records falls into a blind spot for many security tools, which often focus on web and email traffic rather than DNS traffic. Researchers from DomainTools recently discovered the tactic being used to host a malicious binary for Joke Screenmate, a strain of nuisance malware that interferes with normal computer functions.
The hexadecimal representation technique
Researchers found that the attackers converted the malicious binary into hexadecimal format and broke it up into hundreds of chunks. Each chunk was then stashed inside the DNS record of a different subdomain of the domain whitetreecollective[.]com.
Specifically, the chunks were placed in TXT records, a DNS record type that can hold arbitrary text. Because each chunk is retrieved with an ordinary TXT lookup for a subdomain, the transfer looks like routine DNS traffic, which makes it difficult for security tools to single out.
The attack works like this
An attacker who has gained a foothold in a protected network can retrieve each chunk with a series of innocuous-looking DNS requests, reassemble the chunks in order, and convert the result back into binary. The payload thus arrives over a channel that is hard to monitor closely.
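The staging and reassembly steps described above, as an added example that is not DomainTools' write-up or the attackers' code. DNS is replaced by an in-memory zone (a dict of name to TXT string); the chunk size, the numbering scheme (chunk index as the leftmost label), the constructed payload and the out-of-band SHA-256 check are assumptions, not details taken from the article. A real stager would issue the same TXT lookups through the local resolver, which is exactly what makes the traffic blend in.

```python
"""Chunked TXT-record staging and reassembly (added example, see lead-in)."""
from __future__ import annotations

import hashlib
from typing import Callable, Optional

DOMAIN = "staging.example.test"   # constructed stand-in, not the domain from the article
CHUNK_SIZE = 254                  # assumption: one hex chunk per TXT string, under the 255-byte limit

# Constructed stand-in for a malicious binary: an "MZ" prefix followed by filler bytes.
PAYLOAD = b"MZ" + bytes(range(256)) * 2
EXPECTED_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()   # assumed to be known to the stager out of band


def build_zone(payload: bytes, domain: str = DOMAIN, chunk_size: int = CHUNK_SIZE) -> dict[str, str]:
    """Attacker-side preparation: hex-encode the payload and spread it over
    numbered subdomain TXT records, i.e. N.<domain> -> hex chunk N."""
    hexdata = payload.hex()
    chunks = [hexdata[i:i + chunk_size] for i in range(0, len(hexdata), chunk_size)]
    return {f"{idx}.{domain}": chunk for idx, chunk in enumerate(chunks)}


def reassemble(lookup_txt: Callable[[str], Optional[str]], domain: str = DOMAIN,
               expected_sha256: Optional[str] = None) -> bytes:
    """Stager-side retrieval: query 0.<domain>, 1.<domain>, ... until a name has
    no TXT record (NXDOMAIN), join the hex chunks and decode back to bytes.

    `lookup_txt` is the only I/O; here it reads the dict, in the wild it would
    be a TXT query through the resolver.
    """
    parts = []
    idx = 0
    while (chunk := lookup_txt(f"{idx}.{domain}")) is not None:
        parts.append(chunk)
        idx += 1
    if not parts:
        raise ValueError("no chunks found")
    blob = bytes.fromhex("".join(parts))
    # A missing middle chunk stops the walk early and silently truncates the
    # stream; the (assumed) integrity check is how a stager would notice.
    if expected_sha256 is not None and hashlib.sha256(blob).hexdigest() != expected_sha256:
        raise ValueError(f"integrity check failed after {idx} chunks")
    return blob


def demo() -> bytes:
    """Round trip: build the zone, then pull the payload back out of it."""
    zone = build_zone(PAYLOAD)
    return reassemble(zone.get, expected_sha256=EXPECTED_SHA256)


if __name__ == "__main__":
    zone = build_zone(PAYLOAD)
    first = f"0.{DOMAIN}"
    print(f"{len(zone)} TXT records; {first} -> {zone[first][:32]}...")
    print("reassembled OK" if demo() == PAYLOAD else "mismatch")
```

Note what the defender sees: a client issuing a run of TXT queries for consecutively numbered subdomains of one parent, and answers that are nothing but hex digits. Neither is normal for SPF, DKIM or DMARC lookups, the TXT traffic most networks legitimately generate.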
As encrypted DNS lookups, DoH (DNS over HTTPS) and DoT (DNS over TLS), gain adoption, detecting these transfers will likely become harder still for security teams, because the queries and answers are no longer visible to network monitoring between the client and the resolver.
A growing concern
DomainTools' senior security operations engineer, Ian Campbell, said: “Even sophisticated organizations with their own in-network DNS resolvers have a hard time delineating authentic DNS traffic from anomalous requests, so it’s a route that’s been used before for malicious activity.”
Campbell also noted that the proliferation of DOH and DOT contributes to this by encrypting DNS traffic until it hits the resolver, making it even harder to detect suspicious activity.
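Two cheap heuristics that an in-network resolver can still apply to its own query logs, since DoH and DoT only hide the traffic up to the resolver. This is an added example, not DomainTools' detection logic. The log lines are constructed (fields: time, client, qname, qtype, answer rdata), the parent-domain rule (last two labels) and both thresholds are assumptions to be tuned per environment.

```python
"""Resolver-log heuristics for chunked TXT payload retrieval (added example)."""
from __future__ import annotations

import re
from collections import defaultdict

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
MIN_HEX_LEN = 40       # assumption: short all-hex TXT strings (verification tokens) are common
FANOUT_THRESHOLD = 5   # assumption: distinct TXT qnames under one parent within the log window

# Constructed sample log. The first three lines are ordinary mail-related TXT
# lookups; the last five mimic a chunked hex download from one client.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 example.org TXT v=spf1 include:_spf.example.org -all
12:00:02 10.0.0.5 selector1._domainkey.example.org TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
12:00:03 10.0.0.7 _dmarc.example.org TXT v=DMARC1; p=reject
12:00:10 10.0.0.9 0.staging.example.test TXT 4d5a90000300000004000000ffff0000b8000000000000004000000000000000
12:00:10 10.0.0.9 1.staging.example.test TXT 0e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f
12:00:10 10.0.0.9 2.staging.example.test TXT 742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000
12:00:11 10.0.0.9 3.staging.example.test TXT 50450000648606000000000000000000000000000000000000f0002f20000000
12:00:11 10.0.0.9 4.staging.example.test TXT 0b020e1a00a6000000a41b0000000000ac4c0000001000000000004001000000
"""


def parse_log(text: str) -> list[dict]:
    """Split each line into its five fields; rdata may contain spaces, and an
    NXDOMAIN line may have no rdata at all."""
    records = []
    for line in text.splitlines():
        fields = line.split(maxsplit=4)
        if len(fields) < 4:
            continue
        ts, client, qname, qtype = fields[:4]
        rdata = fields[4] if len(fields) == 5 else ""
        records.append({"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
                        "qtype": qtype.upper(), "rdata": rdata})
    return records


def parent_domain(qname: str) -> str:
    """Assumption: registrable domain is the last two labels. Production code
    should use the public suffix list instead."""
    return ".".join(qname.split(".")[-2:])


def hex_payload_answers(records: list[dict], min_len: int = MIN_HEX_LEN) -> list[tuple[str, str]]:
    """Heuristic 1: TXT answers that are nothing but a long run of hex digits.
    SPF, DKIM and DMARC records contain '=' and ';' and never match."""
    return [(r["qname"], r["rdata"]) for r in records
            if r["qtype"] == "TXT" and len(r["rdata"]) >= min_len and HEX_RE.match(r["rdata"])]


def txt_fanout(records: list[dict], threshold: int = FANOUT_THRESHOLD) -> dict[str, int]:
    """Heuristic 2: many distinct TXT names under one parent domain, the
    footprint of a payload split across numbered subdomains."""
    names: dict[str, set] = defaultdict(set)
    for r in records:
        if r["qtype"] == "TXT":
            names[parent_domain(r["qname"])].add(r["qname"])
    return {parent: len(qs) for parent, qs in names.items() if len(qs) >= threshold}


def analyze(text: str) -> dict:
    records = parse_log(text)
    return {"hex_answers": hex_payload_answers(records), "fanout": txt_fanout(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for parent, n in result["fanout"].items():
        print(f"[fanout]  {n} distinct TXT names under {parent}")
    for qname, rdata in result["hex_answers"]:
        print(f"[hexdata] {qname} -> {rdata[:24]}... ({len(rdata)} hex chars)")
```

Either signal alone is noisy; together, from a single client in a short window, they are a strong lead. Both require visibility at the resolver: once clients use DoH to a public resolver, the in-network logs go dark, which is the point Campbell makes above.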
Other tactics revealed
Researchers from DomainTools also found the same hexadecimal technique used in TXT records for the domain 15392.484f5fa5d2.dnsm.in.drsmitty[.]com. The method, which was recently described in a blog post, is less well known than other DNS abuse tactics.
Campbell also found DNS records containing text aimed at AI chatbots, using the attack technique known as prompt injection. Such prompts are embedded in documents or files that a chatbot is asked to analyze, so that the model follows the attacker's instructions and its behavior can be manipulated.
A strange and enchanting place
Campbell quipped: “Like the rest of the Internet, DNS can be a strange and enchanting place.” The episode is a reminder that DNS deserves the same scrutiny defenders already give web and email traffic.