Hackers Abuse DNS Blind Spots to Stealthily Deliver Malware

Cybersecurity researchers have uncovered a sophisticated technique where threat actors are exploiting DNS infrastructure to covertly store and distribute malware, turning the internet’s domain name system into an unwitting accomplice for malicious activities.

The discovery reveals how attackers can hide executable files within DNS TXT records, creating a stealthy delivery mechanism that bypasses traditional security measures.

The attack method involves partitioning malware files into smaller segments and storing them across multiple DNS TXT records after converting them to hexadecimal format.

Security researchers analyzing passively collected DNS records found evidence of this technique being actively used between 2021 and 2022, with attackers embedding complete executable files within seemingly innocuous DNS entries.

“Files can be partitioned and stored in DNS TXT records, then retrieved via DNS requests and put back together,” the researchers explain in their findings.

This approach allows malicious files to persist until DNS servers remove or overwrite the records, effectively providing unauthorized data storage across the internet’s infrastructure.

Real-World Discovery

Investigators discovered suspicious activity across multiple domains, including “felix.stf.whitetreecollective[.]com,” which contained hundreds of subdomain entries, each storing different fragments of malware.

By analyzing the hexadecimal patterns and reassembling the fragmented data, researchers successfully reconstructed complete executable files that were identified as Joke Screenmate malware.

The malware samples, with SHA256 hashes 7ff0ecf2953b8662ede1577e330a514f09992c18aa3c14ed77cf2ffc115b0866 and e7b22ba761a7f853b63933ffe517cc61596710dbdee992a429ac1bc8d04186a1, represent prank software designed to disrupt user systems through fake error messages, difficult-to-close applications, and resource-consuming animations.

The investigation revealed more concerning discoveries beyond simple prank software. Researchers found DNS TXT records containing encoded PowerShell scripts that function as stagers for more sophisticated malware infections.

These scripts connect to command and control servers, specifically targeting Covenant C2 infrastructure through default endpoints like “/api/v1/nps/payload/stage1.”

The domain “drsmitty[.]com” was identified as hosting multiple malicious commands within its DNS records, with connections traced back to the C2 domain “cspg[.]pw.”

Historical analysis shows this technique has been in use since at least 2017, indicating a long-term campaign by threat actors.

This DNS-based malware delivery method presents significant challenges for cybersecurity professionals, as it exploits legitimate internet infrastructure to avoid detection.

The technique demonstrates how attackers continue to evolve their methods, finding new ways to abuse trusted systems for malicious purposes.

Organizations should implement comprehensive DNS monitoring and filtering solutions to detect unusual TXT record patterns and suspicious domain behaviors.
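The following script is an added example, not code from the researchers or the article, showing one way a defender might triage TXT records for the two patterns described above: runs of hex-encoded fragments spread across a zone's subdomains that reassemble into something with a PE header, and base64-wrapped text that names the default Covenant staging path quoted in the article. The sample records, the placeholder domains, the 64-character minimum hex length, the "last two labels are the zone" shortcut and the "leftmost numeric label is the fragment index" convention are all assumptions made for the demonstration; real zones would need a proper public-suffix lookup and tuning against whatever legitimate hex TXT values your environment uses.

```python
"""Heuristic triage of DNS TXT records for hex-encoded file fragments and
base64-wrapped stager text. Added example; the sample records are constructed
and every domain below is a placeholder."""
import base64
import re
from collections import defaultdict

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
MIN_HEX_LEN = 64  # assumed threshold: short hex values (verification tokens) are routine
# Default Covenant C2 staging path named in the article
KNOWN_STAGER_PATHS = ("/api/v1/nps/payload/stage1",)


def registered_zone(name):
    """Approximate the zone as the last two labels (assumption; fine for the sample)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def fragment_index(name):
    """Treat a numeric leftmost label as the fragment's sequence number (assumption)."""
    first = name.split(".")[0]
    return int(first) if first.isdigit() else None


def stager_indicator(txt):
    """Return a known stager path if the value is base64 wrapping UTF-16-LE/UTF-8 text."""
    try:
        raw = base64.b64decode(txt, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        for path in KNOWN_STAGER_PATHS:
            if path in text:
                return path
    return None


def analyze_txt_records(records):
    """records: iterable of (owner_name, txt_value). Returns per-zone fragment
    statistics plus the names of records carrying a known stager indicator."""
    fragments = defaultdict(dict)  # zone -> {index or name: hex string}
    stager_records = []
    for name, txt in records:
        value = txt.strip().strip('"')
        if HEX_RE.match(value) and len(value) >= MIN_HEX_LEN and len(value) % 2 == 0:
            idx = fragment_index(name)
            fragments[registered_zone(name)][idx if idx is not None else name] = value
            continue
        if stager_indicator(value):
            stager_records.append(name)
    findings = {"zones": {}, "stager_records": stager_records}
    for zone, frags in fragments.items():
        # numeric indices first, in order; unindexed names after them
        order = sorted(frags, key=lambda k: (isinstance(k, str), k))
        blob = bytes.fromhex("".join(frags[k] for k in order))
        findings["zones"][zone] = {
            "fragment_count": len(frags),
            "total_bytes": len(blob),
            "pe_header": blob[:2] == b"MZ",  # DOS/PE magic at the start of the reassembled data
        }
    return findings


# Constructed sample: a harmless 96-byte blob that merely starts with the PE magic,
# split into three 64-hex-character TXT records, plus routine records and one
# base64-wrapped UTF-16-LE string naming the stager path.
_BLOB = b"MZ" + b"\x90" * 94
_HEX = _BLOB.hex()
_STAGER_TEXT = "stager=http://c2.example.invalid/api/v1/nps/payload/stage1"
SAMPLE_RECORDS = [
    ("example.com", '"v=spf1 -all"'),
    ("_verify.example.com", "abcd1234abcd1234"),
    ("sel._domainkey.example.com", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"),
    ("0.frag.example.net", _HEX[0:64]),
    ("1.frag.example.net", _HEX[64:128]),
    ("2.frag.example.net", _HEX[128:192]),
    ("cmd.example.org", base64.b64encode(_STAGER_TEXT.encode("utf-16-le")).decode()),
]

if __name__ == "__main__":
    result = analyze_txt_records(SAMPLE_RECORDS)
    for zone, stats in result["zones"].items():
        print(zone, stats)
    print("stager records:", result["stager_records"])
```

Feeding this a passive-DNS export, the useful signals are the per-zone fragment count (hundreds of hex-only subdomains under one name is the pattern the researchers describe) and whether the reassembled bytes carry a file header, while the stager check is deliberately narrow to the single path the article names so it produces few false positives.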

The discovery underscores the importance of treating DNS traffic as a potential attack vector rather than simply background internet functionality.
