Hackers Exploiting Blind Spots in DNS Records to Store and Deliver Malware

A sophisticated new attack vector where malicious actors are hiding malware inside DNS records, exploiting a critical blind spot in most organizations’ security infrastructure.

This technique transforms the Internet’s Domain Name System into an unconventional file storage system, allowing attackers to distribute malware while evading traditional detection methods.

Recent investigations using DNSDB Scout, a passive DNS intelligence platform, have revealed that cybercriminals are partitioning malware files and storing them in DNS TXT records.

These records, designed initially to hold descriptive text for domains, can store arbitrary data that persists until DNS servers remove or overwrite the records.

The attack methodology involves converting malicious executable files into hexadecimal format, then fragmenting them across multiple subdomains.

DomainTools researchers discovered evidence of this technique by searching for magic file bytes in hexadecimal format using sophisticated regex patterns to identify various executable and common file types.

Malware in DNS TXT Records

During analysis of DNS records from 2021-2022, security researchers identified TXT records containing executable file headers across three different domains sharing identical subdomain patterns.

The most significant discovery involved the domain “*.felix.stf.whitetreecollective[.]com,” which contained hundreds of iterated subdomain integer values, each storing different fragments of an executable file.

By reassembling these fragments using the integer values as sequence markers, researchers successfully reconstructed complete malware files with SHA256 hashes:

• 7ff0ecf2953b8662ede1577e330a514f09992c18aa3c14ed77cf2ffc115b0866
• e7b22ba761a7f853b63933ffe517cc61596710dbdee992a429ac1bc8d04186a1

Both files were identified as Joke Screenmate malware, a form of prank software that exhibits several disruptive behaviors, including simulating destructive actions, interfering with user control, displaying unsolicited content, and causing system performance issues.

The investigation revealed a more concerning discovery: malicious PowerShell commands stored in TXT records.

Researchers found encoded stager scripts in DNS records associated with drsmitty[.]com that connect to cspg[.]pw, utilizing the default endpoint for a Covenant C2 server (/api/v1/nps/payload/stage1) to deliver next-stage payloads.

This technique represents a significant evolution in malware delivery, as security solutions often overlook DNS traffic compared to the extensive monitoring of web and email communications.

The same C2 domain was identified in DNS records dating back to July 2017, suggesting this attack vector has been operational for years.

DNS tunneling and malware storage exploit a fundamental weakness in enterprise security strategies. DNS is frequently left out of visibility and compliance planning, despite being the backbone of modern digital infrastructure.

Recent studies indicate that 90% of malware uses DNS in its kill chain, with 95% using DNS to communicate with command-and-control servers.

The rise of encrypted DNS protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) further complicates detection efforts. These technologies, designed to protect user privacy, also provide attackers with additional cover for their malicious activities.

Security experts emphasize that organizations must implement comprehensive DNS monitoring and filtering solutions to detect these sophisticated attacks.

As cybercriminals continue to exploit trusted protocols like DNS, enterprises can no longer afford to treat DNS as a simple utility service requiring minimal security oversight.

The discovery of this attack vector underscores the critical need for DNS security solutions that can distinguish between legitimate queries and those used for malicious purposes, transforming DNS from a security blind spot into a proactive defense mechanism.

Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now