DNS tunneling is a technique that hides data inside DNS traffic by taking advantage of the DNS protocol. It enables threat actors to evade firewalls and other security controls.
Hackers encode the information they want to move inside DNS queries and responses. This allows them to “exfiltrate sensitive information” and maintain command-and-control (“C&C”) over compromised systems.
Unit 42 of Palo Alto Networks recently discovered that hackers have been actively exploiting DNS tunneling services to bypass network firewalls.
Network Firewall Bypass Via DNS Tunneling
DNS itself converts human-readable domain names into machine-readable IP addresses (like “192.168.1.1”); DNS tunneling abuses that lookup process to carry data.
This attack targets port 53 (both “UDP” and “TCP”), which is commonly left open and unmonitored in organizational firewalls for DNS communications.
In this attack method, threat actors “first infect a client system with malware,” then “encode stolen data within subdomain queries” (like ‘stolen-data.attacker-domain[.]com’).
They then transmit it via “DNS requests” to the authoritative ‘DNS’ (aDNS) servers for that domain, which they control.
The attack achieves stealth by using recursive DNS resolvers as intermediaries, which makes the malicious traffic appear as “legitimate DNS queries.”
By encoding instructions in DNS responses, the threat actors can also send commands back to infected systems, establishing a hidden “C2” channel.
This technique has been notably employed by threat groups like “Evasive Serpens” (aka ‘OilRig’) and “Obscure Serpens” (aka ‘DarkHydrus’) against critical infrastructure.
To maintain their attack infrastructure, they rely on specific attributes:
- Consistent DNS configurations
- Payload encoding patterns
- Domain registration characteristics
Besides this, cybersecurity analysts have discovered four malicious campaigns: “FinHealthXDS,” “RussianSite,” “8NS,” and “NSfinder.”
The “FinHealthXDS” campaign targets finance and healthcare industries using a customized DNS beaconing format for Cobalt Strike C2 communications.
To indicate command requests, it makes use of unique three-letter prefixes, such as “xds,” in ‘DNS queries.’
The campaign resolves to IPs like “40.112.72[.]205” and uses “XOR calculations” on the last byte of the ‘IP’ to interpret commands.
Data transfer is achieved via either “A records” (prefix “pro”) or “TXT records” (prefix “snd”). The prefixes “txt” (‘short messages’) and “del” (‘long messages’) are used for exfiltration.
The “RussianSite” tunneling campaign involves over “100 domains” sharing the nameserver IP “185.161.248[.]253,” located in Russia. Most domains use the “.site” TLD, with a few using “.website.”
Here, the campaign’s subdomains consist of a “5-character alphanumeric payload” and “1-2 letters of padding.” The ‘A’ records are globally distributed, but a valid “aDNS” IP is needed for tunneling, reads the Palo Alto report.
The “8NS” tunneling campaign involves “6 domains” with “identical DNS configurations” and “aDNS server IP 35.205.61[.]67.” Each domain has 8 “NS records,” all of which point to the same A record.
The “NSfinder” campaign targets over “50 domains,” each named using three words ending in “finder.”
It lures victims through adult websites to ‘steal credit card info’ and is linked to Trojans like “IcedID” and “RedLine” stealer.
DNS tunneling campaigns share distinct “identifying attributes” like “infrastructure setup,” “DNS configurations,” “payload encoding methods,” “domain registration patterns,” and “target selection.”
All these elements make it a significant threat in the cybersecurity landscape.
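As an added defensive example (not code from the Unit 42 report or from Palo Alto Networks), the following Python scores a constructed set of resolver log lines against the identifying attributes described above: many unique, high-entropy subdomains under one domain, the RussianSite-style 5-character payload plus 1-2 letters of padding, and the TXT record usage seen in FinHealthXDS. The log format, domain names, and thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict
# Constructed resolver log lines (client, query type, query name); not taken from the Unit 42 report.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 A k3x9qab.tunnel-example.site
10.0.0.7 A p0m2zqc.tunnel-example.site
10.0.0.7 A a7f1yq.tunnel-example.site
10.0.0.7 A zz4t8xy.tunnel-example.site
10.0.0.7 A 9qwe1a.tunnel-example.site
10.0.0.9 TXT snd.4f3a2b1c9d8e7f60.beacon-example.com
10.0.0.9 TXT snd.0a1b2c3d4e5f6a7b.beacon-example.com
10.0.0.9 A pro.deadbeefcafef00d.beacon-example.com
10.0.0.9 TXT txt.1122334455667788.beacon-example.com
"""
# RussianSite-style label: 5 alphanumeric payload chars + 1-2 letters padding (plain 6-7 letter words match too).
PAYLOAD_RE = re.compile(r"^[a-z0-9]{5}[a-z]{1,2}$")
def shannon_entropy(s: str) -> float:
    # Bits per character: encoded payloads score higher than hostnames such as "www".
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())
def analyze(log: str, min_unique: int = 3, entropy_threshold: float = 2.5) -> dict:
    # Returns {registered_domain: [reasons]} for domains whose subdomain traffic looks tunnel-like.
    stats = defaultdict(lambda: {"subs": set(), "entropy": [], "patterned": 0, "txt": 0})
    for line in log.splitlines():
        _client, qtype, qname = line.split()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain, so nothing to carry a payload
        domain = ".".join(labels[-2:])  # crude registered-domain guess (no public-suffix list)
        sub = ".".join(labels[:-2])
        st = stats[domain]
        st["subs"].add(sub)
        st["entropy"].append(shannon_entropy(sub))
        st["patterned"] += bool(PAYLOAD_RE.match(labels[0]))
        st["txt"] += qtype == "TXT"
    findings = {}
    for domain, st in stats.items():
        if len(st["subs"]) < min_unique:
            continue  # a handful of static hostnames is normal
        checks = [(sum(st["entropy"]) / len(st["entropy"]) > entropy_threshold, "high-entropy subdomains"),
                  (st["patterned"] >= 3, "RussianSite-like label format"),
                  (st["txt"] > 0, "TXT record queries")]
        reasons = [reason for hit, reason in checks if hit]
        if reasons:
            findings[domain] = reasons
    return findings
```

Each signal on its own is weak (CDNs and mail infrastructure also produce many unique subdomains), so production detection should combine these scores with query volume per client and per domain over time.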
IoCs
IP Addresses
- 88.119.169[.]205
- 185.161.248[.]253
- 185.176.220[.]80
- 185.176.220[.]212