Cybercriminals are increasingly using the Domain Name System (DNS) to store and retrieve malware, taking advantage of its typically low analysis by security measures. They convert malware files into hexadecimal format, split them into pieces, and store these parts in DNS TXT records. These records are easy to retrieve using standard DNS queries. The rise of encrypted DNS requests, such as DNS over HTTPS and DNS over TLS, complicates matters by limiting visibility into the content of DNS requests. This technique also has applications for delivering additional malware payloads.
Cybercriminals are using the Domain Name System (DNS) as an unconventional storage medium for malware. They package malware into small pieces and hide them in DNS TXT records, allowing covert retrieval through a channel that traditional security controls often overlook.
The malware file is converted to a hexadecimal representation, split into pieces, stored in TXT records of subdomains, and reassembled via DNS requests. DNS traffic is usually not thoroughly analyzed, making such operations go unnoticed.
Encrypted DNS requests through DNS over HTTPS (DoH) and DNS over TLS (DoT) further obscure visibility for security tools. Even organizations running their own DNS resolvers can struggle to distinguish legitimate requests from suspicious ones.
Researchers identified other applications for this method, including stagers that retrieve further malware payloads. This shows the method's versatility in facilitating cybercrime.
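The pattern described above (hex-encoded file fragments spread across numbered subdomains, each served from a TXT record) leaves a recognisable footprint in the logs of a resolver you control. The following detection logic is an added example written for this summary; it is not code from the article or from the researchers it describes. It parses constructed resolver log lines in an assumed format (timestamp, client, query name, query type, answer data), keeps only TXT answers whose payload is nothing but hex digits and long enough to carry file data, groups them by the parent domain of a numbered leftmost label, and reports any parent that accumulates several such chunks. The log format, the 64-character minimum and the three-chunk threshold are all assumptions chosen for the example, not values from the article.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed hex strings standing in for hex-encoded file fragments.
# They are arbitrary bytes, not real malware, and exist only to exercise the detector.
CHUNK_0 = "9f3ac1d27e08b45c11aa0be7c3d29f605e71d0a84bf2c913e6b03d7a1c5f8e2204d9c7ab36e1f058"
CHUNK_1 = "7b2e9c0d41fa6835c8d15e3f9a07b2640f6e4bd2a97c3185d3a8f01e6c5b294791e7c4a03bd6f825"
CHUNK_2 = "36c0ad5f18e2b79ca4f9d0e13b72c586e0b7c2f549d81a6358d3e9a16fc07b242c7f1b6ad0e3958c"

# Constructed resolver log (assumed format: <timestamp> <client> <qname> <qtype> <rdata>).
# Mixes ordinary TXT records (SPF, DKIM, an ACME token) with three hex chunks under one parent.
SAMPLE_LOG = "\n".join([
    '2024-05-01T09:00:00Z 10.0.0.5 example.invalid TXT "v=spf1 include:_spf.example.invalid -all"',
    '2024-05-01T09:00:01Z 10.0.0.5 s1._domainkey.example.invalid TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN"',
    "2024-05-01T09:00:02Z 10.0.0.5 www.example.invalid A 192.0.2.10",
    f'2024-05-01T09:00:03Z 10.0.0.77 0.cdn-assets.example.invalid TXT "{CHUNK_0}"',
    f'2024-05-01T09:00:03Z 10.0.0.77 1.cdn-assets.example.invalid TXT "{CHUNK_1}"',
    f'2024-05-01T09:00:04Z 10.0.0.77 2.cdn-assets.example.invalid TXT "{CHUNK_2}"',
    '2024-05-01T09:00:05Z 10.0.0.5 _acme-challenge.example.invalid TXT "f2a9c0b1d8e47356a1b2c3d4e5f60718"',
])

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Leftmost label that ends in digits ("0.", "c7.", "part12.") followed by the parent domain.
CHUNK_LABEL_RE = re.compile(r"^[a-z_-]*(\d+)\.(.+)$", re.IGNORECASE)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; rdata may contain spaces, so it is the remainder of the line."""
    parts = line.split(None, 4)
    if len(parts) < 5:
        return None
    ts, client, qname, qtype, rdata = parts
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(), "rdata": rdata.strip().strip('"')}


def parse_log(text: str) -> List[dict]:
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def looks_like_hex_chunk(rdata: str, min_len: int = 64) -> bool:
    """True when a TXT payload is only hex digits and long enough to carry file data.

    Short hex tokens (ACME challenges, site-verification strings) stay under min_len."""
    value = rdata.strip().strip('"')
    return len(value) >= min_len and HEX_RE.match(value) is not None


def split_chunk_label(qname: str) -> Optional[Tuple[int, str]]:
    """Split '7.files.example.invalid' into (7, 'files.example.invalid'), or None if not numbered."""
    m = CHUNK_LABEL_RE.match(qname)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def flag_suspicious(records: List[dict], min_chunks: int = 3, min_len: int = 64) -> List[dict]:
    """Report parent domains whose numbered subdomains served several hex-only TXT payloads."""
    groups: Dict[str, Dict[int, str]] = defaultdict(dict)
    clients: Dict[str, set] = defaultdict(set)
    for rec in records:
        if rec["qtype"] != "TXT" or not looks_like_hex_chunk(rec["rdata"], min_len):
            continue
        split = split_chunk_label(rec["qname"])
        if split is None:
            continue
        idx, parent = split
        groups[parent][idx] = rec["rdata"]
        clients[parent].add(rec["client"])
    findings = []
    for parent, chunks in groups.items():
        if len(chunks) < min_chunks:
            continue
        findings.append({
            "parent": parent,
            "chunks": len(chunks),
            "indices": sorted(chunks),
            # Two hex digits per byte: how much file data the observed chunks carry.
            "hex_bytes": sum(len(v) for v in chunks.values()) // 2,
            "clients": sorted(clients[parent]),
        })
    return sorted(findings, key=lambda f: f["parent"])


if __name__ == "__main__":
    for finding in flag_suspicious(parse_log(SAMPLE_LOG)):
        print(finding)
```

The heuristic deliberately requires both properties (hex-only payload above a length floor, and a run of numbered sibling labels under one parent) because either alone is common in benign zones; the SPF, DKIM and ACME records in the sample pass through untouched. It depends on seeing answer data, which is exactly what the article's DoH and DoT point takes away: once clients resolve through an external encrypted resolver, this logic has nothing to inspect, and the remaining signal is which resolvers endpoints are allowed to talk to.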