Hackers are stashing malware in a place thats largely out of the reach of most defensesinside domain name system (DNS) records that map domain names to their corresponding numerical IP addresses.The practice allows malicious scripts and early-stage malware to fetch binary files without having to download them from suspicious sites or attach them to emails, where they frequently get quarantined by antivirus software.
Thats because traffic for DNS lookups often goes largely unmonitored by many security tools.
Whereas web and email traffic is often closely scrutinized, DNS traffic largely represents a blind spot for such defenses.Researchers from DomainTools on Tuesday said they recently spotted the trick being used to host a malicious binary for Joke Screenmate, a strain of nuisance malware that interferes with normal and safe functions of a computer.
The file was converted from binary format into hexadecimal, an encoding scheme that uses the digits 0 through 9 and the letters A through F to represent binary values in a compact combination of characters.The hexadecimal representation was then broken up into hundreds of chunks.
Each chunk was stashed inside the DNS record of a different subdomain of the domain whitetreecollective[.]com.
Specifically, the chunks were placed inside the TXT record, a portion of a DNS record capable of storing any arbitrary text.
TXT records are often used to prove ownership of a site when setting up services like Google Workspace.An attacker who managed to get a toehold into a protected network could then retrieve each chunk using an innocuous-looking series of DNS requests, reassembling them, and then converting them back into binary format.
The technique allows the malware to be retrieved through traffic that can be hard to closely monitor.
As encrypted forms of IP lookupsknown as DOH (DNS over HTTPS) and DOT (DNS over TLS)gain adoption, the difficulty will likely grow.