INSUBCONTINENT EXCLUSIVE:
domain names to their corresponding numerical IP addresses.The practice allows malicious scripts and early-stage malware to fetch binary
files without having to download them from suspicious sites or attach them to emails, where they frequently get quarantined by antivirus
Whereas web and email traffic is often closely scrutinized, DNS traffic largely represents a blind spot for such defenses.Researchers from
DomainTools on Tuesday said they recently spotted the trick being used to host a malicious binary for Joke Screenmate, a strain of nuisance
malware that interferes with normal and safe functions of a computer
The file was converted from binary format into hexadecimal, an encoding scheme that uses the digits 0 through 9 and the letters A through F
to represent binary values in a compact combination of characters.The hexadecimal representation was then broken up into hundreds of chunks
Each chunk was stashed inside the DNS record of a different subdomain of the domain whitetreecollective[.]com
Specifically, the chunks were placed inside the TXT record, a portion of a DNS record capable of storing any arbitrary text
TXT records are often used to prove ownership of a site when setting up services like Google Workspace.An attacker who managed to get a
toehold into a protected network could then retrieve each chunk using an innocuous-looking series of DNS requests, reassembling them, and
then converting them back into binary format
The technique allows the malware to be retrieved through traffic that can be hard to closely monitor
