

Hackers Exploit a Blind Spot By Hiding Malware Inside DNS Records (arstechnica.com)
Hackers are hiding malware inside DNS records, allowing malicious code to bypass security defenses that typically monitor web and email traffic. DomainTools researchers discovered the technique being used to host Joke Screenmate malware, with binary files converted to hexadecimal format and broken into chunks stored in TXT records across subdomains of whitetreecollective[.]com.
Attackers retrieve the chunks through DNS requests and reassemble them into executable malware. The method exploits a blind spot in security monitoring, as DNS traffic often goes unscrutinized compared to other network activity.
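To make the staging step in the summary concrete, here is an added example that is not code from the DomainTools report or from Ars. It models the technique with an inert payload: a constructed byte string stands in for a binary, it is hex-encoded, split into TXT-sized chunks under numbered subdomains of a placeholder name (example.invalid, an assumption, not the domain named in the report), and then reassembled by walking the chain. The "zone" is an in-memory dict and nothing is resolved over the network. The point to notice is that each record on its own is a short run of hex digits that carries nothing a content signature could key on.

```python
import binascii
from typing import Callable, Dict, List, Optional

# RFC 1035: each <character-string> inside a TXT RDATA is at most 255 octets.
TXT_STRING_MAX = 255


def stage_payload(payload: bytes, domain: str, chunk_size: int = TXT_STRING_MAX) -> Dict[str, str]:
    """Hex-encode `payload` and split it across TXT records at 0.<domain>, 1.<domain>, ...

    Returns a dict modelling the zone: {owner name -> TXT string}.  Each value is a
    plain run of hex digits that, in isolation, looks like a checksum or token.
    """
    if not 1 <= chunk_size <= TXT_STRING_MAX:
        raise ValueError("chunk_size must fit in one TXT character-string")
    hexdata = binascii.hexlify(payload).decode("ascii")
    zone: Dict[str, str] = {}
    for offset in range(0, len(hexdata), chunk_size):
        zone[f"{offset // chunk_size}.{domain}"] = hexdata[offset:offset + chunk_size]
    return zone


def reassemble(domain: str, resolve_txt: Callable[[str], Optional[str]]) -> bytes:
    """Client side: look up 0.<domain>, 1.<domain>, ... until a name has no TXT answer,
    concatenate the strings and hex-decode them back into the original bytes.

    `resolve_txt` is injected so the demo runs against the in-memory zone; a real
    loader would put a DNS library call here.
    """
    parts: List[str] = []
    index = 0
    while (txt := resolve_txt(f"{index}.{domain}")) is not None:
        parts.append(txt)
        index += 1
    try:
        return binascii.unhexlify("".join(parts))
    except binascii.Error as exc:
        # A missing or truncated chunk leaves an odd length or non-hex input.
        raise ValueError(f"TXT chain under {domain} does not decode to bytes") from exc


# Assumptions for the demo: a placeholder domain and a constructed, harmless
# stand-in for a binary (768 bytes: every byte value, three times over).
DEMO_DOMAIN = "example.invalid"
DEMO_PAYLOAD = bytes(range(256)) * 3


def demo(chunk_size: int = 200) -> Dict[str, object]:
    """Stage the demo payload, pull it back, and report what a defender would see."""
    zone = stage_payload(DEMO_PAYLOAD, DEMO_DOMAIN, chunk_size)
    recovered = reassemble(DEMO_DOMAIN, zone.get)
    return {
        "records": len(zone),
        "max_txt_len": max(len(v) for v in zone.values()),
        "roundtrip_ok": recovered == DEMO_PAYLOAD,
    }


if __name__ == "__main__":
    print(demo())
```

The 768-byte stand-in becomes 1536 hex characters and, at 200 characters per record, eight TXT records. Nothing about any single record is suspicious; what is suspicious is the pattern of a client walking 0., 1., 2., ... under one domain and pulling back nothing but hex, which is where detection has to look.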
2004 called (Score:4, Funny)
Excuse me 2004 is on the line, and is wondering when 2025 plans to return its favorite side channel communications mechanism.
Re: (Score:2)
Excuse me 2004 is on the line, and is wondering when 2025 plans to return its favorite side channel communications mechanism.
The type they're talking about (hiding malware in hexadecimal format within DNS records) is relatively new (I see some reference to it in 2017). The method that's been around forever is hijacking your DNS records to redirect traffic from known "safe" sites to their malware-based copy.
Re: (Score:2)
I think he is referring to VPN-like and/or other types of channels which implement communication over DNS, and yes, it's been around for quite a while.
Re: 2004 called (Score:1)
it's totally harmless unless your machine is already compromised and has malware assembling dns request TXT records into executables.
but that's not how the chicken littles of the security craze fad will squawk about it.
Re: (Score:2)
it's totally harmless unless your machine is already compromised and has malware assembling dns request TXT records into executables.
but that's not how the chicken littles of the security craze fad will squawk about it.
Very true. I was just noting the difference between the "older" DNS exploits and the "newer" ones. Both do require an internal compromise of your systems to be harmful, their methods are just different.
Re: (Score:2)
Using vpn over dns or communicate over dns doesn't need anything to be compromised. See link below:
https://github.com/AlexandreFe... [github.com]
One would typically use it in a corporate environment to connect somewhere he can't otherwise at the risk of getting in trouble if he is discovered.
Re: (Score:2)
Using vpn over dns or communicate over dns doesn't need anything to be compromised. See link below: https://github.com/AlexandreFe... [github.com]
One would typically use it in a corporate environment to connect somewhere he can't otherwise at the risk of getting in trouble if he is discovered.
Heh, where I work, allowing someone to use a non-business-related VPN is compromising the environment. I suppose I'd also consider my ISP getting their infrastructure compromised as counting as well (if we actually used their DNS...).
Re: (Score:2)
My point was that you seem to be confusing DNS exploits with using DNS to communicate and exchange information, typically with TXT records as it is done for all kind of purposes.
Re: (Score:2)
Yes i was thinking of VPN over DNS and things of that nature.
I agree this is 'different', but the concept of using DNS infrastructure as a C&C channel or payload distribution mechanism is old. Threat actors have been abusing DNS for a long time now; DNS should not be a 'Blind Spot' in the world of monitoring and detection.
chunked hex (Score:2)
Because protection mechanisms for HTTPS are on the lookout for code broken into chunks and sent in hexadecimal while the DNS protections are not. Sure. Pull the other one.
Re: chunked hex (Score:1)
this TXT record thing is harmless unless your machine is already compromised. TXT records don't get assembled into binaries and executed unless you've already completely and utterly lost the security battle
Don't allow arbitrary execution (Score:5, Insightful)
There are hundreds of ways to get code onto a computer. The trick is to not allow it to execute.
Re: (Score:3)
Nor the sharpest bulbs?
Re: (Score:1)
Try dropping a few rigged USB sticks in the parking lot at work, see what happens.
I am a bird (Score:1)
I am a bird and am free to sing beautiful birdsongs.
Re: (Score:2)
I am a crow and my ancestors have sung to me about the asshole farmers here that will try to spray u with BB's and eat u or wrap u in plastic.
Do people really eat crow? I thought it was just a figure of speech...
Re: (Score:2)
I looked it up, and Internet says "Historically, parts of East Asia, including China and South Korea"; "Some specific communities in Pacific Island cultures"; "Some Native American tribes." https://birdsnews.com/is-crow-... [birdsnews.com]
I suppose it's an interesting concept (Score:4, Informative)
However, as the article points out - the attacker has to already have gotten operational software onto your system for this to be useful to them. If they're pulling pieces that aren't, in themselves, harmful... antivirus isn't going to flag the traffic regardless. Which is an approach we've known about for some time.
Re: (Score:2)
I don't know about yours, but my DNS filters pretty much just look at A records.
Re: (Score:2)
It's relying on LLMs being able to search the internet for things. It goes something like this:
LLM searches for something, ends up on a site.
Site has multiple links embedded in it with said DNS payloads.
DNS lookup occurs.
LLM 'reads' said payload.
Why is this a blind spot? (Score:4, Informative)
Re: (Score:2)
The real malware is the code that is performing the DNS queries and assembling the results into other malware.
So: host, nslookup, dig, dnsip, and related tools are malware now? Including libresolv, and equivalents in Rust and Go? Also the Python standard modules, of course?
Re: (Score:2)
The script that combines these to retrieve and execute malware is.
Re: (Score:2)
Yeah, but until someone notices, identifies it, and adds a signature for it, there's no indication that what it's doing is worse than legitimate tools =/
Re: (Score:2)
That's what I'm wondering.
How is this any different from using FTP to download malware, and then execute it?
Nothing in a DNS client is going to execute what is stored in a TXT record by itself. Nothing in any DNS client is going to unzip / un-base64 it, mark it executable, and run it without someone being there to do that, or some script being written to do it that is being executed with the requisite permissions, so this is no different than any other file transfer medium other than being obfuscated in a
Meh (Score:2)
It's not like your computer is assembling TXT records into binaries on its own. The malware is already on the device, the TXT records are only additional data.
Re: (Score:2)
Windows 11 discovered to be doing this by default as a "feature" in 3, 2, 1...
Re: (Score:1)
Hex is just hex until you chmod it -x.
I've got the DeCSS T-shirt, but it can't execute the code printed on it. At least, I don't think so, I've never thought of waving it in the general direction of a DVD to find out...
Re: (Score:2)
It's very critical additional data, though. The idea is the basic malware doesn't have anything truly alarming in it, so it's easier to obfuscate it to slip by the filters. Once it's running, it can download the really dangerous stuff via TXT records, which won't be checked for alarming/dangerous content, and set that up behind the filters without triggering them. It does all that in memory, without giving any indication of touching files, and then once the code's gotten root access it can persist things to
Abuse of TXT records (Score:2)
This is compounded by the (ab)use of TXT records to store arbitrary records without needing to extend the set of DNS record types. Having explicit types of DNS records improves syntax filtering, making it difficult to impossible to abuse those records this way. Limiting TXT records to only their original purpose (instead of putting SPF, DMARC, DKIM and other types inside them) would allow heavy-handed filtering of attempts to pass arbitrary data in large quantities through TXT records without impacting any
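The filtering asked for above, and the "DNS should not be a blind spot" point made earlier in the thread, can be approximated without new record types. Below is an added example, not code from any commenter or from DomainTools, that scores TXT answers from a constructed, offline log; the names example.org, example.invalid and other.invalid are placeholders, and the hex in the sample chain is a PE "MZ" header followed by the usual DOS stub text, chosen only so the sample looks like staged binary data. Well-known TXT formats (SPF, DKIM, DMARC) are exempted by their `v=` prefix, long pure-hex payloads are counted per registrable domain, and a sequential run of numeric leading labels (0., 1., 2., ...) marks a chunk chain. A per-domain threshold keeps an isolated hash-like verification token from alerting. Grouping by the last two labels is a simplification for the example; a deployment should use the Public Suffix List.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# A TXT answer that is nothing but hex digits, at least 64 of them (32 bytes).
HEX_BLOB = re.compile(r"^[0-9a-fA-F]{64,}$")

# Well-known legitimate TXT payloads; never flag these regardless of content.
LEGIT_TXT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1")

# Constructed sample log, one answer per line as "<qname> <qtype> <rdata>".
# Not a real capture.  example.org carries ordinary mail records; example.invalid
# carries a four-record hex chain; other.invalid has a single hex-looking token.
SAMPLE_LOG: List[str] = [
    "mail.example.org TXT v=spf1 include:_spf.example.org -all",
    "_dmarc.example.org TXT v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
    "selector1._domainkey.example.org TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC",
    "www.example.org A 203.0.113.10",
    "0.stage.example.invalid TXT 4d5a90000300000004000000ffff0000b8000000000000004000000000000000",
    "1.stage.example.invalid TXT " + "00" * 32,
    "2.stage.example.invalid TXT 0e1fba0e00b409cd21b8014ccd21"
    "546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e",
    "3.stage.example.invalid TXT 0d0d0a2400000000" + "00" * 28,
    "verify.other.invalid TXT 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
]


@dataclass
class DomainStats:
    hex_txt_answers: int = 0
    hex_bytes: int = 0
    numeric_leading_labels: Set[int] = field(default_factory=set)

    def looks_like_chunk_chain(self) -> bool:
        """Leading labels forming 0..n-1 are the tell of a chunked download."""
        n = len(self.numeric_leading_labels)
        return n >= 2 and self.numeric_leading_labels == set(range(n))


def registrable_domain(qname: str) -> str:
    # Simplification for the example: the last two labels.  Use the Public Suffix
    # List in a deployment so names under co.uk and the like group correctly.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def is_hex_blob_txt(rdata: str) -> bool:
    """True for a TXT payload that is a long run of hex and not a known record format."""
    if rdata.startswith(LEGIT_TXT_PREFIXES):
        return False
    return HEX_BLOB.match(rdata.replace(" ", "")) is not None


def analyse(log_lines: Iterable[str], min_answers: int = 3) -> Dict[str, DomainStats]:
    """Aggregate hex-blob TXT answers per registrable domain and return the domains
    at or above `min_answers`.  The threshold keeps single hash-like tokens quiet."""
    stats: Dict[str, DomainStats] = defaultdict(DomainStats)
    for line in log_lines:
        parts = line.strip().split(" ", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        qname, qtype, rdata = parts
        if qtype != "TXT" or not is_hex_blob_txt(rdata):
            continue
        st = stats[registrable_domain(qname)]
        st.hex_txt_answers += 1
        st.hex_bytes += len(rdata) // 2
        leading = qname.split(".")[0]
        if leading.isdigit():
            st.numeric_leading_labels.add(int(leading))
    return {d: s for d, s in stats.items() if s.hex_txt_answers >= min_answers}


if __name__ == "__main__":
    for domain, st in analyse(SAMPLE_LOG).items():
        print(f"{domain}: {st.hex_txt_answers} hex TXT answers, ~{st.hex_bytes} bytes, "
              f"chunk chain={st.looks_like_chunk_chain()}")
```

Run against the sample, only example.invalid is reported: four hex-only TXT answers totalling about 153 bytes, with leading labels 0 through 3. The SPF, DKIM and DMARC records never enter the count, and other.invalid, whose single 64-character token is exactly the kind of thing a site-verification record looks like, stays below the threshold unless `min_answers` is lowered to 1. Volume and label sequence, not the content of any one record, are what separate the two.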
This technique is +30 years old (Score:2)
I recall someone hacking the Dutch Greenpoint phones by sending all traffic over a DNS server in 1992.