Unit 42 details new uses of DNS tunneling beyond C2 and VPN, including scanning and tracking campaigns. The report covers TrkCdn, SpamTracker, and SecShow, outlining techniques, domains, IPs, and campaign lifecycles to help defenders detect and mitigate this threat. #TrkCdn #DarkHydrus #OilRig #xHunt #SUNBURST #DecoyDog #SpamTracker #SecShow
Keypoints
- DNS tunneling is used as a covert channel that can bypass conventional network firewalls, enabling C2 traffic and data exfiltration.
- Three campaigns are highlighted: TrkCdn (tracking emails via DNS subdomains), SpamTracker (spam/phishing with DNS-tunneled content), and SecShow (scanning open DNS resolvers).
- TrkCdn embeds MD5[email] values as DNS subdomains to track interaction with email content and logs DNS queries at attacker-controlled nameservers.
- SpamTracker uses phishing emails and links to drive victims to DNS-tunneled content hosted on attacker-controlled domains.
- SecShow demonstrates DNS tunneling used for network scanning and potential exposure of open resolvers and TTL data, with multiple use cases.
- Mitigation includes DNS-security monitoring and defensive steps like limiting resolver scope and updating resolver software to close N-day vulnerabilities.
MITRE Techniques
- [T1071.004] DNS – DNS-based C2 and data exfiltration via tunneling. “Malicious actors occasionally employ DNS tunneling as a covert communications channel, because it can bypass conventional network firewalls. This allows C2 traffic and data exfiltration that can remain hidden from some traditional detection methods.”
- [T1132] Data Encoding – Encoding victim data in DNS subdomains (e.g., MD5 of email addresses). “MD5 hash values represent email addresses in the DNS traffic. These MD5 values are subdomains for the DNS queries of a tunneling payload.”
- [T1566.002] Phishing: Spearphishing Link – Use of emails and links to deliver phishing content. “This campaign uses emails and website links to deliver spam and phishing content that covers the following subjects:”
- [T1046] Network Service Scanning – SecShow campaign scans for open resolvers and tests resolver delays; discovery of resolver vulnerabilities. “Threat actors leverage tunneling to periodically scan a victim’s network infrastructure, and then they typically perform reflection attacks.”
- [T1499] Denial of Service – Case 3 describes DNS amplification and related denial-of-service activities. “The payload starts with a counter padding… These are useful for some DNS threats such as DNS amplification distributed denial-of-service (DDoS) attacks.”
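The tracking technique summarised above (MD5 hashes of mailboxes used as subdomains, with the attacker's nameserver logging each lookup) leaves a recognisable trace in a resolver's query log. The following Python is an added detection example, not code from Unit 42 or from the report: it scans a constructed resolver log for 32-hex MD5-like labels and for long high-entropy labels (the counter-padded payloads described under T1499), counts distinct subdomains per registered domain to surface bulk tunneling, and hashes a hypothetical list of known mailboxes so that observed MD5 labels can be mapped back to the recipients being tracked. The log lines, the `.test` domains, the mailbox list and the thresholds are all constructed assumptions.

```python
import hashlib
import math
import re
from collections import defaultdict

# Hypothetical mailboxes the defender is responsible for (constructed for this example).
KNOWN_MAILBOXES = ["alice@example-intranet.test", "bob@example-intranet.test"]


def md5_hex(s):
    """MD5 of a lowercased string as hex: the encoding the report attributes to TrkCdn."""
    return hashlib.md5(s.lower().encode()).hexdigest()


# Constructed resolver log, one "<client> <queried name>" pair per line. Not from the report.
SAMPLE_LOG = f"""\
10.0.0.5 www.example-intranet.test
10.0.0.7 {md5_hex('alice@example-intranet.test')}.cdn.tracker-example.test
10.0.0.8 7d793037a0760186574b0282f2f435e7.cdn.tracker-example.test
10.0.0.9 e4d909c290d0fb1ca068ffaddf22cbd0.cdn.tracker-example.test
10.0.0.7 mail.example-intranet.test
10.0.0.11 0000000aGVsbG8gd29ybGQgdGhpcyBpcyBk.tun.tunnel-example.test
"""

MD5_LABEL = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain labels, registered domain) using a naive last-two-labels rule.
    Assumption: no public suffix list is available offline, so 'co.uk'-style suffixes
    would be mis-split; a production tool should consult a PSL instead."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def analyze(log_text, min_unique_subdomains=3, long_label=30, entropy_threshold=3.5):
    """Flag individual queries and return (findings, domains receiving bulk unique subdomains)."""
    per_domain_subs = defaultdict(set)
    findings = []  # (client, qname, reason)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        sub_labels, domain = split_name(qname)
        per_domain_subs[domain].add(".".join(sub_labels))
        for label in sub_labels:
            # TrkCdn-style: an MD5 digest used verbatim as a label.
            if MD5_LABEL.match(label):
                findings.append((client, qname, "md5-like label"))
                break
            # Generic tunneling payload: long label with near-random character distribution.
            if len(label) >= long_label and shannon_entropy(label) > entropy_threshold:
                findings.append((client, qname, "long high-entropy label"))
                break
    bulk_domains = {d for d, subs in per_domain_subs.items()
                    if len(subs) >= min_unique_subdomains}
    return findings, bulk_domains


def match_mailboxes(findings, mailboxes):
    """Map MD5-like labels back to known mailboxes to learn which recipients were tracked."""
    table = {md5_hex(m): m for m in mailboxes}
    hits = set()
    for _client, qname, reason in findings:
        if reason != "md5-like label":
            continue
        for label in qname.split("."):
            if label.lower() in table:
                hits.add(table[label.lower()])
    return hits


if __name__ == "__main__":
    found, bulk = analyze(SAMPLE_LOG)
    for client, qname, reason in found:
        print(f"{client} -> {qname}: {reason}")
    print("bulk-subdomain domains:", sorted(bulk))
    print("tracked mailboxes:", sorted(match_mailboxes(found, KNOWN_MAILBOXES)))
```

The per-domain unique-subdomain count is the signal that distinguishes tracking or tunneling from an ordinary CDN: a legitimate zone answers for a small, stable set of names, whereas a zone used as a logging endpoint receives a new label for every recipient or every payload chunk. Feed the script real resolver logs in the same two-column shape and tune `min_unique_subdomains` to the query volume of the environment.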
Indicators of Compromise
- [Domain] DNS tunneling domains – simitor[.]com, vibnere[.]com, and 2 more domains
- [IPv4] DNS tunneling activity IPs – 193.9.114[.]43, 35.75.233[.]210, and 2 more IPs
Read more: https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/