Key points
- Four distinct DNS tunneling campaigns were detected and named: FinHealthXDS, RussianSite, 8NS, and NSfinder.
- DNS tunneling encodes non-DNS traffic into DNS queries/responses for C2 and data exfiltration, often using custom prefixes and record types.
- A campaign monitoring system correlates domains by attributes (authoritative nameserver, DNS configuration, payload encoding, registration patterns, targets) using machine learning to surface new campaigns.
- FinHealthXDS uses customized Cobalt Strike DNS beacon formats with prefixes like xds/pro/snd/txt/del and aDNS IP 40.112.72[.]205; queries can use A or TXT records for commands/data.
- RussianSite clusters ~100 domains around a single aDNS IP 185.161.248[.]253 and .site TLDs with compact payload+padding subdomain formats.
- 8NS uses exactly eight NS records (ns1-ns8) all resolving to the same aDNS IP 35.205.61[.]67; associated Hiloti malware uses generated host-based labels and registry-derived fields for DGA-style domains.
MITRE Techniques
- [T1041] Exfiltration Over Command and Control Channel: DNS tunneling is used to exfiltrate data via DNS queries ("Attackers use DNS tunneling to exfiltrate data through DNS queries.")
- [T1071] Command and Control: DNS tunneling establishes C2 communications between infected hosts and attacker-controlled aDNS servers ("DNS tunneling is utilized for establishing command and control communications.")
- [T1045] Data Encrypted: Payloads are encoded/obfuscated within DNS packets to evade detection ("Data is encoded and transmitted within DNS packets to evade detection.")
- [T1483] Domain Generation Algorithms: Malware generates dynamic domain names and structured subdomains for C2/client online messages ("Malware generates domains dynamically for C2 communication.")
Indicators of Compromise
- [Domains] example campaign domains: foxxbank[.]com, pretorya[.]site, and 19 more domains (see the article's lists for the full set)
- [IP Addresses] authoritative DNS / resolver IPs: 185.161.248[.]253 (RussianSite aDNS), 35.205.61[.]67 (8NS aDNS), and several other IPs used across campaigns
- [File hashes] malware samples: 0b99db286f3708fedf7e2bb8f24df1af13811fe46b017b6c3e7e002852479430 (Hiloti), dfb3e5f557a17c8cdebdb5b371cf38c5a7ab491b2aeaad6b4e76459a05b44f28 (IcedID), and 2 more hashes
- [Nameserver patterns] NS/subdomain patterns: ns[1-8].<rootdom> (8NS pattern) and ns500* tokens in subdomains (NSfinder), e.g., ns1.lantzel[.]com, ns500505.yummyflingsfinder[.]com
The technical detection approach centers on correlating DNS tunneling detections by extracting and modeling domain attributes rather than treating domains in isolation. The monitoring system ingests daily tunneling detections and computes similarity across features such as authoritative nameserver ownership and IPs, DNS configuration templates (NS/A/TXT records and TTLs), lexical patterns in subdomains (prefixes, counters, padding), WHOIS registration timing/TLD usage, and observed target sectors. Machine learning groups domains with shared attribute vectors, enabling automated discovery of campaign clusters and rapid linking of new domains to existing campaigns.
Each discovered campaign exhibits distinct, actionable patterns. FinHealthXDS uses a customized Cobalt Strike DNS beaconing profile: short function prefixes (xds for command requests; pro for A-record data transfers; snd for TXT-based infiltration; txt/del for short/long exfiltration messages), with example queries like xds.5af195b6.gear.<rootdom> resolving to 40.112.72[.]205 and A/TXT responses indicating command modes (e.g., XOR of last byte to derive command). RussianSite is characterized by >100 .site domains that share a single aDNS IP 185.161.248[.]253 and a consistent subdomain format (5-char payload + 1-2 char padding). 8NS domains publish eight NS records (ns1-ns8) that all map to the same aDNS IP 35.205.61[.]67 and often set the root A record to that IP, a telltale sign of self-hosted authoritative servers; associated Hiloti samples generate elaborate DGA-like labels from host-specific fields (volume serial, registry-derived values, process/mutex indicators) and then perform DNS-based C2 and drop/inject routines. NSfinder domains use repeated ns500 tokens in long subdomain chains, short TTLs (60s), overlapping sets of aDNS/resolved IPs (e.g., 206.188.197[.]111, 185.81.114[.]183), and tie to commodity payloads like IcedID and RedLine in telemetry, making token patterns and nameserver IP overlap useful detection signals.
Defenders can operationalize these findings by flagging domains that match the attribute fingerprints (a single aDNS IP shared across many domains, identical DNS configuration templates, repeated lexical prefixes/counters, ns500 token patterns, or 8-NS structures), correlating passive DNS and WHOIS registration timing, and blocking or sandboxing suspicious TXT/A replies that carry encoded payloads. Instrumenting DNS telemetry, clustering on attribute vectors, and maintaining IOC lists (domains, aDNS IPs, sample hashes) enables early detection of emergent tunneling campaigns and automated protection actions.
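The attribute-fingerprint correlation described in the two paragraphs above, written out as an added Python example; this is not Unit 42's code or the article's monitoring system. It builds a per-domain attribute vector (single aDNS IP, ns1-ns8 structure, root A record equal to the aDNS IP, TTL, TLD, and lexical tokens such as the xds/pro/snd/txt/del prefixes, the ns500 token and the 5-char-payload-plus-padding label) from constructed passive-DNS style records, then groups domains that share an aDNS IP and reports why each domain matches a campaign pattern. All domain names and query names in RECORDS are constructed and hypothetical; only the aDNS IPs, prefixes and token patterns are taken from the article. Grouping by shared aDNS IP stands in for the article's machine-learning clustering over the full attribute vector.

```python
"""Attribute-fingerprint correlation of DNS tunneling detections.

Added example (not Unit 42 code). The records below are constructed; the aDNS
IPs, prefixes and token patterns are the ones the article describes.
"""
import re
from collections import defaultdict

CS_PREFIXES = {"xds", "pro", "snd", "txt", "del"}   # FinHealthXDS beacon prefixes
NS500_TOKEN = re.compile(r"^ns500\d*$")              # NSfinder token, e.g. ns500505
EIGHT_NS = {f"ns{i}" for i in range(1, 9)}           # 8NS structure: ns1..ns8


def _rec(domain, ns_count, ip, root_a, ttl, queries):
    """Build a constructed passive-DNS style record with self-hosted NS names."""
    return {"domain": domain,
            "ns": [f"ns{i}.{domain}" for i in range(1, ns_count + 1)],
            "ns_ips": [ip] * ns_count, "root_a": root_a, "ttl": ttl,
            "queries": queries}


# Constructed sample input (hypothetical domains; IPs as named in the article).
RECORDS = [
    _rec("alpha-ex.com", 8, "35.205.61.67", "35.205.61.67", 3600, ["k3j9q.alpha-ex.com"]),
    _rec("beta-ex.com", 8, "35.205.61.67", "35.205.61.67", 3600, ["a9f3c1e2.beta-ex.com"]),
    _rec("one-ex.site", 2, "185.161.248.253", None, 60,
         ["ab7k2x.one-ex.site", "q9m4tzy.one-ex.site"]),
    _rec("two-ex.site", 2, "185.161.248.253", None, 60, ["zp0q1b.two-ex.site"]),
    _rec("fin-ex.com", 1, "40.112.72.205", None, 60,
         ["xds.5af195b6.gear.fin-ex.com", "pro.00a1.5af195b6.gear.fin-ex.com"]),
    _rec("finder-ex.com", 2, "206.188.197.111", None, 60,
         ["ns500505.x1.ns500506.finder-ex.com"]),
    # Ordinary domain on a third-party DNS provider: no single self-hosted aDNS IP.
    {"domain": "benign-ex.org", "ns": ["ns1.provider-ex.net", "ns2.provider-ex.net"],
     "ns_ips": ["198.51.100.10", "198.51.100.11"], "root_a": "203.0.113.5",
     "ttl": 3600, "queries": ["www.benign-ex.org"]},
]


def subdomain_labels(qname, root):
    """Labels left of the root domain, e.g. ['xds', '5af195b6', 'gear']."""
    if not qname.endswith("." + root):
        return []
    return qname[: -len(root) - 1].split(".")


def lexical_patterns(rec):
    """Lexical fingerprint tokens seen in the domain's observed query names."""
    found = set()
    for qname in rec["queries"]:
        labels = subdomain_labels(qname, rec["domain"])
        if not labels:
            continue
        if labels[0] in CS_PREFIXES:                      # FinHealthXDS function prefix
            found.add("cs-prefix:" + labels[0])
        if any(NS500_TOKEN.match(lab) for lab in labels):  # NSfinder token chain
            found.add("ns500-token")
        # RussianSite style: a single label of 5-char payload plus 1-2 chars padding.
        if len(labels) == 1 and 6 <= len(labels[0]) <= 7 and labels[0].isalnum():
            found.add("payload5+pad")
    return found


def fingerprint(rec):
    """Attribute vector used to correlate one detection with others."""
    root = rec["domain"]
    ns_hosts = {h[: -len(root) - 1] for h in rec["ns"] if h.endswith("." + root)}
    ip_set = set(rec["ns_ips"])
    adns_ip = next(iter(ip_set)) if len(ip_set) == 1 else None
    return {
        "adns_ip": adns_ip,
        "eight_ns": ns_hosts == EIGHT_NS and adns_ip is not None,
        "root_a_is_adns": rec["root_a"] is not None and rec["root_a"] == adns_ip,
        "short_ttl": rec["ttl"] <= 60,
        "tld": root.rsplit(".", 1)[-1],
        "lexical": lexical_patterns(rec),
    }


def cluster_by_adns(records):
    """Group domains that share a single authoritative nameserver IP."""
    groups = defaultdict(list)
    for rec in records:
        fp = fingerprint(rec)
        if fp["adns_ip"]:
            groups[fp["adns_ip"]].append(rec["domain"])
    return {ip: sorted(doms) for ip, doms in groups.items()}


def triage(records):
    """Map each matching domain to the fingerprint reasons that tie it to a pattern."""
    shared = cluster_by_adns(records)
    report = {}
    for rec in records:
        fp = fingerprint(rec)
        reasons = []
        peers = shared.get(fp["adns_ip"], [])
        if len(peers) >= 2:
            reasons.append(f"aDNS {fp['adns_ip']} shared by {len(peers)} domains")
        if fp["eight_ns"]:
            reasons.append("eight NS records on one aDNS IP")
        if fp["root_a_is_adns"]:
            reasons.append("root A record points at the aDNS IP")
        reasons.extend(sorted(fp["lexical"]))
        if reasons:
            report[rec["domain"]] = reasons
    return report


if __name__ == "__main__":
    for domain, reasons in triage(RECORDS).items():
        print(domain, "->", "; ".join(reasons))
```

The benign record is deliberately hosted on a third-party provider with two distinct NS IPs, so it yields no aDNS IP and no lexical hit and is absent from the report; the short-TTL and TLD fields are carried in the vector but are not treated as reasons on their own, since many legitimate zones use 60-second TTLs.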
Read more: https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/