Cybersecurity researchers have uncovered a tactic in which attackers conceal malware inside domain name system (DNS) records, a method that poses significant challenges for traditional defense mechanisms. Rather than abusing the ordinary mapping of domain names to IP addresses, the technique stores payload data in record types that carry free-form text, so malicious scripts can fetch it with queries that look like routine name resolution.
Recent findings from DomainTools indicate that attackers are using DNS records to host malicious binaries, including a variant of nuisance malware known as Joke Screenmate, software designed to interfere with normal computer operations. By converting a binary file into hexadecimal text, the attackers fragment it into many short segments and publish each segment as a TXT record on its own subdomain, as observed under whitetreecollective[.]com. TXT records are normally used for legitimate purposes such as proving domain ownership to services like Google Workspace, which is why their presence attracts little suspicion.
Once an attacker has a foothold inside a protected network, malware or a script can issue seemingly benign DNS queries for each subdomain in turn, concatenate the returned TXT values, and decode the hex back into the original binary. The covert nature of this method complicates detection: unlike email and web traffic, which are often subjected to rigorous monitoring, DNS traffic frequently escapes scrutiny. As encrypted forms of DNS, such as DNS over HTTPS (DoH) and DNS over TLS (DoT), become more widespread, distinguishing legitimate from malicious DNS requests will likely become even more challenging.
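The staging and retrieval flow described above, as an added example that is not code from DomainTools or the article: the payload is hex-encoded, sliced into TXT-sized chunks under numbered subdomains of a hypothetical zone, and pulled back through a resolver stub that records every query it serves. The subdomain naming scheme, the meta record, and the zone name are assumptions; nothing touches the network.

```python
"""Added example, not code from DomainTools or the article: hex-encode a payload,
split it into TXT-record-sized chunks across numbered subdomains of a
hypothetical zone, then retrieve and reassemble it through a resolver stub.
Everything runs offline; an in-memory dict stands in for authoritative DNS, and
the subdomain naming scheme (<index>.<zone>, plus a meta record) is assumed."""
import hashlib
from typing import Dict, List, Optional

# One TXT character-string holds at most 255 bytes (RFC 1035), so the hex text
# is cut into 255-character slices, each stored under its own subdomain.
CHUNK_LEN = 255


def fragment_payload(payload: bytes, zone: str, chunk_len: int = CHUNK_LEN) -> Dict[str, str]:
    """Map each hex chunk to the FQDN it would be published under."""
    hexdata = payload.hex()
    chunks = [hexdata[i:i + chunk_len] for i in range(0, len(hexdata), chunk_len)]
    records = {f"{idx}.{zone}": chunk for idx, chunk in enumerate(chunks)}
    # Assumed design detail: a meta record carrying the chunk count and a digest,
    # so the retriever knows when it is done and can detect a truncated fetch.
    records[f"meta.{zone}"] = f"{len(chunks)}:{hashlib.sha256(payload).hexdigest()}"
    return records


class StubResolver:
    """Stand-in for TXT lookups that also records every query, which is what a
    logging resolver on the victim network would see."""

    def __init__(self, zone_records: Dict[str, str]) -> None:
        self._records = zone_records
        self.query_log: List[str] = []

    def txt(self, fqdn: str) -> Optional[str]:
        self.query_log.append(fqdn)
        return self._records.get(fqdn)


def retrieve_payload(resolver: StubResolver, zone: str) -> bytes:
    """Walk the numbered subdomains in order, concatenate, hex-decode, verify."""
    meta = resolver.txt(f"meta.{zone}")
    if meta is None:
        raise LookupError(f"no meta record at meta.{zone}")
    count_str, digest = meta.split(":", 1)
    parts: List[str] = []
    for idx in range(int(count_str)):
        chunk = resolver.txt(f"{idx}.{zone}")
        if chunk is None:
            raise LookupError(f"chunk {idx} missing; payload incomplete")
        parts.append(chunk)
    payload = bytes.fromhex("".join(parts))
    if hashlib.sha256(payload).hexdigest() != digest:
        raise ValueError("reassembled payload does not match published digest")
    return payload


if __name__ == "__main__":
    # Constructed sample payload (harmless text), not a real binary.
    sample = b"CONSTRUCTED SAMPLE PAYLOAD, stands in for a hex-encoded binary\n" * 12
    zone = "stage.example.test"  # hypothetical zone, not the domain in the report
    published = fragment_payload(sample, zone)
    resolver = StubResolver(published)
    recovered = retrieve_payload(resolver, zone)
    print(f"{len(published) - 1} chunk records + 1 meta record published under {zone}")
    print(f"retriever issued {len(resolver.query_log)} TXT queries, "
          f"payload intact: {recovered == sample}")
    print("first queries seen by the resolver:", resolver.query_log[:3])
```

The point for defenders is visible in `resolver.query_log`: a single client asking for TXT records of a run of sibling subdomains, each answer a long hex string, is the footprint this technique leaves at any resolver that logs both queries and answers.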
According to Ian Campbell, a senior security operations engineer at DomainTools, even well-resourced organizations struggle to differentiate between legitimate DNS traffic and anomalous requests when employing internal DNS resolvers. The encryption of DNS queries further obscures visibility, raising the risk of undetected malware retrieval through this channel.
Research indicates that this is not a novel approach. Attackers have previously used DNS records to host malicious PowerShell scripts. However, the specific technique of encoding malicious data as hexadecimal has garnered attention because it is rarely discussed in cybersecurity circles. DomainTools also uncovered DNS records containing text crafted as prompt-injection attacks against AI chatbots. Such injections manipulate a chatbot by inserting instructions into content it processes, underscoring the versatility of DNS records as a medium for cyber threats.
The malicious prompts found in these records range from seemingly harmless requests to more drastic commands, including instructions to delete data or to refuse future directives. The implications are significant, because large language models generally cannot separate their operator's instructions from instructions embedded in untrusted content they are asked to process, such as the contents of a DNS record.
As this evolving landscape of cyber threats demonstrates, DNS, a fundamental component of internet infrastructure, can be both a potent tool for attackers and a significant blind spot in cybersecurity strategies. Organizations should be aware of these risks and strengthen their DNS monitoring accordingly: log queries and answers at internal resolvers, watch for TXT lookups that return long hex-only strings, flag bursts of lookups across many sibling subdomains of a single parent domain, and identify clients that bypass the corporate resolver over DoH or DoT.
In terms of adversary tradecraft, the findings describe a covert channel for hosting and retrieving payloads (defense evasion and tool transfer) rather than an initial-access vector: the retrieval happens after the attacker already has code running inside the network, and nothing in the findings indicates privilege escalation during retrieval. The ongoing evolution of such tactics underscores the need for organizations to adopt a proactive stance on cybersecurity, reinforcing defenses against increasingly sophisticated threats.
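One way to turn the monitoring advice above into a concrete check, as an added example that is not DomainTools' or the article's own detection logic: a resolver-log heuristic that flags a client fetching long, hex-only, high-entropy TXT answers from several sibling subdomains of one parent domain. The log line format, the thresholds, and the sample lines are all assumptions; adapt `parse_line()` to what your resolver actually emits.

```python
"""Added example, not from DomainTools or the article: a resolver-log heuristic
for the hex-chunk TXT staging pattern. The log format is an assumption
(timestamp client qtype qname "answer"); the sample lines are constructed."""
import hashlib
import math
import re
from collections import defaultdict
from typing import Dict, List, Optional

LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"(.*)"$')
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def _fake_chunk(i: int) -> str:
    """Constructed filler: 128 hex chars derived from a hash, standing in for a
    slice of a hex-encoded binary. Not real malware content."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest() * 2


# Constructed sample log: routine SPF/DMARC/verification lookups from one host,
# then a burst of TXT queries from another host to numbered sibling subdomains.
SAMPLE_LOG = [
    '2025-07-15T09:00:01Z 10.0.0.21 TXT example.org "v=spf1 include:_spf.example.org ~all"',
    '2025-07-15T09:00:02Z 10.0.0.21 TXT _dmarc.example.org "v=DMARC1; p=reject"',
    '2025-07-15T09:00:03Z 10.0.0.21 TXT example.org "google-site-verification=Zx4K9qQ_tokenplaceholder"',
    '2025-07-15T09:00:04Z 10.0.0.44 A www.example.org "192.0.2.10"',
] + [
    f'2025-07-15T09:01:{i:02d}Z 10.0.0.44 TXT {i}.stage.example.test "{_fake_chunk(i)}"'
    for i in range(6)
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one assumed-format log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, qtype, qname, answer = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.lower().rstrip("."), "answer": answer}


def shannon_entropy(s: str) -> float:
    """Bits per character; pure hex tops out at 4.0, repeated padding near 0."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_hex_chunk(answer: str, min_len: int = 64) -> bool:
    """Long, hex-only and high-entropy, unlike SPF, DMARC or verification strings."""
    return (len(answer) >= min_len
            and HEX_RE.match(answer) is not None
            and shannon_entropy(answer) > 3.0)


def parent_domain(qname: str) -> str:
    """Drop the leftmost label so sibling subdomains group together."""
    return qname.split(".", 1)[1] if "." in qname else qname


def detect_txt_staging(lines: List[str], min_siblings: int = 4) -> List[Dict[str, object]]:
    """Flag (client, parent domain) pairs that received hex-looking TXT answers
    from at least min_siblings distinct sibling subdomains."""
    siblings: Dict[tuple, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        if looks_like_hex_chunk(rec["answer"]):
            siblings[(rec["client"], parent_domain(rec["qname"]))].add(rec["qname"])
    alerts = []
    for (client, parent), names in sorted(siblings.items()):
        if len(names) >= min_siblings:
            alerts.append({"client": client, "parent": parent,
                           "chunks": len(names), "qnames": sorted(names)})
    return alerts


if __name__ == "__main__":
    for alert in detect_txt_staging(SAMPLE_LOG):
        print(f"{alert['client']} pulled {alert['chunks']} hex TXT chunks from "
              f"siblings of {alert['parent']}: {alert['qnames'][:3]} ...")
```

Two caveats follow from the article itself: this only works where the resolver logs answers as well as queries, and a client that resolves over DoH or DoT straight to an external provider never appears in these logs at all, so the complementary control is to block or intercept encrypted DNS that does not go through the corporate resolver.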