
Hackers Hide Malware in DNS Records to Evade Detection

Summary

– Hackers are hiding malware in DNS records, which are often overlooked by security tools, making detection difficult.
– Malicious scripts use DNS records to fetch binary files without downloading from suspicious sites or email attachments, bypassing antivirus checks.
– Researchers found a Joke Screenmate malware binary converted to hexadecimal and split into chunks stored in DNS TXT records of subdomains.
– Attackers can retrieve these chunks via DNS requests, reassemble them, and convert them back into executable malware.
– The use of encrypted DNS (DoH/DoT) increases the challenge of monitoring and preventing such malware retrieval.

Cybercriminals are exploiting DNS records to conceal malware, bypassing traditional security measures by hiding malicious code in plain sight. This stealthy technique leverages the domain name system, a foundational internet protocol, to distribute harmful payloads while evading detection.

Security experts have observed attackers converting malware binaries into hexadecimal format, breaking them into fragments, and embedding these pieces across multiple DNS subdomains. The TXT record field, typically used for verification purposes, becomes an unexpected vehicle for smuggling malicious scripts. Unlike email attachments or direct downloads from suspicious websites, DNS traffic often flies under the radar of conventional security tools, making this method particularly effective.

A recent case uncovered by researchers involved the Joke Screenmate malware, which was distributed via the domain whitetreecollective[.]com. The attackers split the malware into hundreds of hexadecimal chunks, storing each segment in separate TXT records. When executed, a script reassembled these fragments into a functional binary, allowing the malware to operate undetected.

What makes this approach especially concerning is its ability to blend in with legitimate DNS activity. As encrypted DNS protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) become more widespread, monitoring such covert exchanges will grow increasingly difficult. Security teams must adapt by scrutinizing DNS traffic more closely, as threat actors continue to exploit overlooked vulnerabilities in fundamental internet infrastructure.

The shift toward DNS-based malware distribution highlights the need for advanced threat detection strategies. Organizations should consider deploying behavioral analytics and anomaly detection tools to identify unusual DNS patterns before attackers can execute their payloads. Without proactive measures, this stealthy tactic could become a preferred method for evading security defenses.
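As an added illustration of the kind of DNS scrutiny the last two paragraphs call for (example code written for this page, not from Ars Technica or the researchers), the following script scans resolver log lines for the pattern described above: many subdomains of one domain answering TXT queries with nothing but hex digits. The log format, the domain names and the hex content are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not from the article): timestamp, client,
# query name, record type, answer data. The hex chunks are made-up bytes,
# not a real binary; only their shape matters to the detector.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 _dmarc.example.org TXT "v=DMARC1; p=reject"
2024-01-01T10:00:00Z 10.0.0.5 example.org TXT "v=spf1 include:_spf.example.org -all"
2024-01-01T10:00:01Z 10.0.0.7 0.chunks.bad-example.test TXT "5a6b7c8d9e0f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b"
2024-01-01T10:00:01Z 10.0.0.7 1.chunks.bad-example.test TXT "c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f607182930"
2024-01-01T10:00:02Z 10.0.0.7 2.chunks.bad-example.test TXT "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a6978"
2024-01-01T10:00:02Z 10.0.0.7 3.chunks.bad-example.test TXT "abcdef0123456789abcdef0123456789abcdef0123456789"
2024-01-01T10:00:03Z 10.0.0.9 _acme-challenge.example.org TXT "Kp7x-9vQ2mL4nR8sT1uW3yZ6aB0cD5eF"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')
HEX_RE = re.compile(r"[0-9a-fA-F]+")

def parse_line(line):
    """Return one log line as a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype, rdata = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype, "rdata": rdata}

def is_hex_blob(rdata, min_len=16):
    """True when the TXT data is only hex digits of even length, i.e. looks like encoded bytes."""
    return len(rdata) >= min_len and len(rdata) % 2 == 0 and HEX_RE.fullmatch(rdata) is not None

def parent_domain(qname):
    """Approximate the registrable domain as the last two labels (simplification, no suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_chunked_txt(lines, min_chunks=3):
    """Group hex-only TXT answers by parent domain; report domains with >= min_chunks subdomains."""
    chunks, hex_bytes = defaultdict(set), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT" or not is_hex_blob(rec["rdata"]):
            continue
        dom = parent_domain(rec["qname"])
        chunks[dom].add(rec["qname"])
        hex_bytes[dom] += len(rec["rdata"]) // 2
    return {d: (len(n), hex_bytes[d]) for d, n in chunks.items() if len(n) >= min_chunks}

if __name__ == "__main__":
    for dom, (n, nbytes) in find_chunked_txt(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {dom}: {n} hex-only TXT subdomains, ~{nbytes} bytes of encoded data")
```

Legitimate TXT records (SPF, DMARC, ACME challenges) contain non-hex characters and are skipped, so the alert fires only for the fragmented-payload shape; tune `min_chunks` and `min_len` against your own resolver baseline before deploying.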

(Source: Ars Technica)
