14 May 2024

Threat actors using DNS tunneling for scanning and tracking

Palo Alto Networks' Unit 42 research team has identified campaigns that use DNS tunneling for purposes other than the usual command-and-control (C2) channel or VPN-over-DNS. The campaigns, dubbed “TrkCdn” and “SecShow,” show how attackers adapt the technique to slip past network security controls that let DNS traffic through without inspection.

In the first campaign, “TrkCdn,” the attackers track how victims interact with the content of phishing emails. The email embeds content that is fetched from a subdomain the attacker controls; resolving that name produces a DNS query for a Fully Qualified Domain Name (FQDN) whose labels carry encoded data, and the attacker's authoritative nameserver sees and logs the query. The query itself is the covert channel: the DNS lookup alone tells the attacker that the name was resolved, whether or not any content is then fetched.

“Each domain only uses a single nameserver IP address, while one nameserver IP address can serve up to 123 domains. These domains use the same DNS configurations and the same encoding method for their subdomains,” the report notes. “The attacker registered all domains under [.]com or [.]info TLDs and set domain names by combining two or three root words, which is a practice attackers use to avoid domain generation algorithm (DGA) detection.”

For instance, an email address such as unit42@not-a-real-domain[.]com is encoded into a fixed-length hexadecimal label and queried as 4e09ef9806fb9af448a5efcd60395815.trk.simitor[.]com. Because every recipient gets a unique subdomain, a single query tells the attacker which recipient interacted with the email content, and those confirmed-live addresses can then be targeted with further advertisements, spam or phishing content.

In the second campaign, “SecShow,” the threat actors use DNS tunneling to scan network infrastructure. The queries embed IP addresses and timestamps, letting the attacker map network layouts and identify misconfigurations that could be exploited. They are repeated periodically to collect current data and to test how the network responds, and they are aimed primarily at open resolvers, which are commonly found in the education, high-tech and government sectors.
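Both campaigns leave the same kind of trace in resolver or passive-DNS logs: many distinct, machine-generated leaf labels under one registered domain. The script below is an added example (not code from Unit 42 or from this article) that builds names in the style of each campaign and then runs a zone-level heuristic over a constructed query log, flagging the TrkCdn-style zone as "tracking" and the SecShow-style zone as "scanning" while leaving an ordinary zone alone. Several details are assumptions for illustration only: that the tracked e-mail address is encoded with MD5 (the article says only "encoded"), that the scanning queries lay out the probed IPv4 address and a Unix timestamp as consecutive labels, the hypothetical zone scan.example.test, and the thresholds used to flag a zone.

```python
"""Heuristic detection of tracking- and scanning-style DNS tunneling queries.

Added example, not code from the report or the article. The query log below is
constructed; the MD5 encoding, the "<ipv4 octets>.<unix ts>" label layout and
the zone scan.example.test are assumptions made for illustration.
"""
import hashlib
import ipaddress
import re
from collections import defaultdict

HEX_DIGEST = re.compile(r"^[0-9a-f]{32}$")   # MD5-sized hexadecimal label
DIGITS = re.compile(r"^\d+$")


def tracking_fqdn(email: str, zone: str = "trk.simitor.com") -> str:
    """TrkCdn-style name: one unique leaf label per recipient (MD5 assumed)."""
    return f"{hashlib.md5(email.strip().lower().encode()).hexdigest()}.{zone}"


def scan_fqdn(target_ip: str, ts: int, zone: str = "scan.example.test") -> str:
    """SecShow-style name carrying the probed IP and a timestamp (layout assumed)."""
    return f"{target_ip}.{ts}.{zone}"


def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels); production code should use the PSL."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def classify(qname: str, now: int, window: int = 7 * 86400) -> set:
    """Tag one query name with the encodings its labels appear to carry."""
    labels = qname.rstrip(".").lower().split(".")
    prefix = labels[:-2]                     # labels below the registered domain
    tags = set()
    if prefix and HEX_DIGEST.match(prefix[0]):
        tags.add("hex-digest")
    # four consecutive numeric labels that form a valid IPv4 address
    for i in range(len(prefix) - 3):
        chunk = prefix[i:i + 4]
        if all(DIGITS.match(l) and int(l) <= 255 for l in chunk):
            try:
                ipaddress.IPv4Address(".".join(chunk))
                tags.add("embedded-ipv4")
                break
            except ValueError:
                pass
    # a 10-digit label that is a plausible Unix timestamp near "now"
    for l in prefix:
        if DIGITS.match(l) and len(l) == 10 and abs(int(l) - now) <= window:
            tags.add("embedded-timestamp")
            break
    return tags


def suspicious_zones(log, now: int, min_leaves: int = 5, min_tagged: float = 0.8) -> dict:
    """Aggregate queries per registered domain and flag zones whose traffic is
    dominated by distinct, encoded leaf names. Returns {zone: verdict}."""
    stats = defaultdict(lambda: {"queries": 0, "leaves": set(), "tagged": 0, "tags": defaultdict(int)})
    for _client, qname in log:
        s = stats[registered_domain(qname)]
        s["queries"] += 1
        s["leaves"].add(qname.lower())
        tags = classify(qname, now)
        s["tagged"] += 1 if tags else 0
        for t in tags:
            s["tags"][t] += 1
    verdicts = {}
    for zone, s in stats.items():
        if len(s["leaves"]) >= min_leaves and s["tagged"] / s["queries"] >= min_tagged:
            if "embedded-ipv4" in s["tags"]:
                verdicts[zone] = "scanning"
            elif "hex-digest" in s["tags"]:
                verdicts[zone] = "tracking"
            else:
                verdicts[zone] = "tunneling"
    return verdicts


NOW = 1715644800  # 2024-05-14T00:00:00Z, fixed so the example is deterministic

# Constructed log of (client, qname): six tracking hits, six scan probes, benign noise.
SAMPLE_LOG = (
    [(f"10.0.0.{10 + i}", tracking_fqdn(f"user{i}@example.test")) for i in range(6)]
    + [("10.0.0.50", scan_fqdn(f"198.51.100.{i}", NOW - 60 * i)) for i in range(6)]
    + [("10.0.0.7", "www.example.org"), ("10.0.0.7", "mail.example.org"),
       ("10.0.0.8", "cdn.example.org"), ("10.0.0.8", "api.example.org"),
       ("10.0.0.9", "static.example.org")]
)

if __name__ == "__main__":
    for zone, verdict in suspicious_zones(SAMPLE_LOG, NOW).items():
        print(f"{zone}: {verdict}")
```

The per-zone aggregation matters more than any single-name test: one hex-looking label is unremarkable, but dozens of distinct ones under a domain that resolves only through a single nameserver (the pattern the report describes) is the signal. In a real deployment, swap the naive `registered_domain` for a Public Suffix List lookup and feed the function from resolver query logs rather than the constructed sample.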

To reduce the attack surface of DNS resolvers, Palo Alto Networks recommends that organizations restrict the resolver's service range so that it answers only the queries it needs to (for example, limiting recursion to internal clients with BIND's allow-recursion or Unbound's access-control directives), and keep resolver software updated so that known (N-day) vulnerabilities cannot be exploited.
