Threat actors using DNS tunneling for scanning and tracking

Palo Alto Networks' Unit 42 security research team has uncovered cyber campaigns employing DNS tunneling for activities beyond conventional command-and-control (C2) and Virtual Private Network (VPN) purposes. These campaigns, dubbed “TrkCdn” and “SecShow,” showcase how malicious actors evolve their tactics to bypass traditional network security measures.

In the first campaign, “TrkCdn,” attackers focus on tracking victim interactions with phishing email content. By embedding content within emails, the attackers initiate DNS queries to subdomains under their control. Each subdomain's Fully Qualified Domain Name (FQDN) contains encoded content, facilitating covert communication.

“Each domain only uses a single nameserver IP address, while one nameserver IP address can serve up to 123 domains. These domains use the same DNS configurations and the same encoding method for their subdomains,” the report notes. “The attacker registered all domains under [.]com or [.]info TLDs and set domain names by combining two or three root words, which is a practice attackers use to avoid domain generation algorithm (DGA) detection.”

For instance, an email address like "unit42@not-a-real-domain[.]com" is encoded into a subdomain such as 4e09ef9806fb9af448a5efcd60395815.trk.simitor.com. When the victim's mail client resolves that name, the attacker's nameserver sees the query and learns that the message was opened, which can lead to further unwanted activity such as advertisements, spam or phishing content.

In the second campaign, “SecShow,” threat actors use DNS tunneling to scan network infrastructure. By embedding IP addresses and timestamps in DNS queries, attackers map out network layouts and identify configuration issues that could be exploited. The queries are repeated periodically to gather real-time data and test network responses, primarily targeting open resolvers, which are commonly found in the education, high-tech and government sectors.

To reduce the attack surface of DNS resolvers, Palo Alto recommends that organizations restrict the service range of their resolvers so that they accept only the queries they need to serve, and keep resolver software up to date to close N-day vulnerabilities.
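As an added defensive illustration (not code from the Unit 42 report), the script below scans constructed resolver log lines for the TrkCdn-style shape described above: a fixed-length hex label under a shared parent zone, many distinct values per zone. The 32-hex-character label length, the entropy threshold and the log format are assumptions for this example.

```python
"""Flag parent zones whose leftmost labels look like fixed-length hex
encodings (the TrkCdn subdomain shape) in resolver query logs."""
import re
from collections import defaultdict
from math import log2

# Assumption: TrkCdn-style labels are 32 lowercase hex characters.
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample log, one "<client> <qname>" per line (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 4e09ef9806fb9af448a5efcd60395815.trk.simitor.com
10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.trk.simitor.com
10.0.0.9 ffeeddccbbaa99887766554433221100.trk.simitor.com
10.0.0.5 www.example.com
10.0.0.7 mail.example.com
10.0.0.9 cdn.example.com
"""

def parent_zone(qname: str, labels: int = 3) -> str:
    """Return the rightmost `labels` labels, e.g. trk.simitor.com."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])

def shannon_entropy(s: str) -> float:
    """Bits per character; low values mean repetitive, non-encoded labels."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * log2(n / len(s)) for n in counts.values())

def find_tracking_zones(log_text: str, min_unique: int = 3) -> dict:
    """Group queries by parent zone and count distinct hex-looking leading
    labels. Returns {zone: count} for zones at or above min_unique."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, qname = line.split()
        first = qname.lower().split(".")[0]
        # Entropy floor (assumed 3.0 bits) drops hex-looking but repetitive labels.
        if HEX32.match(first) and shannon_entropy(first) > 3.0:
            seen[parent_zone(qname)].add(first)
    return {z: len(v) for z, v in seen.items() if len(v) >= min_unique}

if __name__ == "__main__":
    print(find_tracking_zones(SAMPLE_LOG))  # {'trk.simitor.com': 3}
```

A hit should be correlated with the nameserver serving the zone, since the report notes that one nameserver IP can front many such domains.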
