Hackers Use DNS Tunneling to Scan and Track Victims

Threat actors are using DNS tunneling to track when targets open phishing emails and click malicious links, and to scan networks for weaknesses. DNS tunneling encodes data or commands inside DNS queries and responses, turning a protocol that almost every network must allow outbound into a covert channel: the victim's host asks its normal recursive resolver, which forwards the query to the authoritative server for the attacker's domain, so the victim never connects to attacker infrastructure directly. The attackers encode the data with Base16, Base64 or custom schemes and carry it in record types such as TXT, MX, CNAME and A (address) records. Because the traffic looks like ordinary name resolution, it passes through network firewalls and filters that would block a direct connection, which makes the channel usable for command and control (C2) and VPN-style tunnels. DNS tunneling has legitimate uses, such as circumventing censorship, but it is also abused for data exfiltration and injection.
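To make the encoding concrete, here is a small Python example (added for this write-up, not code from the campaigns or from the researchers who documented them) that packs arbitrary bytes into the left-hand labels of a query name under an attacker zone and unpacks them again on the authoritative side. The zone names and payloads are invented; the two limits are real: a label is at most 63 octets and a full name at most 253 characters, which is why tunnels split data across several labels and, for anything larger, across several queries.

```python
import base64
import binascii

MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # longest name that fits the 255-octet wire limit in text form


def encode_query_name(payload: bytes, zone: str, encoding: str = "hex") -> str:
    """Pack `payload` into the left-hand labels of a query name under `zone`.

    "hex" is Base16 (the alphabet of the TrkCdn MD5 labels); "base32" packs
    more bits per character and is case-insensitive, so it survives resolvers
    that lowercase names (Base64 would not). Raises ValueError if the data does
    not fit in one query name, which is why real tunnels split data across
    many queries and sequence them.
    """
    if encoding == "hex":
        text = binascii.hexlify(payload).decode("ascii")
    elif encoding == "base32":
        text = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    else:
        raise ValueError("unsupported encoding: " + encoding)
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    name = ".".join(labels + [zone])
    if len(name) > MAX_NAME:
        raise ValueError(f"{len(payload)} bytes do not fit in one name ({len(name)} > {MAX_NAME})")
    return name


def decode_query_name(name: str, zone: str, encoding: str = "hex") -> bytes:
    """Recover the payload from a name: this is what the attacker's authoritative
    server does with every query the victim's recursive resolver forwards to it."""
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError("name is not under the tunnel zone")
    text = name[: -len(suffix)].replace(".", "")
    if encoding == "hex":
        return binascii.unhexlify(text)
    if encoding == "base32":
        return base64.b32decode(text.upper() + "=" * (-len(text) % 8))
    raise ValueError("unsupported encoding: " + encoding)


def max_payload_bytes(zone: str, encoding: str = "hex") -> int:
    """Largest payload that encode_query_name accepts for `zone`, found by search."""
    size = 0
    while True:
        try:
            encode_query_name(b"\x00" * (size + 1), zone, encoding)
        except ValueError:
            return size
        size += 1


if __name__ == "__main__":
    zone = "trk.example.test"      # assumed attacker zone, not a real campaign domain
    secret = b"user@example.test"  # constructed payload
    name = encode_query_name(secret, zone)
    print(name)
    assert decode_query_name(name, zone) == secret
    print("hex capacity per query:", max_payload_bytes(zone), "bytes")
    print("base32 capacity per query:", max_payload_bytes(zone, "base32"), "bytes")
```

The capacity figures are the point: a 16-character zone leaves room for little more than a hundred bytes per hex-encoded query, so a tunnel that moves any real volume of data generates a stream of long, high-entropy, never-repeating names under one domain, which is exactly what resolver-log analytics should look for.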

The "TrkCdn" campaign tracks how victims interact with phishing emails. The email carries content that, when rendered, triggers a DNS query for an attacker-controlled subdomain whose leftmost label identifies the target. For instance, a query might look like 4e09ef9806fb9af448a5efcd60395815.trk.simitor[.]com, where 4e09ef9806fb9af448a5efcd60395815 is the MD5 hash of the recipient's email address; the attacker's authoritative name server sees the query and so learns which recipient opened the message, and when. The name then resolves to an attacker-controlled server that serves content such as advertisements, spam or phishing material. The query log lets the operators confirm that the malicious payload was delivered, see which lures work, and refine their campaigns accordingly.

The "SecShow" campaign uses DNS tunneling for reconnaissance of network infrastructure. The attackers embed IP addresses and timestamps in the query names, so the answers they receive let them map how a network's resolvers are laid out and identify configuration flaws worth exploiting. The queries are repeated periodically, which turns the responses into a time series: the attackers gather near-real-time data, notice when a host's status changes, and learn how the network reacts to unsolicited DNS requests.
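Both campaigns leave characteristic marks in recursive resolver query logs: TrkCdn produces many distinct 32-hex-character (MD5-like) labels under one domain, and SecShow produces labels that carry an IP address and a timestamp. The following Python script is an added example, not a detection from the original report or a vendor signature, that scores a constructed query log for those marks plus two generic tunneling signals (high-entropy name prefixes and many unique subdomains per registered domain). The log format, the tracker.test and scanner.test domains, the exact SecShow label layout and all thresholds are assumptions for illustration.

```python
from __future__ import annotations

import math
import re
from collections import defaultdict

# Constructed resolver query-log lines (not from any real capture), one per line:
#   <time> <client-ip> <qtype> <qname>
# tracker.test / scanner.test are invented stand-ins for the campaign domains, and
# the "<epoch>.<a-b-c-d>" layout of the scanner names is an assumed format.
SAMPLE_LOG = """\
2024-05-13T10:00:01Z 10.0.0.5 A 4e09ef9806fb9af448a5efcd60395815.trk.tracker.test
2024-05-13T10:00:02Z 10.0.0.7 A 9d5ed678fe57bcca610140957afab571.trk.tracker.test
2024-05-13T10:00:03Z 10.0.0.9 A 0cc175b9c0f1b6a831c399e269772661.trk.tracker.test
2024-05-13T10:00:04Z 10.0.0.5 A 1715594404.10-0-0-5.sec.scanner.test
2024-05-13T10:05:04Z 10.0.0.5 A 1715594704.10-0-0-5.sec.scanner.test
2024-05-13T10:00:05Z 10.0.0.5 A www.example.test
2024-05-13T10:00:06Z 10.0.0.7 MX mail.example.org
"""

MD5_LABEL = re.compile(r"^[0-9a-f]{32}$")
IPV4_IN_LABEL = re.compile(r"^(\d{1,3})[-_](\d{1,3})[-_](\d{1,3})[-_](\d{1,3})$")
EPOCH_LABEL = re.compile(r"^1[5-9]\d{8}$")   # 10-digit Unix seconds, roughly 2017..2033
ENTROPY_MIN_LEN = 24        # ignore short prefixes, whose entropy is meaningless
ENTROPY_THRESHOLD = 3.5     # bits/char; hex tops out at 4, English words sit near 3
CARDINALITY_THRESHOLD = 3   # distinct names under one domain; tune to the log window


def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded payloads sit near their alphabet's maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str, depth: int = 2) -> str:
    """Last `depth` labels. Real deployments should use the Public Suffix List."""
    return ".".join(qname.lower().rstrip(".").split(".")[-depth:])


def query_signals(qname: str) -> set[str]:
    """Per-query indicators drawn from the labels left of the registered domain."""
    prefix_labels = qname.lower().rstrip(".").split(".")[:-2]
    signals = set()
    if any(MD5_LABEL.match(lab) for lab in prefix_labels):
        signals.add("md5_like_label")          # TrkCdn-style recipient hash
    for lab in prefix_labels:
        m = IPV4_IN_LABEL.match(lab)
        if m and all(int(octet) <= 255 for octet in m.groups()):
            signals.add("ipv4_in_label")       # SecShow-style embedded address
        if EPOCH_LABEL.match(lab):
            signals.add("timestamp_label")     # SecShow-style embedded timestamp
    encoded = "".join(prefix_labels)
    if len(encoded) >= ENTROPY_MIN_LEN and shannon_entropy(encoded) >= ENTROPY_THRESHOLD:
        signals.add("high_entropy_prefix")     # generic tunnel payload
    return signals


def parse_log(text: str):
    for line in text.splitlines():
        if line.strip():
            ts, client, qtype, qname = line.split()
            yield ts, client, qtype, qname


def analyse(log_text: str) -> dict[str, set[str]]:
    """Return {registered_domain: signals} for every domain that triggered anything."""
    per_domain = defaultdict(set)
    names_seen = defaultdict(set)
    for _ts, _client, _qtype, qname in parse_log(log_text):
        dom = registered_domain(qname)
        names_seen[dom].add(qname.lower())
        per_domain[dom] |= query_signals(qname)
    for dom, names in names_seen.items():
        if len(names) >= CARDINALITY_THRESHOLD:
            per_domain[dom].add("many_unique_subdomains")   # one name per victim/probe
    return {d: s for d, s in per_domain.items() if s}


if __name__ == "__main__":
    for dom, sigs in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{dom}: {', '.join(sorted(sigs))}")
```

On the sample, tracker.test is flagged for MD5-like labels and for the number of unique names, scanner.test for the address and timestamp labels, and the two benign domains produce nothing. In production the cardinality count should be taken over a sliding window and the domain grouping should use the Public Suffix List, otherwise large CDNs and cloud providers will dominate the results.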

Security Officer Comments:
Threat actors prefer DNS tunneling over tracking pixels and conventional network scanners for several reasons. First, it rides on a protocol that networks must allow: the victim's query is answered through the organisation's own recursive resolver, so no direct connection to the attacker is needed, and perimeter firewalls and intrusion detection systems that would block or flag such a connection see only ordinary name resolution. This lets attackers keep a covert channel open without triggering alarms. Second, encoded query names blend in with legitimate traffic unless resolver logs are specifically analysed for them, so the activity rarely gets noticed by standard controls. Third, the channel is versatile: the same infrastructure supports C2, data exfiltration and network reconnaissance. Together these properties make DNS tunneling a highly attractive option for cybercriminals seeking to maximise the reach and impact of a campaign.

Suggested Corrections:
The DNS tunneling domains used in these campaigns are detected by Palo Alto Networks firewall products. Beyond that, we also suggest the following measures to reduce the attack surface of DNS resolvers.

  • Restrict which clients a recursive resolver serves, so that it accepts only the queries it needs to answer and is not an open resolver reachable from the internet
  • Keep resolver software promptly updated so that known (N-day) vulnerabilities cannot be exploited