DNS Records Hijacked for Covert Malware Storage

Cybercriminals Exploit Protocol’s Blind Spots

Malicious actors are ingeniously weaponizing the Domain Name System (DNS), transforming it into an unlikely digital storage locker for malware. By concealing code fragments within DNS TXT records, attackers can discreetly exfiltrate and deploy harmful software, bypassing conventional security measures.

Hidden Threats Emerge in DNS Traffic

Researchers at DomainTools recently uncovered this technique, observing its use to host a malicious binary file associated with Joke Screenmate. This nuisance malware, known for disrupting computer operations through fake alerts or system slowdowns, was pieced together from DNS TXT records.

The method relies on converting malware into hexadecimal format, then segmenting it across various subdomains’ TXT records. These pieces are retrievable via standard DNS queries, allowing for reassembly into the original executable. Because this traffic often flies under the radar of typical security analysis, the operation can remain undetected.

Encrypted DNS Further Obscures Malicious Activity

The challenge is compounded by the increasing adoption of encrypted DNS protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT). These encryption layers strip away visibility into DNS request contents, making it difficult for network administrators and security tools to differentiate legitimate traffic from covert operations, even for organizations managing their own DNS resolvers, according to Ian Campbell of DomainTools.

Diverse Applications Beyond Simple Storage

Beyond malware storage, this DNS exploitation has surfaced in other troubling applications. In one instance, DomainTools analysts found PowerShell scripts acting as malware stagers within TXT records, likely intended for integration into Covenant command-and-control frameworks. These scripts, designed to fetch their ultimate payload from different domains, only activate once initiated by a local process.

Furthermore, the technique has been employed for “prompt injection” attacks targeting AI chatbots. Predefined instructions embedded in DNS records can manipulate AI systems that process this text data, potentially leading to unauthorized data deletion or behavioral alterations in the AI models.

A Growing Attack Vector Demands New Defenses

This evolving tactic demonstrates that DNS is evolving beyond its intended function, becoming a significant vector for data theft, malware distribution, and system manipulation. A recent report highlighted that over 90% of organizations experienced at least one significant cyberattack in 2023, underscoring the need for enhanced vigilance against emerging threats (Statista 2024).

As long as DNS traffic monitoring capabilities lag behind these sophisticated evasion techniques, this overlooked protocol will remain a prime target for cybercriminals seeking to operate in the shadows.