Attackers Use DNS Tunneling to Track Victim Activity, Scan Networks

Threat actors are using DNS tunneling to track victims’ interaction with spam and to scan network infrastructures.

Threat actors have been observed employing DNS tunneling to track the delivery of spam emails and victims’ interaction with malicious domains, as well as to scan victims’ networks, Palo Alto Networks warns.

Used for roughly two decades, DNS tunneling is a covert communication method that allows attackers to transmit malware and data to and from victim networks using a client-server model.

As part of a DNS tunneling attack, the threat actor registers a domain with a name server pointing to the attacker’s server on which tunneling malware runs.

The attacker then infects a computer with malware, which sends requests through the organization's DNS resolver to reach the attacker-controlled server and establish a DNS tunnel via that resolver. Because the traffic looks like ordinary DNS, it bypasses conventional network firewalls and often goes unnoticed, as organizations do not usually monitor DNS traffic.

Typically, threat actors use DNS tunneling for command-and-control (C&C) communication and virtual private network (VPN) purposes, but three recent campaigns have shown that it can also be employed for activity tracking and network scanning.

For tracking, the attackers use malware that embeds user information and details of the victim's actions into a unique subdomain of a DNS query; that subdomain serves as the tunneling payload.

The DNS queries are sent to an attacker-controlled nameserver that stores them, allowing the threat actor to use the unique subdomains and timestamps as a log of the victim’s activity.

As part of a campaign tracked as TrkCdn, which has targeted over 700 victims and has used 75 IP addresses resolving 658 domains, the attackers likely employ DNS tunneling to track victims’ interaction with malicious emails.

Once the victim opens the email or clicks on a link in it, embedded content generates a DNS query that is relayed to the attacker-controlled nameserver, which returns a DNS result leading to advertisements, spam, or phishing.

“For tracking purposes, attackers can query DNS logs from their authoritative nameservers and compare the payload with the hash values of the email addresses. This way, attackers can know when a specific victim opens one of their emails or clicks on a link, and they can monitor campaign performance,” Palo Alto Networks explains.
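The tracking mechanism described above leaves a distinctive footprint in a defender's own resolver logs: a single registered domain receives many unique, high-entropy subdomains, each queried only once. The following Python script is an added illustration, not code from Palo Alto Networks or from the campaigns; it parses a constructed, simplified query log (timestamp, client, query name, query type) and scores each registered domain on unique-subdomain count, mean label entropy and single-use ratio. The domain names, log format, thresholds and the naive "last two labels" registered-domain split are all assumptions made for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample of a simplified resolver query log (timestamp, client,
# query name, query type). Not taken from the report; the domains are
# placeholders. The 32-character hex labels imitate the hashed-email
# tracking payloads the article describes, each queried exactly once.
SAMPLE_LOG = """\
2024-05-10T09:00:01 10.0.0.5 www.example.test A
2024-05-10T09:00:02 10.0.0.5 mail.example.test MX
2024-05-10T09:00:03 10.0.0.7 www.example.test A
2024-05-10T09:00:04 10.0.0.7 login.example.test A
2024-05-10T09:01:10 10.0.0.12 0123456789abcdef0123456789abcdef.trk-placeholder.test A
2024-05-10T09:01:15 10.0.0.13 fedcba9876543210fedcba9876543210.trk-placeholder.test A
2024-05-10T09:01:21 10.0.0.14 02468ace13579bdf02468ace13579bdf.trk-placeholder.test A
2024-05-10T09:01:30 10.0.0.15 13579bdf02468ace13579bdf02468ace.trk-placeholder.test A
2024-05-10T09:01:44 10.0.0.16 abcdef0123456789abcdef0123456789.trk-placeholder.test A
2024-05-10T09:01:52 10.0.0.17 76543210fedcba9876543210fedcba98.trk-placeholder.test A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Detection thresholds chosen for this example; tune them per environment.
MIN_UNIQUE_SUBDOMAINS = 5
MIN_MEAN_ENTROPY = 3.0
MIN_SINGLE_USE_RATIO = 0.8


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character in one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Naive split into (registered domain, leftmost label).

    Assumes the registered domain is the last two labels; a real deployment
    would consult the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), labels[0]


def analyze(log_text: str) -> dict:
    """Aggregate queries per registered domain and flag tracking-style tunneling."""
    subdomain_hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        _ts, _client, qname, _qtype = m.groups()
        domain, sub = split_name(qname)
        if sub:
            subdomain_hits[domain][sub] += 1

    report = {}
    for domain, subs in subdomain_hits.items():
        unique = len(subs)
        mean_entropy = sum(shannon_entropy(s) for s in subs) / unique
        single_use = sum(1 for c in subs.values() if c == 1) / unique
        report[domain] = {
            "unique_subdomains": unique,
            "mean_entropy": round(mean_entropy, 3),
            "single_use_ratio": round(single_use, 3),
            "suspicious": (
                unique >= MIN_UNIQUE_SUBDOMAINS
                and mean_entropy >= MIN_MEAN_ENTROPY
                and single_use >= MIN_SINGLE_USE_RATIO
            ),
        }
    return report


if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_LOG).items():
        print(domain, stats)
```

On the sample input, `example.test` stays clean (three ordinary hostnames, one of them repeated) while `trk-placeholder.test` is flagged: six one-shot labels with the maximum 4.0 bits of entropy a hexadecimal string can carry. In production the same three metrics would be computed over a sliding window and correlated with the mail gateway's delivery log, since the article notes the beacon fires when a recipient opens the message or clicks a link.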

The attackers would register the domains used in this campaign two to 12 weeks before distributing them to the intended victims, and would continue to monitor the behavior for nine to 11 months. They would typically retire the domains after a year.

According to Palo Alto Networks, the attackers were seen registering new domains for this campaign between October 2020 and January 2024.

A second campaign, tracked as SpamTracker, has employed a similar technique to track spam delivery, and Palo Alto Networks has identified 44 domains associated with it.

A third campaign, named SecShow, has been relying on DNS tunneling to scan networks for vulnerabilities, and then perform reflection attacks.

Palo Alto Networks has observed the attackers scanning for open resolvers, testing resolver delays, exploiting security defects in resolvers, and harvesting time-to-live (TTL) information.

“This campaign generally targets open resolvers. As a result, we find victims mainly come from education, high tech, and government fields, where open resolvers are commonly found. This campaign contains three domains, leveraging various subdomains to achieve different network scanning,” Palo Alto Networks says.

To mitigate the risk associated with DNS tunneling, organizations are advised to prevent resolvers from accepting unnecessary queries and to make sure their resolvers are running the latest software versions, to prevent the exploitation of known vulnerabilities.
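As an added illustration of the first piece of that advice (not configuration from the report or from any named vendor), the fragment below contrasts a BIND 9 `named.conf` that answers recursive queries for anyone, which is what the SecShow campaign scans for, with one that limits recursion and cache access to internal networks and rate-limits responses. The two `options` blocks are alternatives shown side by side, not meant to be combined in one file, and the address ranges are placeholders.

```conf
// Weak: recursion open to the whole Internet, i.e. an "open resolver".
options {
    recursion yes;
    allow-recursion { any; };
};

// Hardened: recursion and cache lookups limited to trusted networks.
acl "internal" {
    127.0.0.0/8;
    10.0.0.0/8;          // placeholder: replace with your own ranges
};

options {
    recursion yes;
    allow-recursion { "internal"; };
    allow-query-cache { "internal"; };
    rate-limit {
        responses-per-second 10;   // response rate limiting (BIND 9.9+)
    };
};
```

After the change, an external scanner receives a refusal instead of a recursive answer, which also removes the resolver as an amplifier for the reflection attacks the article mentions; the second piece of advice, keeping the resolver software current, has no configuration equivalent and belongs in the patching process.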

Related: Chinese Hackers Have Been Probing DNS Networks Globally for Years: Report

Related: KeyTrap DNS Attack Could Disable Large Parts of Internet: Researchers

Related: Dangling DNS Used to Hijack Subdomains of Major Organizations

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.