Dns Tunneling And In The Wild Attribution

Disclaimer: This post is being actively updated. Updates are tracked at the bottom of this post

Disclaimer: Much of the information is compiled from my learning and online sources. Please be sure to double-check claims and references if you plan to use them.

Table of Contents

• Introduction
• Advanced Threats
• Active Research
• References
• Updates

What is DNS Tunneling

DNS tunneling is a technique used to evade network security controls. It uses the DNS protocol to allow attackers to hide data in DNS requests or open source tools to allow users to circumvent paid hotel Wi-Fi access control. The DNS protocol defined in RFC 1034 RFC 1035, was established to facilitate the naming of network resources and has since then been used in a wide variety of applications and more recently, protocol abuses. A deeper dive of the DNS system can be found in this Cloudflare blog.

The earliest documented discussion of DNS Tunneling was by Oskar Pearson on the Bugtraq mailing list in April 1998. As the technology has advanced, more advanced DNS Tunneling approaches leverage DoT (DNS-over-TLS) and DoH (DNS over HTTPS) to evade detection and prevention solutions. We will provide a deeper dive in a later blog post. The proceeding content will provide references to how this technique is used in the wild, tools and malware sources, and researched techniques for detecting and mitigating DNS Tunneling.

Advanced Threats

DNS Tunneling is a technique used by a wide range of APT groups which includes APT18, APT34, the Cobolt Group, the Anchor Group, ShadowPad, APT32 also known as Denis. A Chinese APT18, also known as Webky, was found using the technique in 2016. The DarkyHydrus group is documented using Google Drive for C2 Communication which is both interesting and novel. There are many documented zero-days exploitation and exfiltration techniques used by this group. I also want to note attribution tracking for this group is inconsistent based on sources.

APT34, also known as OilRig, is documented using the technique in their 2017 in BONDUPDATER and a 2018 DNSpoinage malware campaign. They improve their toolkit in 2020 when they leveraged an open source tool DNSExfiltrator to exfiltrate data. There are some very interesting write-ups on the techniques leveraged by this threat group, and I have linked them in the closing section for convenience.

Malware

Malware samples that use this technique include GodLua backdoor,

the Heyoka Backdoor attributed to Aoqin Dragon and tracked by SentinelLabs,

the MoustachedBouncer, FIN6 or FrameworkPOS,

InvisiMole,

Mori, the Snake Malware,

The SUNBURST campaign attributed to UNC2452 and APT29,

Snugy found in the xHunt Campaign and WellMess.

Notably, the GodLua backdoor, named by the discovering researchers based on its obfuscation technique and language of choice, connects infected machines to a larger botnet capable of launching DDoS attacks. The malware campaign is documented using DNS tunneling to communicate back to a C2 server.

If you are interested in finding more APT and other groups using covert channels, additional references to attribution can be referenced from MITRE ATT&CK. A deep dive into attacks is provided from a UNIT 42 blog post. Thanks for your interest in this blog. From this point on we will journey deeper into cutting edge defensive mechanisms against DNS tunneling attacks.

Research

To defend against these attacks, there are a couple strategies used in consumer products. End users can leverage access control lists (ACL) to block known malicious domains, traffic analysis techniques to monitor internal DNS activity or intrusion prevention systems (IPS). These techniques are not new. There are great resources and posts on the topic at Maarten Van Horenbeeck’s blog

In this section, we take a survey paper approach to summarize and reference relevant DNS Tunneling research. In order for this work to be complete and relevant, it will be updated regularly until a companion research paper is released.

Machine Learning Techniques

Researchers from the University of Brunswich generated the dataset CIC-Bell-DNS-EXF-2021 and demonstrated how machine learning can be leveraged for detection DNS tunneling attacks in their paper.

Statistical Analysis

Packet Inspection

References

Included source were not directly linked in the blog posts or are included for future reference

Sources

• Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH)
• An Analysis of Godlua Backdoor
• DNS Tunneling: how DNS can be (ab)used by malicious actors
• How the APT34 uses Saitama Backdoor for DNS tunneling
• GodLua Presentation
• A Guide to Understanding Covert Channels

Tools

• NSTX
• iodine
• DNS2TCP
• DNScat
• TUNS
• OzymanDNS
  • source
• DNSExfiltrator

Malware

• UPDoS
• GodLua backdoor
• Saitama Backdoor

Updates

• 9/28/2023: Added research sources to blog
• 11/13/2023: Made correction based on updated information. Updated content layout. Added/Updated resources, malware references and APT sources
• 11/17/2023: Added additional sources, research content, and additional links to “What is DNS” section
• 12/2/2023: Added additional commentary for malware sources. Added additional literature for mitigation