DNS Tunneling and In-the-Wild Attribution
Disclaimer: This post is being actively updated. Updates are tracked at the bottom of this post.
Disclaimer: Much of the information is compiled from my learning and online sources. Please be sure to double-check claims and references if you plan to use them.
What is DNS Tunneling
DNS tunneling is a technique used to evade network security controls. It abuses the DNS protocol to carry data inside DNS requests, whether by attackers hiding data in their queries or by open source tools that let users circumvent paid hotel Wi-Fi access control. The DNS protocol, defined in RFC 1034 and RFC 1035, was established to facilitate the naming of network resources and has since been used in a wide variety of applications and, more recently, protocol abuses. A deeper dive into the DNS system can be found in this Cloudflare blog.
The earliest documented discussion of DNS tunneling was by Oskar Pearson on the Bugtraq mailing list in April 1998. As the technology has advanced, newer DNS tunneling approaches leverage DoT (DNS over TLS) and DoH (DNS over HTTPS) to evade detection and prevention solutions. We will attempt to provide a deeper dive in a later blog post. The following content provides references to how this technique is used in the wild, tools and malware sources, and researched techniques for detecting and mitigating DNS tunneling.
Advanced Threats
DNS tunneling is a technique used by a wide range of APT groups. Arguably it is one of the most common methods threat actors use to exfiltrate sensitive data or to receive instructions from servers they control. Information can be found online that characterizes each of these groups and tracks the advancement of their techniques and strategies. In this section, I acknowledge, reference and briefly describe groups that use the DNS tunneling technique in their toolkits.
Groups
- the Cobalt Group,
- the Anchor Group,
- ShadowPad,
- APT32, also known as Denis.
The Chinese group APT18, also known as Wekby, was found using the technique in 2016.
The DarkHydrus group is documented using Google Drive for C2 communication, which is both interesting and novel. There are many documented zero-day exploitation and exfiltration techniques used by this group. I also want to note that attribution for this group is inconsistent across sources.
APT34, also known as OilRig, is documented using the technique in their 2017 BONDUPDATER and 2018 DNSpionage malware campaigns. They improved their toolkit in 2020 when they leveraged the open source tool DNSExfiltrator to exfiltrate data. There are some very interesting write-ups on the techniques leveraged by this threat group, and I have linked them in the closing section for convenience.
Malware
Malware samples that use this technique are referenced in this section. I provide a brief overview of the attack techniques and the hypothesized threat actor, and link additional write-ups and analysis for each malware sample. The samples are not discussed in any particular order.
The GodLua backdoor is a Lua-based malware whose name is derived from the language and its byte-code usage. The Heyoka backdoor is attributed to the Aoqin Dragon threat group and was initially tracked by SentinelLabs. The backdoor leverages a wide range of techniques to evade detection, including DNS tunneling, and is noted as having been deployed in a campaign that spanned 10 years at the time of the write-up. MoustachedBouncer is a cyber espionage group that uses the technique in their NightClub toolkit. The group was revealed by ESET at Black Hat 2023. FIN6, or FrameworkPOS, is a family of malware that targets point-of-sale (PoS) devices with the goal of intercepting customer card information.
Further samples and campaigns that use the technique:
- Mori, the Snake malware,
- the SUNBURST campaign attributed to UNC2452 and APT29,
- Snugy, found in the xHunt campaign, and WellMess.
Notably, the GodLua backdoor, named by the discovering researchers based on its obfuscation technique and language of choice, connects infected machines to a larger botnet capable of launching DDoS attacks. The malware campaign is documented as using DNS tunneling to communicate back to a C2 server.
If you are interested in finding more APT and other groups using covert channels, additional attribution references can be found in MITRE ATT&CK. A deep dive into attacks is provided in a Unit 42 blog post. Thanks for your interest in this blog. From this point on we will journey deeper into cutting-edge defensive mechanisms against DNS tunneling attacks.
Research
To defend against these attacks, there are a couple of strategies used in consumer products. End users can leverage access control lists (ACLs) to block known malicious domains, traffic analysis techniques to monitor internal DNS activity, or intrusion prevention systems (IPS). These techniques are not new. There are great resources and posts on the topic at Maarten Van Horenbeeck's blog.
Relevant research that I am interested in takes advantage of new network paradigms such as software-defined networking and P4 to introduce in-network approaches for parsing and filtering DNS tunneling traffic. I provide an introduction to those concepts in the post "New paradigms for network security".
In this section, we take a survey-paper approach to summarize and reference relevant DNS tunneling research. For this work to be complete and relevant, it will be updated regularly until a companion research paper is released.
Technique Gathering and Analysis
Researchers in this paper passively collect and analyze DNS records to identify DNS tunneling campaigns. This is possible because the researchers collected newly registered domains over a period of two months and then measured how those domains were used. Some campaigns identified were from APT32, Wekby and APT34. More information on those groups can be found in the Advanced Threats section. To conduct statistical analysis on DNS traffic, researchers have made extensive efforts to identify features that are unique to DNS tunneling traffic. This is in line with how researchers use an algorithmic approach to characterize and detect DNS tunneling traffic.
Machine Learning Techniques
Researchers from the University of New Brunswick generated the CIC-Bell-DNS-EXF-2021 dataset and demonstrated in their paper how machine learning can be leveraged to detect DNS tunneling attacks. Another group developed DNSxD, which focuses on training machine learning algorithms to detect DNS attacks using specific features of clear-text DNS traffic, including record type, query length, name entropy, volume, frequency per domain, keep-alive and time interval. Their work builds on previous work that leverages statistical analysis of specific features in DNS traffic to identify DNS tunneling. This approach enables the researchers to detect data exfiltration over DoH tunnels.
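As an added example, not code from this post or from the CIC or DNSxD papers, the following Python computes a few of the per-query features named above (record type, query length, label entropy) plus per-domain volume over constructed query log lines, then applies an illustrative rule of the kind the statistical and machine-learning work builds on. The thresholds, the set of "payload-carrying" record types and the two-label domain grouping are assumptions chosen for the demonstration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, not real traffic: "client qname qtype" per line.
# The tun.example.net labels are 32 distinct characters each, standing in for
# encoded payload chunks; the remaining lines are ordinary lookups.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 _dmarc.example.com TXT
10.0.0.7 abcdefghijklmnopqrstuvwxyz012345.tun.example.net TXT
10.0.0.7 543210zyxwvutsrqponmlkjihgfedcba.tun.example.net TXT
10.0.0.7 0a1b2c3d4e5fghijklmnopqrstuvwxyz.tun.example.net TXT
10.0.0.9 cdn.example.org A
"""

def shannon_entropy(s):
    """Entropy of the character distribution of s, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    """Group queries by their last two labels (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def query_features(qname, qtype):
    """Per-query features of the kind the DNSxD paper lists: type, length, entropy."""
    labels = qname.rstrip(".").split(".")
    longest = max(labels[:-2], key=len, default="")
    return {"qtype": qtype, "qname_len": len(qname),
            "max_label_len": len(longest), "label_entropy": shannon_entropy(longest)}

def is_suspicious(feat, entropy_thr=3.5, label_thr=30, payload_types=("TXT", "NULL", "CNAME")):
    """Illustrative rule: a long, high-entropy label in a record type that carries free-form data."""
    return (feat["label_entropy"] > entropy_thr and feat["max_label_len"] > label_thr
            and feat["qtype"] in payload_types)

def score_domains(log_text):
    """Aggregate per registered domain: query volume and how many queries hit the rule."""
    per_domain = defaultdict(lambda: {"queries": 0, "suspicious": 0})
    for line in log_text.splitlines():
        _client, qname, qtype = line.split()
        d = per_domain[registered_domain(qname)]
        d["queries"] += 1
        if is_suspicious(query_features(qname, qtype)):
            d["suspicious"] += 1
    return per_domain

def flagged_domains(log_text, min_suspicious=3):
    """Domains with at least min_suspicious rule hits; the volume floor keeps one odd lookup from alerting."""
    return sorted(dom for dom, d in score_domains(log_text).items() if d["suspicious"] >= min_suspicious)
```

Note that the `_dmarc` TXT lookup is not flagged: record type alone is a weak signal, which is why the papers combine it with length, entropy and per-domain frequency.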
Packet Inspection
References
Included sources were not directly linked in the blog post or are included for future reference.
- Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH)
- An Analysis of Godlua Backdoor
- DNS Tunneling: how DNS can be (ab)used by malicious actors
- How the APT34 uses Saitama Backdoor for DNS tunneling
- GodLua Presentation
- A Guide to Understanding Covert Channels
- Saitama Backdoor
- UPDoS
Tools and Malware
Updates
- 9/28/2023: Added research sources to blog
- 11/13/2023: Made correction based on updated information. Updated content layout. Added/Updated resources, malware references and APT sources
- 11/17/2023: Added additional sources, research content, and additional links to “What is DNS” section
- 12/2/2023: Added additional commentary for malware sources. Added additional literature for mitigation
- 12/10/2023: Improved readability and added research sources
- 2/26/2024: Large refactor and improvement of post. Added additional references. This post can now be considered complete.
- 6/30/2024: Added research on defense