This article reviews four previously undisclosed domain name system (DNS) tunneling campaigns that occurred in recent months. We identified these new campaigns through our recently deployed campaign monitoring system, which can identify new, potentially malicious campaigns from daily tunneling detection.
DNS tunneling is a technique threat actors use to encode non-DNS traffic data within DNS packet traffic. This allows the information to bypass traditional network firewalls and establish covert communication channels for data exfiltration and infiltration.
Our new campaign monitoring system is designed to detect tunneling domains based on the techniques and attributes commonly used in malicious campaigns. These unique intercorrelations among individual tunneling campaigns can reveal new tunneling domains.
For example, can attackers connect a new domain to any existing well-documented tunneling campaign? Do a couple of recently detected tunneling domains originate from an undisclosed campaign?
Hence, instead of investigating the tunneling domains individually, we seek to analyze these domains from the perspective of common attributes and quickly uncover new campaigns.
We have deployed this tunneling campaign monitoring system in our Advanced DNS Security service. This system allows organizations to secure their DNS traffic by identifying and blocking new potential campaigns from tunneling domains. It also provides detailed campaign information for customers who can log in to our Test A Site service.
Palo Alto Networks Next-Generation Firewall customers can access the tunneling campaign information with the Advanced DNS Security subscription and receive protections against malicious indicators (domains and IP addresses) mentioned in this article via Advanced URL Filtering. The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.
The Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attacks with best practices by identifying the corresponding malware samples and command and control (C2) traffic.
Palo Alto Networks Cortex Analytics customers receive protection against DNS tunneling techniques mentioned in this article via the DNS tunneling analytics detector.
Cortex also helps protect against malware from the Hiloti family and others through features such as prevention for shellcode injection.
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
Related Unit 42 Topics | DNS, C2 |
DNS is a critical component of the internet infrastructure responsible for translating human-readable domain names into IP addresses. Many organizations leave UDP and TCP port 53 open in their firewalls, which is the port DNS uses for communication. They also often leave this port unmonitored, making it an attractive target for attackers to use as a covert communications channel.
DNS tunneling leverages the DNS protocol to encode data within DNS queries and responses. Therefore, cyberattackers tend to use DNS tunneling for data exfiltration, command and control (C2), or bypassing security measures.
Figure 1 illustrates an example of covert communications using DNS tunneling techniques.
Attackers first infect a client system with malware that is able to steal the user’s data. Then, the stolen data is encoded and embedded within subdomains and is transmitted over DNS queries. The attackers can receive and decode the data by hosting an authoritative DNS (aDNS) server of the root domain (e.g., helloworld[.]com in Figure 1).
DNS tunneling can achieve stealthiness because the recursive DNS servers enable indirect communications between client systems and attacker-controlled authoritative DNS servers. Attackers are also able to transmit commands by encoding data into DNS responses.
Malicious actors also abuse DNS tunneling in attack campaigns. For example, the Iranian threat group Evasive Serpens (aka OilRig) employed DNS tunneling to communicate between infected hosts and their C2 servers, targeting critical infrastructure in the Middle East. Another Iranian threat group we track as Obscure Serpens (aka DarkHydrus) also used DNS tunneling when it targeted government agencies and educational institutions in the Middle East in 2016.
The detection of DNS tunneling has typically focused on the attributes of individual domains, such as lexical or infrastructure patterns. However, defenders often overlook additional attributes.
For example, correlations between tunneling domains can help us monitor significant clusters for tunneling detection and discover emerging campaigns. In this article, we reveal common attributes shared within individual campaigns that could facilitate automated detection of new DNS tunneling campaigns.
Based on these attributes, we have designed and deployed the first campaign monitoring system in our products. This system aims to automatically determine if a couple of historically detected tunneling domains originate from an undisclosed campaign, or if a new tunneling domain belongs to any existing well-documented campaign.
This section presents methods that can identify new tunneling campaigns from daily tunneling detection results. Our detection relies on the fact that domains used in each individual tunneling campaign typically exhibit similar attributes because the same malicious actors registered the domains, or the campaigns used the same tunneling methods.
We discuss the common attributes we identified within each tunneling campaign. To the best of our knowledge, these distinctive intercorrelations among tunneling campaigns have not been fully studied previously.
The following attributes relate to infrastructure, configurations, lexical patterns and targets that could be shared across the tunneling domains in each campaign:
Based on the above criteria, we used machine learning techniques to explore the potential new campaigns among the detected tunneling domains.
By focusing on the correlations between DNS tunneling domains, we detected four previously undiscovered campaigns. Each campaign shares some attributes from infrastructure, payloads, domain registration or targeted victims. We show the detailed case studies on these campaigns in this section.
The first campaign contains 12 domains that use a customized DNS beaconing format for Cobalt Strike C2 communications. While Cobalt Strike has a default configuration for DNS C2 communications through a malleable C2 profile, this campaign leverages a customized format.
In this format, the associated DNS queries use three-letter prefixes (e.g., xds) to indicate the function of the queries used in this tunneling traffic. This campaign targets the finance and healthcare industries, thus we named it FinHealthXDS.
By analyzing the passive DNS records, we discovered this customized Cobalt Strike DNS beaconing format. This campaign uses the xds prefix to indicate command request queries and resolves to 40.112.72[.]205 as the IP address.
After obtaining the returned IP address such as 40.112.72[.]62, malware will calculate the XOR value of the last byte to determine the returned command. For example, 205 XOR 62 = 243, which typically indicates transferring data with TXT records (mode dns-txt command).
Below, we find two examples of DNS A record queries for transferring subsequent data using TXT records.
This campaign can use either A records or TXT records for an infected host to receive data. When using A records, the DNS queries follow a format with a customized prefix of pro (compared to the default value of cdn when using malleable C2 profiles for DNS beaconing in Cobalt Strike).
pro.[hex-counter][8-digit-hex-random-number].[beacon-id].[subdomain-padding].<rootdom> A [hex-infiltration-data]
When using TXT records for data infiltration, the DNS queries use the prefix snd instead of the default api prefix used in the malleable C2 for DNS beaconing in Cobalt Strike. An example of the format is shown below.
snd.[hex-counter][8-digit-hex-random-number].[beacon-id].[subdomain-padding].<rootdom> TXT [infiltration-data]
To exfiltrate data to a C2 server, the DNS queries leverage two prefixes (i.e., txt for short messages and del for long messages, not the default prefix of post). The format is as follows.
[txt|del].[num-of-message][encoded-message].[counter][random-number].[beacon-id].[subdomain-padding].<rootdom> A 40.112.72[.]205
Table 1 shows six domains in this campaign. It also shows the query samples, nameservers and nameserver IP addresses.
Domain | Query Sample | Nameserver Domains |
Nameserver IP Addresses |
foxxbank[.]com | txt.1f0522f1e.3074aa20643.62c1b4ba.novel.foxxbank[.]com | ns1.foxxbank[.]com
ns2.foxxbank[.]com |
191.252.140[.]94
191.252.140[.]80 |
lifemedicalplus[.]net | del.1214999ab.36f446b3e.4c820ef2.dns0.lifemedicalplus[.]net | salad.liveritehealthcare[.]com | 52.90.87[.]208 |
codeaddon[.]net | txt.1a74140ad.4f2fa129ed.1ab3dfba.dns11.codeaddon[.]net | content.codeaddon[.]net
gateway.codeaddon[.]net jobs.codeaddon[.]net |
188.114.96[.]3
44.197.246[.]120 3.89.115[.]116 |
healthproreview[.]com | xds.db6bee2.thing.healthproreview[.]com | pitch.healthproreview[.]com | 54.242.65[.]191 |
familiesandfinance[.]com | del.17b48a6a3831f07076b2d81677d87ad5d93df75b7.142fb5314.250feff6.hunt.familiesandfinance[.]com | chance.familiesandfinance[.]com | 18.116.41[.]255 |
soupandselfcare[].com | pro.b4ed82f96.2c3e46fa.brain.soupandselfcare[.]com | initiative.soupandselfcare[.]com | 54.166.97[.]9 |
Table 1. The domain, query sample, nameservers and nameserver IP addresses in the campaign FinHealthXDS.
The second tunneling campaign contains over 100 domains, all of which share the same nameserver IP address of 185.161.248[.]253 from Russia. Most domains in this campaign end with the TLD .site, while only a very few of these domains use .website. Therefore, based on the aDNS IP address and the TLD patterns, we named this campaign RussianSite.
The subdomain contains two parts: a 5-character alphanumeric payload and a 1-letter or 2-letter padding that is specific in each domain. The A records of these campaign domains are distributed worldwide. However, to receive tunneling information from aDNS servers, configuring a valid aDNS IP address is mandatory for attackers, while A records are discretionary and could be invalid.
In Table 2 we listed examples of the domains, along with a query sample, nameservers and nameserver IP address. We have obfuscated the listed FQDN queries so no customer data is revealed.
We observed this campaign targeting 10 organizations from higher education. Of these 10 targets, five are governments and public infrastructure, four are medical/health institutions and one is a public accounting firm.
Domain | Query Sample | Nameserver Domains | Nameserver IP Address |
pretorya[.]site | h3t5b.g.pretorya[.]site | ns1.g.pretorya[.]site
ns2.g.pretorya[.]site |
185.161.248[.]253 |
zzczloh[.]site | ptqo1.p.zzczloh[.]site | ns1.p.zzczloh[.]site
ns2.p.zzczloh[.]site |
185.161.248[.]253 |
mouvobo[.]site | jpdqo.n.mouvobo[.]site | ns1.n.mouvobo[.]site
ns2.n.mouvobo[.]site |
185.161.248[.]253 |
mponiem[.]site | 6nesl.v.mponiem[.]site | ns1.v.mponiem[.]site
ns2.v.mponiem[.]site |
185.161.248[.]253 |
linkwide[.]site | g49wo.y.linkwide[.]site | ns1.y.linkwide[.]site
ns2.y.linkwide[.]site |
185.161.248[.]253 |
dtodcart[.]site | lv1bi.f.dtodcart[.]site | ns1.f.dtodcart[.]site
ns2.f.dtodcart[.]site |
185.161.248[.]253 |
Table 2. The domain, query sample, nameservers, nameserver IP address in the campaign RussianSite.
The third tunneling campaign contains six domains that share the same DNS configurations and aDNS server IP address of 35.205.61[.]67. A special pattern of this campaign is that each domain has 8 NS records. Therefore, we named this campaign 8NS.
However, instead of keeping redundancy of nameservers, all the NS records (i.e., ns[1-8].<rootdom>) have the same A record of 35.205.61[.]67.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
<rootdom> NS ns1.<rootdom> <rootdom> NS ns2.<rootdom> <rootdom> NS ns3.<rootdom> <rootdom> NS ns4.<rootdom> <rootdom> NS ns5.<rootdom> <rootdom> NS ns6.<rootdom> <rootdom> NS ns7.<rootdom> <rootdom> NS ns8.<rootdom> ns[1-8].<rootdom> A 35.205.61[.]67 <rootdom> A 35.205.61[.]67 |
Meanwhile, the A record of the root domain is the same as the aDNS server IP address. That indicates the nameserver may be self-built, which is usually a premise for DNS tunneling. Below, Figure 2 shows a visual mapping of the 8NS campaign.
This campaign is driven by multiple Trojans. For example, malware from the Hiloti family 0b99db286f3708fedf7e2bb8f24df1af13811fe46b017b6c3e7e002852479430, can contact the domain 011807dd0303[.]lantzel[.]com.
This Hiloti sample secretly downloads malicious files from a remote server and then injects the unpacked malware into explore[.]exe. The malware creates three registry entries under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Bfetipi or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Bfetipi, which a C2 domain generation algorithm uses to send client online messages to the C2 server through DNS queries, as depicted in Figure 3.
The generated domains are based on the information of infected systems, with a format such as the following:
0018786966.96428380.04.5E43287B03114C04A64F68C0C23E44F4.n.156.887.empty.6_1._t_i.3000.explorer_exe.156.rc2.a4h9uploading[.]com.
Let’s break down the encoding of each component from the above example:
After sending a client online message, the malware starts C2 communication with the domain lantzel[.]com, which Figure 4 shows being decrypted during execution.
We illustrate these six domains in the campaign 8NS, along with the query sample, nameservers and nameserver IP address in Table 3.
Domain | Query Sample | Nameserver Domains | Nameserver IP Address |
lantzel[.]com | 080317e70613.lantzel[.]com | ns1.lantzel[.]com
ns2.lantzel[.]com ns3.lantzel[.]com ns4.lantzel[.]com ns5.lantzel[.]com ns6.lantzel[.]com ns7.lantzel[.]com ns8.lantzel[.]com |
35.205.61[.]67 |
unbeatableprice[.]us | 029cd612cc2d9b9858aossoapcngb.unbeatableprice[.]us | ns1.unbeatableprice[.]us
ns2.unbeatableprice[.]us ns3.unbeatableprice[.]us ns4.unbeatableprice[.]us ns5.unbeatableprice[.]us ns6.unbeatableprice[.]us ns7.unbeatableprice[.]us ns8.unbeatableprice[.]us |
35.205.61[.]67 |
sosua[.]cz | 0545326b975e.1400world.sosua[.]cz | ns1.sosua[.]cz
ns2.sosua[.]cz ns3.sosua[.]cz ns4.sosua[.]cz ns5.sosua[.]cz ns6.sosua[.]cz ns7.sosua[.]cz ns8.sosua[.]cz |
35.205.61[.]67 |
ns2000wip[.]com | fkdmw402.ns2000wip[.]com | ns1.ns2000wip[.]com
ns2.ns2000wip[.]com ns3.ns2000wip[.]com ns4.ns2000wip[.]com ns5.ns2000wip[.]com ns6.ns2000wip[.]com ns7.ns2000wip[.]com ns8.ns2000wip[.]com |
35.205.61[.]67 |
dreyzek[.]com | srv881.dreyzek[.]com | ns1.dreyzek[.]com
ns2.dreyzek[.]com ns3.dreyzek[.]com ns4.dreyzek[.]com ns5.dreyzek[.]com ns6.dreyzek[.]com ns7.dreyzek[.]com ns8.dreyzek[.]com |
35.205.61[.]67 |
avtomaty-bcg[.]online | 001-zr6yarm4qwk4weuw.0zyywvutsrqp.avtomaty-bcg[.]online | ns1.avtomaty-bcg[.]online
ns2.avtomaty-bcg[.]online ns3.avtomaty-bcg[.]online ns4.avtomaty-bcg[.]online ns5.avtomaty-bcg[.]online ns6.avtomaty-bcg[.]online ns7.avtomaty-bcg[.]online ns8.avtomaty-bcg[.]online |
35.205.61[.]67 |
Table 3. The domain, query sample, nameservers and nameserver IP address in the campaign 8NS.
The fourth campaign contains over 50 domains. All domains are named by combining three words with the last word of finder (e.g., unlimitedpartnersfinder[.]com). The subdomains are composed of multiple similar segments, each of which contains a prefix ns500 and a number. Based on the root domain and subdomain patterns, we named this campaign NSfinder.
NSfinder is related to multiple malicious IP addresses, mainly from Europe. Each domain typically uses three IP addresses each time for both aDNS IP addresses and resolved IP addresses.
The IP addresses used by different domains have high overlapping. Also, we observe that attackers periodically change the IP address set for each domain, and the time to live (TTL) is only 60 seconds.
NSfinder performs attacks by setting up adult websites, and it lures victims to enter their credit card information. This campaign also correlates with multiple Trojans, such as IcedID.
For example, attackers frequently used the nameserver IP address 206.188.197[.]111 in the campaign to communicate with a malware sample with the SHA256 hash dfb3e5f557a17c8cdebdb5b371cf38c5a7ab491b2aeaad6b4e76459a05b44f28, identified as IcedID by different sources in VirusTotal. The nameserver IP address 185.81.114[.]183 communicated with the malware c22d25107e48962b162c935a712240c0a4486b38891855f0e53d5eb972406782, identified as RedLine stealer.
We observed this campaign having massive traffic within one month in 2023. The ns500 tokens have over a hundred variants, where the top tokens follow the distribution of English letters. We observed thousands of victims related to this campaign, mainly coming from high tech, education and manufacturing fields.
In Table 4, we list six domain examples with their query sample, nameservers and nameserver IP addresses.
Domain | Query Sample | Nameserver Domains | Nameserver IP Addresses |
yummyflingsfinder[.]com | ns500505.ns500528.ns500505.ns500458.ns500528.ns500528.ns500528.ns500488.ns500488.ns500505.ns500476.ns500476.ns500440.ns500227.ns500209.yummyflingsfinder[.]com | ns500583.yummyflingsfinder[.]com
ns500599.yummyflingsfinder[.]com ns500631.yummyflingsfinder[.]com |
185.81.114[.]183
185.176.220[.]212 88.119.169[.]205 |
piquantchicksfinder[.]com | ns500458.ns500458.ns500505.ns500528.ns500528.ns500528.ns500458.ns500488.ns500505.ns500458.ns500476.ns500476.ns500488.ns500488.ns500440.ns500227.ns500209.piquantchicksfinder[.]com | ns500583.piquantchicksfinder[.]com
ns500599.piquantchicksfinder[.]com ns500631.piquantchicksfinder[.]com |
185.81.114[.]183
185.176.220[.]212 88.119.169[.]205 |
yummyloversfinder[.]com | ns500528.ns500458.ns500528.ns500505.ns500505.ns500505.ns500488.ns500505.ns500476.ns500458.ns500458.ns500458.ns500440.ns500288.ns500209.yummyloversfinder[.]com | ns500505.yummyloversfinder[.]com
ns500488.yummyloversfinder[.]com ns500458.yummyloversfinder[.]com |
206.188.197[.]111
23.95.170[.]183 185.176.220[.]80 |
unlimitedpartnersfinder[.]com | ns500505.ns500528.ns500505.ns500458.ns500505.ns500505.ns500505.ns500528.ns500528.ns500505.ns500476.ns500488.ns500488.ns500488.ns500488.ns500227.ns500209.unlimitedpartnersfinder[.]com | ns500575.unlimitedpartnersfinder[.]com
ns500618.unlimitedpartnersfinder[.]com ns500635.unlimitedpartnersfinder[.]com |
5.149.255[.]21
141.94.37[.]182 193.142.59[.]198 |
lustypartnersfinder[.]com | ns500414.ns500414.ns500414.ns500502.ns500414.ns500502.ns500485.ns500485.ns500511.ns500485.ns500502.ns500479.ns500414.ns500414.ns500478.ns500268.ns500168.lustypartnersfinder[.]com | ns500313.lustypartnersfinder[.]com
ns500540.lustypartnersfinder[.]com ns500634.lustypartnersfinder[.]com |
188.119.148[.]82
109.205.214[.]13 51.89.16[.]177 |
juicyplaymatesfinder[.]com | ns500501.ns500501.ns500291.ns500501.ns500525.ns500525.ns500525.ns500501.ns500292.ns500213.ns500213.ns500213.ns500291.ns500225.ns500197.juicyplaymatesfinder[.]com | ns500291.juicyplaymatesfinder[.]com
ns500585.juicyplaymatesfinder[.]com ns500643.juicyplaymatesfinder[.]com |
185.176.220[.]151
79.141.165[.]176 51.83.172[.]83 |
Table 4. The domain, query sample, nameservers and nameserver IP addresses in the campaign NSfinder.
The domains within each tunneling campaign share some common attributes, such as the following:
These attributes enable us to identify significant clusters among the tunneling detection results so that we can discover the emerging tunneling campaigns.
This method of detection has revealed four new campaigns that we have described in this article and have named:
We have implemented these techniques as a new campaign monitoring system into our Advanced DNS Security service, providing campaign information and descriptions to our customers. With this system, we have detected four new campaigns from daily tunneling detection results.
The Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attacks with best practices via the following Threat Prevention signature: 13033.
Customers can also receive protections against malicious indicators (domains, IP addresses) mentioned in this article via Advanced URL Filtering.
The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.
Palo Alto Networks Cortex Analytics customers receive protection against DNS tunneling techniques mentioned in this article via the DNS tunneling analytics detector.
Cortex also helps protect against malware from the Hiloti family and others through features such as prevention for shellcode injection.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.