Hackers misuse DNS for malware

Cybercriminals are using increasingly ingenious methods to evade detection. A recent example shows how the Domain Name System (DNS), originally designed to map domain names to IP addresses, is being repurposed as an unusual storage medium for malware.

By splitting a malware file into small chunks and hiding them in DNS TXT records, attackers can store and retrieve files through a channel that often falls outside the view of traditional security tooling.

Researchers at DomainTools reported on Tuesday that they had discovered the trick being used to host a malicious binary for Joke Screenmate, a form of nuisance malware that interferes with the normal operation of a computer. Its behavior ranges from fake warnings and visual disruptions to severe system slowdowns.

Simple but effective method

The underlying mechanism is technically simple but effective, as Ars Technica explains. The malware file is first converted to its hexadecimal representation, which is then split into chunks and stored in the TXT records of a series of subdomains. These records can be retrieved with ordinary DNS queries, reassembled, and converted back into the original binary. Because DNS traffic is rarely inspected in depth by security products, such operations often go unnoticed.
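To make the mechanism concrete, here is an added example (not code from DomainTools, Ars Technica, or the malware itself) that hex-encodes a constructed byte blob, splits it into TXT-sized chunks under numbered subdomains, and reassembles it the way a client would. The zone is an in-memory dict so it runs offline, and `payload.example.test` is a hypothetical attacker-controlled domain; the 255-byte chunk size reflects the DNS limit on a single TXT character-string.

```python
"""
Added example (not DomainTools' or the attackers' code): how a binary can be
hex-encoded, chunked into DNS TXT records across numbered subdomains, and
reassembled by an ordinary resolver client. The "zone" is an in-memory dict
so this runs offline; payload.example.test is a hypothetical domain.
"""
from __future__ import annotations

import binascii
import hashlib

# A TXT record is a sequence of <character-string>s, each at most 255 bytes
# (RFC 1035). Many DNS hosting panels expose one string per record, so an
# attacker keeps each chunk at or below 255 characters.
CHUNK = 255
ZONE_APEX = "payload.example.test"  # assumption: attacker-controlled domain


def stage_payload(blob: bytes, apex: str = ZONE_APEX, chunk: int = CHUNK) -> dict[str, str]:
    """Attacker side: split hex(blob) into TXT records keyed by '<n>.<apex>'."""
    hexed = binascii.hexlify(blob).decode()
    records: dict[str, str] = {}
    for i in range(0, len(hexed), chunk):
        records[f"{i // chunk}.{apex}"] = hexed[i:i + chunk]
    return records


def lookup_txt(zone: dict[str, str], name: str) -> str | None:
    """Stand-in for a DNS TXT query; None plays the role of NXDOMAIN."""
    return zone.get(name)


def fetch_payload(zone: dict[str, str], apex: str = ZONE_APEX) -> bytes:
    """Client side: query 0.apex, 1.apex, ... until NXDOMAIN, join, unhex."""
    parts: list[str] = []
    n = 0
    while (txt := lookup_txt(zone, f"{n}.{apex}")) is not None:
        parts.append(txt)
        n += 1
    return binascii.unhexlify("".join(parts))


def demo() -> tuple[int, bool]:
    """Round-trip a constructed 1280-byte blob; returns (record count, ok)."""
    # Constructed stand-in for a binary: random-looking bytes from a hash chain.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(40))
    zone = stage_payload(blob)
    recovered = fetch_payload(zone)
    return len(zone), recovered == blob


if __name__ == "__main__":
    count, ok = demo()
    print(f"{count} TXT records staged, round-trip ok: {ok}")
```

The 1280-byte blob becomes 2560 hex characters, which lands in 11 TXT records; a real client would issue 11 ordinary TXT queries plus one that returns NXDOMAIN, all of which look like routine resolver traffic unless someone is counting them.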

The situation is further complicated by the rise of encrypted DNS via DoH (DNS over HTTPS) and DoT (DNS over TLS). These protocols encrypt DNS traffic between the client and the resolver, leaving network administrators and security tools with little visibility into the content of the queries. According to Ian Campbell of DomainTools, even organizations that run their own DNS resolvers may struggle to distinguish legitimate from suspicious requests.
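Where an organization does run its own resolver, the query and answer logs are the place to look. The following added example (not part of the DomainTools report) runs a small detector over constructed resolver-log lines in an assumed `timestamp client qtype qname rdata` format: it flags a client that fetches several numbered subdomains under one parent whose TXT answers are long, pure-hex strings, and checks whether the reassembled bytes start with a known executable magic. All hostnames, addresses and log lines are constructed for the example.

```python
"""
Added example (not from the DomainTools report): a small detector run over
constructed resolver-log lines, flagging many TXT lookups for numbered
subdomains under one parent whose answers are long pure-hex strings.
The log format, domains and addresses are assumptions made for the example.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed log lines, assumed format: "<ts> <client> <qtype> <qname> <rdata>".
SAMPLE_LOG = """\
1700000000 10.0.0.5 TXT 0.payload.example.test 4d5a90000300000004000000ffff0000b8000000000000004000000000000000
1700000000 10.0.0.5 TXT 1.payload.example.test 0000000000000000000000000000000000000000000000000000000080000000
1700000001 10.0.0.5 TXT 2.payload.example.test 0e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f
1700000001 10.0.0.5 TXT 3.payload.example.test 742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000
1700000002 10.0.0.5 TXT 4.payload.example.test deadbeefcafef00d0123456789abcdeffedcba9876543210deadbeefcafef00d
1700000010 10.0.0.7 TXT example.com v=spf1 include:_spf.example.com -all
1700000011 10.0.0.7 TXT _dmarc.example.com v=DMARC1; p=reject; rua=mailto:dmarc@example.com
1700000012 10.0.0.7 TXT 1.example.org hello
1700000013 10.0.0.9 A www.example.com 93.184.216.34
"""

HEX_RE = re.compile(r"^[0-9a-fA-F]{32,}$")          # long, pure-hex answer
NUMBERED = re.compile(r"^(\d+)\.(.+)$")               # "<n>.<parent>"
KNOWN_MAGIC = {"4d5a": "PE/MZ", "7f454c46": "ELF"}    # leading bytes worth a second look


def parse_line(line: str) -> dict | None:
    """Parse one log line of the assumed format; None for lines that do not fit."""
    fields = line.split(maxsplit=4)
    if len(fields) != 5 or not fields[0].isdigit():
        return None
    ts, client, qtype, qname, rdata = fields
    return {"ts": int(ts), "client": client, "qtype": qtype.upper(),
            "qname": qname.lower(), "rdata": rdata}


def find_chunked_txt(log_text: str, min_records: int = 4) -> list[dict]:
    """Group hex TXT answers for numbered labels by (client, parent); flag large groups."""
    groups: dict[tuple[str, str], dict[int, str]] = defaultdict(dict)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["qtype"] != "TXT" or not HEX_RE.match(rec["rdata"]):
            continue                      # SPF/DMARC-style answers drop out here
        m = NUMBERED.match(rec["qname"])
        if not m:
            continue                      # only "<n>.<parent>" labels are of interest
        groups[(rec["client"], m.group(2))][int(m.group(1))] = rec["rdata"]

    findings: list[dict] = []
    for (client, parent), chunks in groups.items():
        if len(chunks) < min_records:
            continue
        joined = "".join(chunks[i] for i in sorted(chunks)).lower()
        magic = next((name for prefix, name in KNOWN_MAGIC.items()
                      if joined.startswith(prefix)), "unknown")
        findings.append({"client": client, "parent": parent, "records": len(chunks),
                         "hex_bytes": len(joined) // 2, "magic": magic})
    return findings


if __name__ == "__main__":
    for f in find_chunked_txt(SAMPLE_LOG):
        print(f"{f['client']} pulled {f['records']} hex TXT chunks from {f['parent']} "
              f"({f['hex_bytes']} bytes, magic: {f['magic']})")
```

The thresholds are deliberately loose: legitimate TXT records (SPF, DMARC, domain-verification tokens) are short or contain non-hex characters, so the hex-length filter alone removes most noise, and the numbered-label grouping catches the sequential fetch pattern regardless of which parent domain is used. With DoH or DoT in play this only works at a resolver you control; on the wire there is nothing left to parse.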

Multiple applications

The researchers also encountered other uses of the technique. On another domain, they found PowerShell scripts that act as stagers for further malware, presumably for use with the Covenant command-and-control (C2) framework. Stagers of this kind retrieve their payload from other domains and only become active once a local process executes the script. These, too, were stored and distributed via TXT records.

A notable finding was the use of DNS records for so-called prompt injections aimed at AI chatbots. By embedding prepared instructions as text in DNS records, attackers can try to manipulate the behavior of systems that analyze that text. Examples of these injections range from commands to delete data to instructions that make a model behave completely differently.

The case shows that DNS is no longer a purely functional protocol but a potential vector for data exfiltration, malware distribution, and manipulation. As long as monitoring of DNS traffic lags behind, this blind spot will remain attractive to cybercriminals.