Recent reports of hiding images in DNS records inspired a search of the passively collected DNS records in DNSDB Scout for such files in the wild. Put very simply, a file can be split into pieces and stored across DNS TXT records; the pieces can then be retrieved with DNS queries and reassembled. Such files persist until the DNS operator removes or overwrites the records, which turns the name server into a form of unwitting file or data storage. The initial report described splitting image files, converting the pieces to hexadecimal, and writing them into a domain’s TXT records. For that reason, we searched the beginning of DNS TXT RDATA for the hexadecimal-encoded magic bytes of a wide range of executable and common file types, using regex patterns such as the following:

^"((ffd8ffe[0-9a-f].{12,})|(89504e47.{12,})|(47494638[79]61.{8,})|(255044462d.{10,})|(504b0304.{12,})|(4d5a.{16,59}|4d5a.{61,})|(7f454c46.{12,})|(c[ef]faedfe.{12,})|(1f8b08.{14,})|(377abcaf271c.{8,})|(526172211a07.{8,}))
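To show how that pattern behaves on real-looking records, here is an added Python example (not part of the original post or of DNSDB's tooling) that compiles the regex above verbatim, maps each alternative to a file-type label, and runs it over a constructed set of TXT records. The record field names (rrname, rrtype, rdata) are assumed to follow the DNSDB API's output and the domains are placeholders; the pattern itself is unchanged from the search above, including its expectation of the opening quote that DNSDB puts around TXT RDATA.

```python
import re

# The search pattern from the post, verbatim: anchored on the opening quote
# of the TXT RDATA, then one alternative per hex-encoded magic sequence.
MAGIC_RE = re.compile(
    r'^"((ffd8ffe[0-9a-f].{12,})|(89504e47.{12,})|(47494638[79]61.{8,})'
    r'|(255044462d.{10,})|(504b0304.{12,})|(4d5a.{16,59}|4d5a.{61,})'
    r'|(7f454c46.{12,})|(c[ef]faedfe.{12,})|(1f8b08.{14,})'
    r'|(377abcaf271c.{8,})|(526172211a07.{8,}))'
)

# Labels in the same order as the alternatives above (capture groups 2..12).
MAGIC_LABELS = ["jpeg", "png", "gif", "pdf", "zip", "exe",
                "elf", "mach-o", "gzip", "7z", "rar"]

# Constructed sample records (placeholder domains, not real DNSDB output).
# Field names follow the DNSDB API as an assumption.
SAMPLE_RECORDS = [
    {"rrname": "7.felix.stf.example.invalid.", "rrtype": "TXT",
     "rdata": ['"4d5a90000300000004000000ffff0000b800"']},
    {"rrname": "example.invalid.", "rrtype": "TXT",
     "rdata": ['"v=spf1 include:_spf.example.invalid -all"']},
    {"rrname": "icon.example.invalid.", "rrtype": "TXT",
     "rdata": ['"89504e470d0a1a0a0000000d49484452"']},
]


def classify_txt_rdata(rdata: str):
    """Return the file-type label whose hex magic opens this TXT RDATA, or None."""
    m = MAGIC_RE.match(rdata)
    if m is None:
        return None
    # groups()[0] is the outer group; the first non-None inner group is the hit.
    for label, group in zip(MAGIC_LABELS, m.groups()[1:]):
        if group is not None:
            return label
    return None


def find_embedded_files(records):
    """Collect (rrname, label) for every TXT record that opens with a known magic."""
    hits = []
    for rec in records:
        if rec.get("rrtype") != "TXT":
            continue
        for rdata in rec.get("rdata", []):
            label = classify_txt_rdata(rdata)
            if label is not None:
                hits.append((rec["rrname"], label))
    return hits


if __name__ == "__main__":
    for rrname, label in find_embedded_files(SAMPLE_RECORDS):
        print(f"{rrname}\t{label}")
```

Note that the pattern is lowercase-only and requires a minimum payload length after each magic (for example at least 16 hex characters after 4d5a), so a record that holds only the first few bytes of a header is deliberately not reported.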

One of the findings from 2021-2022 was a set of TXT records beginning with the hexadecimal magic sequence of an executable file header:

C83464356139303030303330303030303030343030303030306666666630303030623830303030303030303030303030303430303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030306538303030303030306531666261306530306234303963643231623830313463636432313534363836393733323037303732366636373732363136643230363336313665366536663734323036323635

The same .exe header value was seen on 3 different domains, each sharing the same subdomain pattern. 

Digging into one of the domains, “*.felix.stf.whitetreecollective[.]com.”, we see that it has several hundred iterated integer subdomain labels, each with a different TXT RDATA value. This suggested that the .exe file was fragmented across all of those subdomains, with the integer label recording each fragment's position in the sequence.

By exporting the domain's TXT records as JSON and having a generative AI throw together a script to reassemble the fragments in the correct order, we were able to compute the SHA256 hashes of the files stored in the DNS TXT records:

  • 7ff0ecf2953b8662ede1577e330a514f09992c18aa3c14ed77cf2ffc115b0866
  • e7b22ba761a7f853b63933ffe517cc61596710dbdee992a429ac1bc8d04186a1
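For readers who want to reproduce the reassembly step, here is an added Python example; it is not the script used for the post and not DNSDB tooling. It takes a JSON export of TXT records, uses the leftmost integer label as the fragment index, checks that the sequence is contiguous and the payload is valid hex, and returns the decoded bytes together with their SHA256. The export field names (rrname, rrtype, rdata) follow the DNSDB API as an assumption, and the embedded sample is a constructed three-fragment record set under a placeholder domain, not data from the domains discussed.

```python
import hashlib
import json
import re

# Constructed sample export (placeholder domain, not real DNSDB output).
# Field names follow the DNSDB API as an assumption; the fragments are
# deliberately out of order, as a passive DNS export would return them.
SAMPLE_EXPORT = json.dumps([
    {"rrname": "2.felix.stf.example.invalid.", "rrtype": "TXT",
     "rdata": ['"ffff0000"']},
    {"rrname": "0.felix.stf.example.invalid.", "rrtype": "TXT",
     "rdata": ['"4d5a9000"']},
    {"rrname": "1.felix.stf.example.invalid.", "rrtype": "TXT",
     "rdata": ['"0300000004000000"']},
])


def _sequence_number(rrname: str) -> int:
    """The leftmost label of the owner name is the fragment index."""
    label = rrname.split(".")[0]
    if not label.isdigit():
        raise ValueError(f"leftmost label is not an integer: {rrname}")
    return int(label)


def _unquote_txt(rdata: list) -> str:
    """Join the quoted character-strings that TXT RDATA is rendered as.

    A record longer than 255 bytes is split into several quoted chunks;
    escaped quotes inside a chunk do not occur in hex payloads.
    """
    return "".join(re.findall(r'"([^"]*)"', " ".join(rdata)))


def reassemble(export_json: str) -> bytes:
    """Order the fragments by index, verify they are contiguous, and decode."""
    fragments = {}
    for rec in json.loads(export_json):
        if rec.get("rrtype") != "TXT":
            continue
        seq = _sequence_number(rec["rrname"])
        hexdata = _unquote_txt(rec["rdata"]).lower()
        if len(hexdata) % 2 or not re.fullmatch(r"[0-9a-f]*", hexdata):
            raise ValueError(f"fragment {seq} is not valid hex")
        # Passive DNS may hold several observations of one name; they must agree.
        if fragments.get(seq, hexdata) != hexdata:
            raise ValueError(f"conflicting data for fragment {seq}")
        fragments[seq] = hexdata
    if not fragments:
        raise ValueError("no TXT fragments found")
    wanted = range(min(fragments), max(fragments) + 1)
    missing = [i for i in wanted if i not in fragments]
    if missing:
        raise ValueError(f"missing fragments: {missing}")
    return bytes.fromhex("".join(fragments[i] for i in wanted))


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of the reassembled file, for comparison with known hashes."""
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """A DOS/PE image begins with the 'MZ' signature."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    blob = reassemble(SAMPLE_EXPORT)
    kind = "PE/MZ header" if looks_like_pe(blob) else "unknown format"
    print(f"{len(blob)} bytes, {kind}, sha256 {sha256_hex(blob)}")
```

The contiguity check matters in practice: passive DNS only records what sensors happened to see, so a missing subdomain means the reassembled file is incomplete and its hash will not match anything, which is better reported than silently produced.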

Both files appear to be Joke Screenmate malware. These are a form of prank software and commonly exhibit the following behaviors once run on a machine:

  • Simulating destructive actions: The program might display fake error messages, fictitious virus warnings, or animations that mimic the deletion of system files, causing panic for the user.
  • Interfering with user control: Some screenmates are designed to be difficult to close, may multiply on the screen, or actively evade the user’s mouse cursor.
  • Displaying unsolicited content: These programs can present a continuous stream of jokes, images, or animations that can be distracting and difficult to stop.
  • System performance issues: Like any running application, they consume system resources, and poorly coded screenmates can lead to system slowdowns or crashes.

A brief review of other TXT records for the 3 domains opened another line of inquiry: malicious commands stored in TXT records. This was seen in multiple TXT records associated with drsmitty[.]com, such as the TXT record of the following subdomain: 15392.484f5fa5d2.dnsm.in.drsmitty[.]com.

The command contains an encoded PowerShell script that acts as a stager and connects to another domain, cspg[.]pw. The URL it requests (/api/v1/nps/payload/stage1) is the default endpoint from which a Covenant C2 server serves its next-stage payload.

That the malicious stager script is stored in a DNS TXT record is not by itself enough; some other action would first have to take place on a system to retrieve and execute the script, such as the following:

In summary, in 2021-2022 a malicious actor used DNS TXT records to store, and possibly deliver, Screenmate malware and stagers for likely Covenant C2 infections. The same C2 domain was seen in another domain’s TXT record in July 2017: msg1.rickrick.qa.urab[.]org.