New Threat Intelligence Reveals Misuse of DNS Protocol

New Threat Intelligence Reveals Misuse of DNS Protocol

Over the past 15-plus years, threat actors have developed several interesting and clever techniques for misusing the DNS (Domain Name Service1) protocol. Some of their tricks, like DNS tunneling, gained notoriety for their ability to easily bypass firewalls, and more.

In this article I want to highlight a trend recently uncovered by the Nozomi Networks labs team regarding new misuse of the DNS protocol. This phenomenon is already impacting corporate networks, plus it opens the door to significant threats in the future. We urge security teams to gain an understanding of this new threat intelligence and centrally monitor their networks for traffic related to DNS resolvers susceptible of misuse.

Blockchain-based Domain Name Resolution

Schemes that leverage blockchain technology to map a domain name to IP addresses have been available for a few years. In these implementations, the blockchain acts as a database that stores the actual mapping.

The main difference between this and a regular ICANN-managed DNS domain lies in the fact that no central authority can prevent the registration of a given domain, nor updates to it. By issuing transactions that are included in the blockchain of reference, a user can independently register any available domain or update its status.

We’ve seen how malicious operators attempt to abuse DNS to manage their infrastructure through techniques such as fast-flux and domain generation algorithms. We also know that the technique of choice to counteract a botnet using domain generation algorithms is to compile the full list of domains for a given period of time and share the list with the corresponding registry operators. This creates a centralized way to thwart attempts to register malicious domains.

Namecoin, a blockchain based on Bitcoin, was the first project to popularize the concept of blockchain-based domain name resolution, as early as 2011. In this scenario, the name to IP resolution is stored in a blockchain rather than a DNS zone. A client who wants to know the address of bitcoin.bit, a specific Namecoin domain, is therefore faced with two choices. The first is to download the whole blockchain and keep it up-to-date. The other option is to connect to a special DNS server which knows that the resolution process of some domains, like .bit, should be performed through a different channel than the one used for typical .com domains.

How the OpenNIC Alternative Domain Name Service is Misused

OpenNIC is an interesting DNS community project. Its goal is to provide an alternative name resolution scheme to traditional top-level domain registries. Sadly, as is often the case with pieces of internet infrastructure services that can be misused, there have been instances of malware leveraging OpenNIC to resolve malicious Namecoin domains.

As a result, the part of the infrastructure underpinning OpenNIC ended up in blocklists, with the expected consequences for providers hosting the services. OpenNIC eventually decided to drop support for Namecoin domains in July 2019. Today there’s a similar situation with Emercoin, the blockchain behind the .bazar domain.

Emercoin is conceptually like Namecoin to the malicious operator. That is, domain names can be registered with the same level of anonymity as anybody else issuing transactions that become part of the blockchain.

In the last few months, we’ve seen .bazar domains being used by a piece of malware aptly named Bazar loader / Bazar backdoor. It’s typically deployed in an infection chain that ends with the activation of Ryuk, a ransomware known to be targeting healthcare facilities, amongst others.

The Bazar loader / Bazar backdoor was seen to be relying on OpenNIC to resolve the .bazar domains. Considering how Namecoin was abused, we expect to see some evolution for Emercoin in the near future.

An interesting peculiarity of blockchains is that they’re an append-only data structure. For this reason, any IP associated with a particular domain is always available for examination by security researchers interested in tracking down a specific threat.

 .bazar domains are being exploited
Security teams should take note that .bazar domains are being exploited in infection chains that deploy Ryuk ransomware.

New Threats Are Using DNS over HTTPS

DNS over HTTPS (DoH), is a recently-introduced protocol that resolves domain names over HTTPS, instead of using the typical udp/tcp port 53-based scheme. Since its introduction, DoH has sparked some controversy. This blog isn’t intended to explain the rationale behind these positions, but rather to highlight the usage of the protocol by malicious operators.

DoH clearly requires both a compliant client and a server. Some of the major browsers have been implementing the client part of the protocol since its very beginning as a draft. The most popular public resolvers in use today are those provided by Cloudflare and Google. Notably, in February, Firefox started shipping with DoH switched on by default for all users based in the U.S., with Cloudflare set as the default resolver.

The practical effect of DoH is that the payload of a DNS resolution is encapsulated within a TLS session established between a client and a resolver, therefore hiding its content to a passive network observer.

Security researchers at Huntress Labs recently noticed a piece of malware abusing DoH to retrieve the IP of further hosts belonging to malicious infrastructure. The TXT resource record was crafted to mimic a real DKIM record, but contained encoded IP addresses instead. In this case, if we isolate the resolution process at the network level, what emerges is a TLS connection between the malware and Google public resolver, although by considering the comprehensive behaviour of the threat, several other anomalies will stand out.

DoH has the potential to break an assumption that’s taken for granted in several environments, namely transparently inspecting all DNS traffic traversing a network.

Security teams should carefully evaluate this possibility ahead of time and plan accordingly.

Resolution of a malicious TXT DKIM record
Shown above is the resolution of a malicious TXT DKIM record through the Google public resolver web interface.

Monitor Unconventional DNS Usage to Protect Your Networks

As shown above, malware developers are experimenting with novel techniques to hide their activities, often piggybacking on new technologies that could give them the upper hand in the short term. Given this reality, it’s critical for security teams to leverage technologies that centrally inspect DNS traffic. If communications related to resolvers susceptible to misuse (such as Emercoin or DoH) are detected, alerts should be raised and defensive action taken.

Needless to say, a healthy network requires ongoing monitoring using the latest threat intelligence – make sure yours does.

1 DNS, or Domain Name Service, is an application that translates URLs into IP addresses, in effect, the “phone book” of the internet.