How Threat Actors Are Using ScareCrow to Bypass EDR Tools
As technology progresses, defensive as well as offensive measures for security constantly evolve. Security researchers consistently find new ways to exploit...
UltraViolet Cyber
In a constantly evolving digital landscape, adversaries are continuously devising new tactics and techniques to bypass security measures and compromise victim networks. A known documented method threat actors have been observed leveraging is DNS tunneling to establish stealthy and resilient communication channels, facilitating malicious activities such as data exfiltration to a C2 server. A recent case study performed by Palo Alto Unit 42 revealed that threat actors have now begun leveraging DNS tunnelling in the initial phases of an attack for scanning campaign efficiency and tracking a victim’s network. This data is based upon three distinct DNS tunneling campaigns which utilize unique methods to gather intel while still evading detection. (Wang et al., 2024i)
Leveraging DNS tunneling can be effective against a target network due to its ability to exploit the inherent trust and ubiquity of DNS traffic, evade traditional security measures, and blend in with legitimate traffic to operate stealthily. Data gathered by PA Unit 42 provides further insight on how threat actors are now utilizing DNS tunneling to scan network infrastructure and track victim activities, helpful in facilitating attacks. One identified campaign nicknamed
“TrkCdn,” focuses on tracking victim interactions with phishing email content. According to Unit 42, this campaign targeted 731 potential victims using 75 IP addresses for nameservers and resolving 658 attacker-controlled domains. Through encoded subdomains, threat actors monitor when targets open phishing emails, enabling them to refine their strategies and deliver malicious payloads effectively. "In this application of DNS tunneling, an attacker's malware embeds information on a specific user and that user's actions into a unique subdomain of a DNS query," the researchers explained. "This subdomain is the tunneling payload, and the DNS query for the FQDN (Fully Qualified Domain Name) uses an attacker-controlled domain".1 For tracking purposes, attackers can then query DNS logs from their authoritative nameservers and compare the payload with the hash values of the email addresses to monitor campaign performance. Similarly, a campaign nicknamed "SpamTracker” utilizes a tracking mechanism
in a comparable manner to “TrkCdn” by leveraging DNS tunneling to track spam delivery. The intent being to lure victims to click on the links behind which threat actors have concealed their payload in the subdomains.
The final campaign identified as “SecShow”, utilizes DNS tunneling to perform reconnaissance on a network infrastructure. By embedding IP addresses and timestamps into DNS queries, adversaries can map network configurations and identify exploitable weaknesses. This campaign generally targets open resolvers thus victims mainly come from education, high tech and government fields, where open resolvers are commonly found. This can be useful for threat actors in the initial phases of an attack as they can acquire useful information about the network while remaining undetected. Adversaries within this specific campaign typically perform reflective attacks which is a technique that leverages DNS to spoof source IP addresses and send forged queries to DNS servers. This technique allows them to identify vulnerabilities and can be the first step for DNS spoofing, DNS cache poisoning or DNS amplification attacks.
[1] Liu, S. W., Ruian Duan, Daiping. (2024, May 13). Leveraging DNS Tunneling for Tracking and Scanning.
Unit 42. https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/?web_view=true
Muncaster, P. (2024, May 14). Hackers Use DNS Tunneling to Scan and Track. Infosecurity Magazine.
https://www.infosecurity-magazine.com/news/dns-tunneling-scan-track-victims/
Application Layer Protocol: DNS, Sub-technique T1071.004 - Enterprise | MITRE ATT&CK®. (n.d.).
Attack.mitre.org. https://attack.mitre.org/techniques/T1071/004/
We’re here to help. Get in touch for an initial conversation with one of our security experts and learn more about how UltraViolet Cyber can help you take cyber readiness and resilience to new levels.