Hidden in Google’s DNS Over HTTPS

 Today’s technological landscape has led to an explosion of cyber security products and services to automatically detect and deal with threats and malware. How-ever, as more and more emphasis is put on automated systems, attackers have to modify their strategies to combat this. Threat detection and analysis company, Huntress Labs, discovered a piece of malware that hides in plain sight and would likely not be detected by most automatic defenses, requiring a human analysis element.

The malware involves maintaining persistence on a system rather than the initial infection. Once inside the system, the malware creates services that seem to be legitimate, BfeOnService.exe and engine.exe, as well as a log file a.chk. The description also seems to be legitimate: however, these services are actually copies of two other services, mshta.exe and powershell.exe. These programs have not been modified except for the name, so an antivirus program wouldn’t flag them as malware. The name change keeps the processes from being flagged by security programs looking for running instances of mshta and powershell which could indicate a threat presence. They parse the log file, which at first glance seems harmless, to extract a payload used by powershell to connect to https://dns.google.com/resolve?name=dmarc.jqueryupdatejs.com&type=txt and retrieve another payload using Google’s DNS service.

The DNS response is actually a DNS TXT record response that contains further information embedded within it. The data field contains what appears to be a ture, which is used to authenticate e-mails from specific domains. However, it is a cleverly hidden base-64 encoded string that, after multiple layers of decoding, Reveals multiple decimal numbers that don’t appear to be anything but are actually IP addresses. For instance, one of the numbers analyzed was 1484238687, but this translates to when entered in a browser address bar. These are the IP addresses for Command & Control servers hosting further payloads. This allows the attacker to rotate servers used for malware delivery, as well as changing the payloads themselves, without having to directly access the victim. Also, while many organizations filter DNS activity on their network, it is much less likely that they would lock down HTTPS access to google.com.

John Hammond, Senior Security Researcher at Huntress Labs, comments, “We found this malware from our own manual analysis. Obviously, there is an incredible benefit from having an automated, always on antivirus and endpoint protection suite… but this lacks the context that humans have. Manual investigation is a must”. The best defense lies somewhere in the balance between automated and human-controlled security practices.


Peraton CyberIntelligence Program (CIP)