OilRig delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. Not only will this blog discuss the structure of the queries and the responses, but it will also show these protocols in action with screenshots of Wireshark displaying how the tunnels would look within a packet capture. Each of these tools use DNS queries and the answers to these queries to communicate back and forth with its C2 server. This blog will dive deep into the DNS tunneling protocols used by OilRig’s tools Helminth, ISMAgent, ALMACommunicator, BONDUPDATER, and QUADAGENT. All of the DNS tunneling protocols will generate a significant number of DNS queries.Depending on the tool, A, AAAA, and TXT query types have been used by OilRig for tunneling.Data upload includes a sequence number that allows the C2 to reconstruct the uploaded data in the correct order.Most rely on hardcoded IP addresses within the DNS answers to start and stop data transfer.Most rely on an initial handshake to obtain a unique system identifier.All subdomains contain a randomly generated value to avoid the DNS query resulting in a cached response.A high-level analysis of the tunneling protocols used by these tools suggests: The repeated use of DNS tunneling clearly represents one of their preferred communication methods therefore, we chose to publish an overview of OilRig’s tools that use various DNS tunneling protocols.
We have been covering the various tools OilRig uses in their operations, many of which rely on DNS tunneling to communicate between infected hosts and their command and control (C2) server. Unit 42 has been tracking the OilRig threat group since early 2016, which has resulted in over a dozen blogs describing various attacks carried out by this adversary.
To supplement this blog, we have decided to describe a collection of tools that rely on DNS tunneling used by an adversary known as OilRig. On March 15, Unit 42 published a blog providing an overview of DNS tunneling and how malware can use DNS queries and answers to act as a command and control channel.
0 kommentar(er)
