HYAS Blog

Harnessing DNS TXT Records for Malware Execution

Written by Dan White | September 20, 2023

Threat actors continue to formulate clever methods to infiltrate systems and compromise digital security. One such sophisticated technique involves the exploitation of DNS TXT (Text) records, a seemingly innocuous component of the Domain Name System (DNS). This blog post explores the mechanics of how threat actors utilize DNS TXT records to contain PowerShell commands and execute malware, shedding light on the technical intricacies and the implications for cybersecurity.

An Overview of DNS TXT Records

To understand this threat, it helps to know the basics of DNS TXT records. These records are part of DNS, which acts as the Internet's address book, translating human-readable domain names into the IP addresses that computers use. TXT records were originally intended for adding arbitrary text notes to a domain's DNS settings. Over time, however, their versatility has been exploited by threat actors for malicious purposes.

PowerShell is a powerful scripting language built into Windows operating systems. It is legitimate and widely used for system administration tasks. Unfortunately, it has also become a favorite tool for threat actors due to its capabilities for executing complex commands and scripting.

Threat actors have turned DNS TXT records into a covert communication channel and malware delivery mechanism. Here is a simplified breakdown of the steps they take:

1. Crafting the Attack: The threat actor prepares a PowerShell command that serves as a malicious payload. This command could involve downloading additional files, running scripts, or even establishing a connection to a command and control server.

2. Encoding the Command: To obscure the malicious nature of the payload, threat actors encode the PowerShell command using various techniques like Base64 encoding. This encoding makes it more difficult for security solutions to detect the malicious content.

3. Storing the Command in DNS TXT Records: The encoded PowerShell command is inserted into the DNS TXT record associated with a domain controlled by the attacker. This can be a seemingly benign or compromised domain.

4. Triggering the Attack: The infected machine makes a DNS query for the specific domain's TXT record. When the DNS server responds with the encoded PowerShell command, the malicious payload is extracted and executed on the victim's machine.

5. Executing the Malware: Once executed, the PowerShell command can carry out a range of malicious activities, such as downloading and installing malware, stealing sensitive information, or providing remote access to the attacker.

Why DNS TXT Records Are So Enticing

Using DNS TXT records for PowerShell-based malware execution offers several advantages for threat actors, such as:

1. Stealthy Communication: DNS traffic is common and often overlooked, making it an ideal channel for covert communication between malware and the attacker's infrastructure.

2. Evading Traditional Detection: Traditional security solutions may not focus on DNS traffic, allowing malicious commands to pass undetected.

3. Dynamic Payloads: Threat actors can change the malicious payload by simply updating the DNS TXT record, allowing for adaptability and evasion.

However, this technique also presents challenges:

1. Limited Payload Size: DNS TXT records have size limitations, constraining the complexity of the payload that can be delivered.

2. Increased Complexity: Implementing this technique requires the attacker to manage the DNS infrastructure and coordinate the timing of the attack.

3. Risk of Detection: While DNS TXT-based attacks can evade some traditional security mechanisms, more advanced threat detection solutions are becoming attuned to these tactics.

Five Defensive Measures to Deploy

Organizations can take several measures to defend against DNS TXT record-based attacks:

1. DNS Security Solutions: Employ DNS security solutions that can detect and block suspicious DNS traffic patterns.

2. DNS Monitoring: Regularly monitor DNS traffic for anomalies and investigate any unusual queries or responses.

3. DNS Filtering: Implement DNS filtering to block access to known malicious domains and prevent connections to malicious IP addresses.

4. Patch and Update: Keep operating systems, software, and security tools up to date to minimize vulnerabilities that attackers could exploit.

5. Employee Training: Educate employees about the risks of phishing emails and malicious attachments that might trigger these attacks.
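As an added illustration of the DNS monitoring measure (this is not code from HYAS or the original post), the Python example below scans logged TXT responses for Base64 runs that decode to readable text and flags those containing PowerShell tokens, while ignoring binary blobs such as DKIM keys. The tab-separated log format, the token list and the sample records are all constructed assumptions.

```python
import base64
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # long base64-looking runs
# Illustrative token list (an assumption): tune it for your environment.
PS_TOKENS = ("powershell", "invoke-", "iex", "downloadstring", "write-output")

def decode_text(blob):
    """Return text if blob is base64 of mostly-ASCII UTF-16LE/UTF-8, else None."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError:
        return None
    for codec in ("utf-16-le", "utf-8"):  # PowerShell's -EncodedCommand uses UTF-16LE
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        ascii_chars = sum(32 <= ord(c) < 127 or c in "\r\n\t" for c in text)
        if text and ascii_chars / len(text) >= 0.9:
            return text
    return None

def inspect_txt(rdata):
    """Classify one TXT record as 'powershell', 'encoded-text' or 'clean'."""
    for run in B64_RUN.findall(rdata):
        text = decode_text(run)
        if text is None:
            continue  # binary data such as a DKIM public key, not a command
        hit = any(tok in text.lower() for tok in PS_TOKENS)
        return ("powershell" if hit else "encoded-text", text)
    return ("clean", None)

def scan(lines):
    """Scan tab-separated 'client qname qtype rdata' lines (constructed format)."""
    findings = []
    for line in lines:
        client, qname, qtype, rdata = line.split("\t", 3)
        verdict, decoded = inspect_txt(rdata) if qtype == "TXT" else ("clean", None)
        if verdict != "clean":
            findings.append((client, qname, verdict, decoded))
    return findings

def build_sample_log():  # constructed sample responses, not real traffic
    cmd = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
    key = base64.b64encode(bytes(range(200, 256)) * 3).decode()  # binary, DKIM-like
    return ["10.0.0.5\tmail.example.com\tTXT\tv=spf1 include:_spf.example.net ~all",
            "10.0.0.5\tsel._domainkey.example.com\tTXT\tv=DKIM1; k=rsa; p=" + key,
            "10.0.0.9\tupdate.example.net\tTXT\t" + cmd]
```

Calling `scan(build_sample_log())` reports only the third record; the SPF and DKIM-style records pass because they contain no Base64 run that decodes to readable text.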

The abuse of DNS TXT records to contain PowerShell commands for malware execution exemplifies the ever-evolving tactics employed by threat actors to compromise digital security. By understanding the mechanics of this technique and implementing appropriate defensive measures, individuals and organizations can better protect themselves against these sophisticated cyber threats.
