
Zloader’s Secret DNS Tunneling Tactics for Stealthy C2 Unveiled


Zscaler researchers have documented a DNS tunneling technique in the latest variant of Zloader, a long-running malware family: the malware encapsulates its encrypted command-and-control (C2) traffic inside DNS queries and responses, giving it a covert channel to its C2 server.

Zloader's static configuration now carries two new sections for DNS tunneling. The first, named "fordns", holds an HTTPS URL that Zloader uses during the TLS handshake that secures its connection to the C2 server, followed by the hostname of the C2 nameserver, for example "ns1.brownswer.com".

Zloader decrypted static configuration.

The second section lists a set of preferred IP addresses to use when resolving the C2 nameserver, most likely chosen by the operators for redundancy, so that at least one path to the C2 still works if another is blocked or taken down.

Before it initiates communication, Zloader reads a value from a designated location in its .rdata section; this value serves as a unique identifier for the infected machine, much like a bot ID.

DNS tunneling proceeds only if the retrieved value matches the expected hash value stored in the configuration. On a mismatch Zloader terminates, which likely serves to keep a sample from talking to a C2 it was not built for and to frustrate analysis in a debugger or sandbox where the value has not been set up.

Zloader MZ header modification prior to initializing the expected bot ID hash parameter in the .rdata section.

Once these checks pass, Zloader uses a custom protocol that defines how C2 data is laid out inside the resource records of a DNS response.

For tunneling, Zloader can use both A records, which normally map a hostname to a 32-bit IPv4 address, and AAAA records, which normally map a hostname to a 128-bit IPv6 address; in the tunnel those address fields carry protocol data instead.

By hiding its traffic inside what looks like ordinary name resolution, Zloader sidesteps controls that inspect web traffic for malicious patterns but let DNS through largely unexamined, and it gains a bidirectional channel to the C2 server.

Zloader attack chain

Over this channel the C2 server sends commands to the bot and receives stolen data from the compromised system, letting Zloader keep its foothold on infected machines and carry out its objectives.
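The following Python is an added illustration of the generic mechanism described above; it is not Zloader's actual wire format (which only Zscaler's full analysis details) and not Zscaler's code. Upstream bytes travel in the query name, downstream bytes are chunked into the 4-byte rdata of A records or the 16-byte rdata of AAAA records. The session/sequence header, the 2-byte length prefix, the base32 label encoding and the stand-in domain `ns1.example.invalid` are assumptions made for this example, and the data is left unencrypted for readability; a real tunnel such as Zloader's encrypts the bytes before framing them.

```python
"""Illustrative DNS-tunnel framing with A/AAAA resource records.

Added example: NOT Zloader's real protocol and not Zscaler's code. Header
layout, base32 labels and the stand-in domain are assumptions; data is left
unencrypted so the framing is visible.
"""
import base64
import ipaddress
import struct

TUNNEL_DOMAIN = "ns1.example.invalid"      # assumed stand-in for the C2 nameserver
MAX_UPSTREAM = 100                          # keeps the query name under 253 chars
RDATA_WIDTH = {"A": 4, "AAAA": 16}          # payload bytes carried per record


def encode_query_name(session_id: int, seq: int, data: bytes) -> str:
    """Upstream: session/seq header + data, base32, split into <=63-char labels."""
    if len(data) > MAX_UPSTREAM:
        raise ValueError("upstream chunk too large for one query name")
    raw = struct.pack(">HH", session_id, seq) + data
    b32 = base64.b32encode(raw).decode().rstrip("=").lower()
    labels = [b32[i:i + 63] for i in range(0, len(b32), 63)]
    return ".".join(labels + [TUNNEL_DOMAIN])


def decode_query_name(qname: str) -> tuple:
    """Server side: strip the tunnel domain, undo base32, unpack the header."""
    labels = qname.split(".")
    suffix = TUNNEL_DOMAIN.split(".")
    if labels[-len(suffix):] != suffix:
        raise ValueError("not a tunnel query")
    b32 = "".join(labels[:-len(suffix)]).upper()
    raw = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    session_id, seq = struct.unpack(">HH", raw[:4])
    return session_id, seq, raw[4:]


def encode_records(payload: bytes, rtype: str) -> list:
    """Downstream: 2-byte length prefix + payload, zero-padded, one rdata per chunk.

    Each 4-byte chunk becomes an A record, each 16-byte chunk an AAAA record.
    """
    width = RDATA_WIDTH[rtype]
    addr_cls = ipaddress.IPv6Address if rtype == "AAAA" else ipaddress.IPv4Address
    framed = struct.pack(">H", len(payload)) + payload
    framed += b"\x00" * (-len(framed) % width)
    return [(rtype, str(addr_cls(framed[i:i + width])))
            for i in range(0, len(framed), width)]


def decode_records(records: list) -> bytes:
    """Client side: concatenate the packed addresses, honour the length prefix."""
    buf = b"".join(ipaddress.ip_address(addr).packed for _, addr in records)
    (length,) = struct.unpack(">H", buf[:2])
    return buf[2:2 + length]


def exchange(session_id: int, seq: int, upstream: bytes,
             command: bytes, rtype: str = "AAAA") -> tuple:
    """Simulate one round trip: bot -> query name -> C2 -> answer records -> bot."""
    qname = encode_query_name(session_id, seq, upstream)           # bot builds the query
    sid, sq, received = decode_query_name(qname)                   # C2 parses it
    answers = encode_records(command, rtype)                       # C2 builds the reply
    return (sid, sq, received), answers, decode_records(answers)   # bot reads the command


if __name__ == "__main__":
    # Constructed sample data; neither string comes from real Zloader traffic.
    meta, answers, cmd = exchange(0xBEEF, 1, b"host=WS01;user=alice", b"task:collect-creds")
    print(meta)
    print(answers)
    print(cmd)
```

Note what the "addresses" look like in the answer list: they are valid IPv6 literals that no host will ever connect to, which is exactly why tunneled A/AAAA answers stand out to anyone correlating DNS answers with subsequent connections.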

According to Zscaler, Zloader remains a persistent threat that has evolved to evade detection by moving its C2 communication into DNS tunneling; combined with its other new features, this makes it a potent initial-access tool that often precedes ransomware deployment.

To reduce the risk Zloader poses, organizations should strengthen their defenses and monitor DNS traffic as closely as web traffic. Signals that expose this kind of channel include unusually high query volumes to a single domain, long high-entropy subdomain labels that rarely repeat, A/AAAA answers that are never followed by a connection to the returned address, and queries sent directly to resolvers other than the organization's own, which the hard-coded resolver list in Zloader's configuration makes likely.
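To make that monitoring advice concrete, here is an added example of a heuristic scorer run over a constructed DNS query log. It is not Zscaler's detection logic and has not been tuned against real Zloader traffic: the log format, the thresholds, the two-of-three scoring rule, and the sample domains and addresses are all assumptions made for the example. It scores each registered domain on query volume, on the entropy and uniqueness of the leftmost label, and on AAAA answers that fall outside the 2000::/3 global-unicast range, which is where tunnel-encoded bytes usually land.

```python
"""Heuristic DNS-tunnel scorer over a constructed query log.

Added example, not Zscaler's or any vendor's detection logic. A domain is
flagged when at least two of three indicators fire: high query volume,
high-entropy and rarely repeated leftmost labels, and AAAA answers that are
not global-unicast addresses. Every log entry below is constructed.
"""
import base64
import hashlib
import ipaddress
import math
from collections import Counter, defaultdict

MIN_QUERIES = 20            # assumed thresholds; tune to the environment
MIN_UNIQUE_RATIO = 0.8
MIN_LABEL_ENTROPY = 3.0
FLAG_SCORE = 2
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_domains(log: list) -> dict:
    """Return {domain: {"score", "indicators", "queries"}} for every domain in the log."""
    per_domain = defaultdict(list)
    for rec in log:
        per_domain[registered_domain(rec["qname"])].append(rec)
    result = {}
    for domain, recs in per_domain.items():
        labels = [r["qname"].split(".")[0] for r in recs]
        unique_ratio = len(set(labels)) / len(labels)
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        v6 = [ipaddress.ip_address(a) for r in recs if r["qtype"] == "AAAA"
              for a in r["answers"]]
        odd_v6 = sum(1 for a in v6 if a not in GLOBAL_UNICAST_V6) / len(v6) if v6 else 0.0
        indicators = []
        if len(recs) >= MIN_QUERIES:
            indicators.append("volume")
        if unique_ratio >= MIN_UNIQUE_RATIO and mean_entropy >= MIN_LABEL_ENTROPY:
            indicators.append("label_entropy")
        if odd_v6 > 0.5:
            indicators.append("non_routable_aaaa")
        result[domain] = {"score": len(indicators), "indicators": indicators,
                          "queries": len(recs)}
    return result


def flagged(log: list) -> set:
    return {d for d, s in score_domains(log).items() if s["score"] >= FLAG_SCORE}


def build_sample_log() -> list:
    """Constructed log: two benign domains and one tunnel-like domain."""
    log = []
    # Benign: repeated lookups of a few well-known hosts with a stable A answer.
    for i in range(30):
        host = ["www", "mail", "www"][i % 3]
        log.append({"client": "10.0.0.5", "qname": f"{host}.example.com",
                    "qtype": "A", "answers": ["203.0.113.10"]})
    # Benign: numbered CDN hosts (distinct labels, but low entropy and low volume).
    for i in range(10):
        log.append({"client": "10.0.0.5", "qname": f"img{i:02d}.cdn-example.net",
                    "qtype": "A", "answers": [f"198.51.100.{i + 1}"]})
    # Tunnel-like: 40 unique base32 labels under one nameserver, each answered
    # with two AAAA records whose 16 bytes are really ASCII command text.
    for i in range(40):
        digest = hashlib.sha256(f"beacon-{i}".encode()).digest()
        label = base64.b32encode(digest).decode().lower()[:40]
        cmd = f"t{i:03d}-collect-creds-and-exfil".encode().ljust(32, b"\x00")
        answers = [str(ipaddress.IPv6Address(cmd[j:j + 16])) for j in range(0, 32, 16)]
        log.append({"client": "10.0.0.5", "qname": f"{label}.ns1.example.invalid",
                    "qtype": "AAAA", "answers": answers})
    return log


if __name__ == "__main__":
    for domain, s in score_domains(build_sample_log()).items():
        print(domain, s)
    print("flagged:", flagged(build_sample_log()))
```

The registered-domain helper deliberately keeps only the last two labels; against real traffic that mis-groups names under multi-label public suffixes, so swap in a Public Suffix List lookup before relying on the per-domain counts.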
