Malware Authors Turn to DNS Protocol as a Covert Channel

Malware authors are using a new technique to keep their communications covert and evade detection: abusing the DNS protocol. According to Fidelis Security, DNS command and control (C&C) and DNS exfiltration can be successful because DNS is an integral part of the internet's infrastructure. Most traffic analyzers don’t look at how the DNS protocol itself is being used, which provides an opportunity for a victim machine to communicate with the bad actor’s C&C server, often without even creating a continuous connection between the two. It’s not just theoretical either: Some malware is already using DNS in such ways, including the WTimeRAT and the Ismdoor Trojan, which was linked to the Shamoon campaign.