Hackers exploit a blind spot by hiding malware inside DNS records


Cybercriminals are increasingly hiding malware in a surprising location: domain name system (DNS) records, which link domain names to their numerical IP addresses. This tactic lets them deliver malicious scripts and early-stage malware without downloads from questionable websites or email attachments, which antivirus programs often flag. The method is effective because DNS traffic typically goes under the radar of many security measures. While web and email communications are closely monitored, DNS requests represent a significant blind spot in cybersecurity defenses.

Recent research by DomainTools has revealed that hackers have been using this method to host a malicious binary associated with Joke Screenmate, a type of disruptive malware that can interfere with a computer's operations. To evade detection, the malware was converted from binary format to hexadecimal, a compact encoding system using digits and letters. The hexadecimal data was then split into numerous segments, each embedded within the DNS records of various subdomains of whitetreecollective[.]com. Specifically, these segments were placed in TXT records, which are typically used for validating site ownership in services like Google Workspace.

Once an attacker gains access to a secured network, they can retrieve these segments through seemingly harmless DNS queries. The pieces can then be reassembled and converted back into their original binary form. This technique not only facilitates the delivery of malware but also complicates detection efforts, especially as encrypted DNS protocols, such as DNS over HTTPS (DoH) and DNS over TLS (DoT), become more prevalent.
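A defender-side sketch of how the pattern described above could be spotted in resolver logs, added here as an example and not taken from the article or the DomainTools research. It flags parent domains where several distinct subdomains return TXT values that are nothing but a long run of hex digits. The log format, the thresholds, the two-label parent heuristic and the `.example` names are all assumptions made for illustration.

```python
import re
from collections import defaultdict

HEX_RE = re.compile(r"[0-9a-fA-F]+")
MIN_HEX_LEN = 64     # assumed threshold: short hex strings also occur in benign records
MIN_SUBDOMAINS = 3   # assumed threshold: distinct subdomains carrying hex-only data

# Constructed sample of logged TXT answers as (query name, TXT value) pairs.
SAMPLE_TXT_ANSWERS = [
    ("corp.example", "v=spf1 include:_spf.google.com ~all"),
    ("corp.example", "google-site-verification=abc123DEF456ghi789"),
    ("1.stage.example", "0a1b" + "90" * 40),
    ("2.stage.example", "00" * 30 + "ff" * 12),
    ("3.stage.example", "e8" * 48),
    ("sel._domainkey.corp.example", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"),
    ("id.other.example", "ab" * 40),  # one long hex value alone is not enough to flag
]


def is_hex_chunk(txt: str) -> bool:
    """True when the whole TXT value is one long run of hex digits."""
    value = txt.strip().strip('"')
    return len(value) >= MIN_HEX_LEN and HEX_RE.fullmatch(value) is not None


def parent_domain(qname: str) -> str:
    """Naive parent: the last two labels (assumption; use a public-suffix list in practice)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_chunked_hex_domains(answers):
    """Return {parent: sorted subdomains} for parents with many hex-only TXT records."""
    hits = defaultdict(set)
    for qname, txt in answers:
        if is_hex_chunk(txt):
            hits[parent_domain(qname)].add(qname.rstrip(".").lower())
    return {p: sorted(s) for p, s in hits.items() if len(s) >= MIN_SUBDOMAINS}


if __name__ == "__main__":
    for parent, names in find_chunked_hex_domains(SAMPLE_TXT_ANSWERS).items():
        print(f"{parent}: {len(names)} subdomains with hex-only TXT data -> {names}")
```

A check like this depends on TXT answers being visible, for example in the logs of an internal resolver; lookups sent over DoH or DoT to an outside resolver never reach it.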

Sources: Ars Technica

Published On : Jul 16, 2025, 11:20
