Cyber Criminals Start to use DNS TXT Records to Control Remote Access Trojans

Trojans are one of the most annoying types of malware to deal with these days. Not only can Trojans infect computer systems and cause programs to stop working, but once a Trojan is installed, hackers can also distribute backdoor access tools. In most cases, criminals use Trojans to infiltrate computer systems and networks. A new malware sample goes to show hackers now use DNS TXT records for Trojan communication.

Controlling Trojans In A Different Manner

One of the things people tend to forget is how criminals have to keep control over their Trojans at any given time. Rather than relying on a command and control server which can be shut down by the government at any given time, using DNS TXT records makes a lot more sense. Cisco Talos security researchers discovered this new method of controlling malware through DNS servers, which is quite a troublesome development, to say the least.

Especially remote access trojans are controlled through these DNS TXT records, by the look of things. By using the Domain name System, criminals can effectively establish two-way communication between themselves and the victim’s computer without going through centralized entities or service providers. Moreover, it also makes the communication virtually invisible, which does not help with tracking down the actors responsible for such an attack.

This new method of controlling Trojans has security researchers concerned, and for a good reason. They came across this new control method by accident while studying a new malware sample. As one would expect, the malware is distributed through phishing campaigns, which help criminals increase the odds of successfully infecting as many computers as possible. In these spam emails is a malicious Microsoft Word document that contains the malware payload.

DNS TXT records are mostly used by DNS to transfer text-based information. In fact, the technology has been around for quite some time yet it has never been used for nefarious purposes as far as security researchers can tell. Email authentication functions rely on this technology on a daily basis, making it a very common part of all internet traffic passing through the Domain Name System. Using this mechanism to set up two-way command and control servers is troublesome, as it allows the malware to bypass most enterprise security controls.

This also poses a new problem for companies actively monitoring internet traffic for malicious communication. Looking over web traffic email and other communication protocols is a big step in the right direction. However, no company actively looks at DNS requests, as it is the least likely source of online attacks. That has come to change as of late, which is evident by looking at this new malware sample. It is hard to come up with a solution that will actively monitor DNS traffic for potential threats, though.

It is evident both large and small companies have to start thinking like cyber criminals would. With the number of threats and attack vectors growing all the time, companies have to remain on their toes and look for parts of their communication protocols that are not protected yet. Using DNS TXT records is a big problem, but it may only be a matter of time until criminals have devised yet another scheme to remove centralized servers from the equation.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.