Hackers are exploiting the Domain Name System (DNS) to hide malware, leveraging its often-overlooked nature to bypass traditional security measures. By encoding malware into hexadecimal strings and breaking them into smaller chunks, attackers store these pieces across multiple DNS subdomains. Generative AI is then used to rapidly generate scripts that reassemble the chunks into functional malware.
This technique lets malware be retrieved over traffic that is rarely inspected closely, especially with the growing adoption of DNS encryption protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT). These protocols protect user privacy by encrypting DNS requests, but they also shield malicious queries from network security tools, making detection even harder.
The method involves converting malware into hexadecimal code, splitting it into small segments, and storing each chunk in the TXT record of subdomains. Once attackers gain limited access to a network, they retrieve these chunks via ordinary-looking DNS queries, reassembling them into functioning malware without triggering antivirus or firewall alerts.
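As an added illustration from the defender's side (not from the original article), the following Python script scans constructed resolver log lines for the pattern just described: one client pulling several long, hex-only TXT answers from sibling subdomains of a single parent domain. The log format, domain names, hex payloads and alert threshold are all assumptions made for the example; legitimate TXT records (SPF, DMARC, DKIM) are included to show they are not flagged.

```python
import re
from collections import defaultdict

HEX_BLOB = re.compile(r"^[0-9a-fA-F]{32,}$")   # long, all-hex TXT payload
MIN_CHUNKS = 3                                  # distinct sibling names before we alert

# Constructed resolver log (not real traffic): "epoch client qname qtype rdata"
SAMPLE_LOG = """\
1700000000 10.0.0.5 0.c.example.test TXT 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
1700000001 10.0.0.5 1.c.example.test TXT ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
1700000002 10.0.0.5 2.c.example.test TXT 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
1700000003 10.0.0.5 3.c.example.test TXT fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
1700000004 10.0.0.7 example.test TXT v=spf1 include:_spf.example.test ~all
1700000005 10.0.0.7 _dmarc.example.test TXT v=DMARC1; p=reject
1700000006 10.0.0.7 selector1._domainkey.example.test TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC
"""

def parse_line(line):
    """Split one log line into (client, qname, qtype, rdata); rdata may contain spaces."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    _ts, client, qname, qtype, rdata = parts
    return client, qname.lower().rstrip("."), qtype, rdata

def find_hex_chunk_series(log_text, min_chunks=MIN_CHUNKS):
    """Return {(client, parent_domain): [labels]} for every client that received
    min_chunks or more hex-only TXT answers from distinct names under one parent."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, qtype, rdata = rec
        if qtype != "TXT" or not HEX_BLOB.match(rdata):
            continue                      # ordinary TXT content (SPF, DKIM, tokens) is skipped
        label, _, parent = qname.partition(".")
        if parent:
            seen[(client, parent)].add(label)
    return {key: sorted(labels) for key, labels in seen.items() if len(labels) >= min_chunks}

if __name__ == "__main__":
    for (client, parent), labels in find_hex_chunk_series(SAMPLE_LOG).items():
        print(f"{client} fetched {len(labels)} hex TXT chunks under {parent}: {labels}")
```

Because DoH and DoT hide these queries from passive network sensors, this kind of check is most useful on logs from a resolver the organisation controls, or on endpoint DNS telemetry.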