How a New Botnet Establishes Command & Control

It is the latest fallout from Log4J and threat actors use DNS tunneling to accomplish it.

Security researchers tracked a new Linux attack taking advantage of the Log4J vulnerability. A brand new botnet programmed to carry out the attack architects a DNS tunnel to establish command and control and unpack a malicious payload.

How does this attack work and is your organization able to detect it? Let’s take a look.

New DNS tunneling attack: how it works

The research team at Netlab detected the attack and named it B1txor20 based on the file names it uses. 

 “In short, B1txor20 is a Backdoor for the Linux platform, which uses DNS Tunnel technology to build C2 communication channels.”

Typically, DNS requests and replies perform legitimate IP (web) address lookups, translating between the web address you type in and the number string of an actual IP address. 

Attackers abuse the trust of this protocol in a DNS tunneling attack. 

It is essential to understand how a DNS tunneling attack can work, especially because recent research reveals they are increasingly expensive for organizations.

Let’s say an end-user clicks on a malicious file and loads malware onto their device, or attackers exploit a security vulnerability to plant malware on your network. These things lay the foundation for this type of attack.

Next, hackers need a way to communicate with that malware.

And they are increasingly using DNS tunneling to establish a communications channel with the malicious code. With this type of attack, they bypass traditional controls like firewalls to connect to the malware, communicate with it, and exfiltrate data from the network through this DNS channel.

This is what the new botnet did in the Linux backdoor attack, according to researchers:

“Bot sends the stolen sensitive information, command execution results, and any other information that needs to be delivered, after hiding it using specific encoding techniques, to C2 as a DNS request; After receiving the request, C2 sends the payload to the Bot side as a response to the DNS request. In this way, Bot and C2 achieve communication with the help of DNS protocol.”

How can you detect DNS tunneling on the network?

Attackers use DNS techniques because they mimic regular traffic. And to avoid detection, they typically establish this command and control (C2) through common ports and standard encryption protocols. These are the reasons NetOps and SecOps are often unaware this is happening until threat actors complete their attack.

However, you can now detect and stop these attacks, even though threat actors hide their command-and-control efforts inside whitelisted DNS traffic.

A Network Detection and Response (NDR) platform is the answer.

LiveAction Chief Data Scientist Andrew Fast discussed this recently on a webinar about detecting advanced threats. He’s advocating for an NDR approach called Encrypted Traffic Analysis.

“Encrypted Traffic Analysis (ETA) combined with machine learning techniques effectively identifies malicious C2 activity on the network. Despite having no visibility into the content of the exchange, ETA tells us a great deal about encrypted traffic and provides us valuable insights to aid network defenders.”

This approach includes three levels of command-and-control detection:

Level 1 ETA
Uncovers beaconing.
An infected system uses beaconing to re-establish contact with the control infrastructure. ETA captures this communication pattern of intervals and byte totals to reveal C2.

Level 2 ETA
Reveals DNS tunneling.
Tunneling encapsulates one protocol (or layer) of encryption within another one. This type of traffic has a different dynamic profile than standard traffic on that port. This level of Encrypted Traffic Analysis detects the difference.

Defends against TLS fingerprinting.
Malware often uses different encryption software libraries than those used by browsers, apps, and legitimate software. Encrypted Traffic Analysis spots the difference.

Level 3 ETA
Analyzes the sequence of packet lengths.
The back-and-forth communications between the C2 infrastructure and the infected target have specific characteristics. ETA spots the difference between legitimate patterns and malicious ones.

NDR platforms vary significantly.
Many Network and Detection platforms can perform Level 1 ETA, some can achieve Level 2 ETA, but LiveAction Threat Eye NV is much more robust. It performs all three levels and powers network defenders to stop advanced attacks in progress, even ransomware.

The platform generates automated SoC-ready alerts that are MITRE ATT&CK labeled and help speed investigation.

The result is greater resiliency, reduced risk, and increased cybersecurity.

In this case, we explored a DNS tunneling attack targeting Linux environments and an approach to detect and stop it. Visit the LiveAction blog for more on network security, visibility, and performance.