Dynamic Resolution

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server, malware may employ dynamic resolution as a means of reestablishing command and control.[1][2][3]

ID: T1568
Sub-techniques: T1568.001, T1568.002, T1568.003
Platforms: Linux, Windows, macOS
Permissions Required: User
Contributors: Chris Roffe
Version: 1.0
Created: 10 March 2020
Last Modified: 11 March 2022

Procedure Examples

ID Name Description
G0016 APT29

APT29 has used Dynamic DNS providers for their malware C2 infrastructure.[4]

S1087 AsyncRAT

AsyncRAT can be configured to use dynamic DNS.[5]

S0268 Bisonal

Bisonal has used a dynamic DNS service for C2.[6]

G1002 BITTER

BITTER has used DDNS for C2 communications.[7]

C0026 C0026

During C0026, the threat actors re-registered a ClouDNS dynamic DNS subdomain which was previously used by ANDROMEDA.[8]

G0047 Gamaredon Group

Gamaredon Group has incorporated dynamic DNS domains in its infrastructure.[9]

S0666 Gelsemium

Gelsemium can use dynamic DNS domain names in C2.[10]

S0449 Maze

Maze has forged POST strings with a random choice from a list of possibilities including "forum", "php", "view", etc. while connecting to the C2, hindering detection efforts.[11]

S0034 NETEAGLE

NETEAGLE can use HTTP to download resources that contain an IP address and port number pair to connect to for C2.[12]

C0002 Night Dragon

During Night Dragon, threat actors used dynamic DNS services for C2.[13]

C0016 Operation Dust Storm

For Operation Dust Storm, the threat actors used dynamic DNS domains from a variety of free providers, including No-IP, Oray, and 3322.[14]

C0005 Operation Spalax

For Operation Spalax, the threat actors used dynamic DNS services, including Duck DNS and DNS Exit, as part of their C2 infrastructure.[15]

S0148 RTM

RTM has resolved Pony C2 server IP addresses by either converting Bitcoin blockchain transaction data to specific octets, or accessing IP addresses directly within the Namecoin blockchain.[16][17]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.[18]

S0559 SUNBURST

SUNBURST dynamically resolved C2 infrastructure for randomly-generated subdomains within a parent domain.[19]

G1018 TA2541

TA2541 has used dynamic DNS services for C2 infrastructure.[20]

S0671 Tomiris

Tomiris has connected to a signalization server that provides a URL and port, and then Tomiris sends a GET request to that URL to establish C2.[21]

G0134 Transparent Tribe

Transparent Tribe has used dynamic DNS services to set up C2.[22]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use dynamic resolution and determine the future C2 infrastructure that the malware will attempt to contact, but this is a time- and resource-intensive effort.[23][24]

M1021 Restrict Web-Based Content

In some cases a local DNS sinkhole may be used to help prevent behaviors associated with dynamic resolution.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocol(s)).

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
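As an added illustration of the detection guidance above (not part of the ATT&CK page), the following Python checks DNS query logs for the two patterns this technique's procedure examples describe: names under dynamic DNS providers such as Duck DNS or No-IP, and randomly generated subdomains fanned out under one parent domain as SUNBURST did. The log lines, client addresses, the `parent.example` domain and the provider watchlist are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Dynamic DNS providers this page names (Duck DNS, No-IP, ClouDNS, 3322); the
# registrable domains below are an assumed watchlist, not taken from the page.
DDNS_WATCHLIST = ("duckdns.org", "no-ip.com", "ddns.net", "cloudns.net", "3322.org")

# Constructed DNS query log: "<timestamp> <client> <queried name>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com
2024-05-01T10:00:02Z 10.0.0.5 updates.example.org
2024-05-01T10:00:03Z 10.0.0.7 kx7f2q9zlm3vd8b.parent.example
2024-05-01T10:00:04Z 10.0.0.9 host-report.duckdns.org
2024-05-01T10:00:06Z 10.0.0.7 p4ws0hd2ng7ytj6.parent.example
2024-05-01T10:00:07Z 10.0.0.7 r3cxm8vq1fbz5ka.parent.example
"""

def shannon_entropy(s):
    """Bits of entropy per character; generated labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def classify_query(qname, min_len=12, min_entropy=3.5):
    """Reasons one query name looks like dynamic C2 resolution."""
    name = qname.lower().rstrip(".")
    reasons = []
    if any(name.endswith("." + suffix) for suffix in DDNS_WATCHLIST):
        reasons.append("dynamic-dns-provider")
    leftmost = name.split(".")[0]
    if len(leftmost) >= min_len and shannon_entropy(leftmost) >= min_entropy:
        reasons.append("random-looking-subdomain")
    return reasons

def scan_log(text):
    """Per-query findings as (client, qname, reasons) for suspicious lines."""
    rows = [line.split() for line in text.splitlines()]
    return [(c, q, r) for _ts, c, q in rows if (r := classify_query(q))]

def subdomain_fanout(text, threshold=3):
    """Clients resolving >= threshold distinct labels under one parent domain,
    the pattern SUNBURST showed with generated subdomains of one domain."""
    seen = defaultdict(set)
    for line in text.splitlines():
        _ts, client, qname = line.split()
        label, _, parent = qname.lower().rstrip(".").partition(".")
        if parent:
            seen[(client, parent)].add(label)
    return {key: len(subs) for key, subs in seen.items() if len(subs) >= threshold}
```

The entropy and fan-out thresholds are starting points to tune against a baseline of the environment's normal DNS traffic; pair the hits with the process-to-connection correlation described above before acting on them.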

References