
Attackers abuse Google DNS over HTTPS to download malware - stanleydrew
https://www.bleepingcomputer.com/news/security/attackers-abuse-google-dns-over-https-to-download-malware/
======
jiveturkey
TFA doesn't explain correctly or adequately what's going on. No wonder there
are no comments yet.

Attackers put their data as TXT records in DNS. The victim needs to already
otherwise have the first-order payload installed and running. It (the malware)
queries DNS for C&C or the 2nd-stage payload location. The point of using DoH is
that IDS systems can't see inside it. In theory, anyone deploying IDS should
be MITMing HTTPS anyway, so this data should be inspectable.

Basically it's IDS avoidance. You must already be infected.

For most users, most orgs, it doesn't matter. Regular DNS would have been
fine. I doubt orgs are filtering DNS TXT responses.

It would be interesting to learn from Kaspersky, eset, etc how effective this
attack is.

~~~
jdhbbbhb
What kind of malware can you fit into 256 characters?

~~~
rolph
One that grows by 256-character increments until the infiltration is done and
the resulting kbytes of script/code is executed.

~~~
LinuxBender
Exactly. A coworker and I used to challenge each other to a game of
red-team/blue-team with DNS exfil. I ran the DNS servers. He would exfil data or
download malicious payloads. I had to detect and ideally block his
shenanigans. Rate limiting per IP and per domain slowed him down, but didn't
stop him. Tools like Snort and Bro or enterprise firewalls will see this too,
but there are plenty of ways to evade corporate firewalls.

DoH makes this harder. You have to either block all the public DoH servers
(never ending arms race) or intercept all outbound connections, which very few
companies are willing to do either for privacy or cert management reasons.
There are other rabbit holes here as well that would take all day to explain.
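The chunked TXT-record staging rolph and jiveturkey describe, and the per-IP/per-domain counters LinuxBender used to catch it, as an added detection example that is not part of this thread. It assumes a constructed resolver log format ("timestamp client qname qtype answer_bytes") and a crude last-two-labels domain grouping; it only sees queries that reach a resolver or TLS-inspecting proxy you control, which is exactly what DoH to a public resolver takes away.

```python
# Added example (not from the thread): flag a client that pulls many distinct
# TXT records, or many TXT bytes, from one domain (chunked payload staging).
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log, format assumed: "<ts> <client> <qname> <qtype> <bytes>".
# 10.0.0.7 fetches sequential TXT chunks from a staging domain; 10.0.0.5 is benign.
SAMPLE_LOG = """\
1600000001 10.0.0.5 www.example.com A 16
1600000002 10.0.0.7 c0.stage.example.net TXT 255
1600000003 10.0.0.7 c1.stage.example.net TXT 255
1600000004 10.0.0.7 c2.stage.example.net TXT 255
1600000005 10.0.0.7 c3.stage.example.net TXT 255
1600000006 10.0.0.7 c4.stage.example.net TXT 255
1600000007 10.0.0.7 c5.stage.example.net TXT 255
1600000008 10.0.0.5 _dmarc.example.com TXT 80
1600000009 10.0.0.5 mail.example.com MX 30
"""

def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels); real code should use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_line(line: str) -> Tuple[int, str, str, str, int]:
    ts, client, qname, qtype, nbytes = line.split()
    return int(ts), client, qname.lower(), qtype.upper(), int(nbytes)

def find_txt_staging(log: str, min_records: int = 5, min_bytes: int = 1000) -> List[dict]:
    """One alert per (client, domain) whose distinct TXT names or cumulative TXT
    answer bytes exceed the thresholds; rate limiting would key on the same counters."""
    names: Dict[Tuple[str, str], set] = defaultdict(set)
    total: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in log.splitlines():
        if not line.strip():
            continue
        _, client, qname, qtype, nbytes = parse_line(line)
        if qtype != "TXT":
            continue  # only TXT answers carry the staged data here
        key = (client, registered_domain(qname))
        names[key].add(qname)
        total[key] += nbytes
    alerts = []
    for key in names:
        if len(names[key]) >= min_records or total[key] >= min_bytes:
            alerts.append({"client": key[0], "domain": key[1],
                           "txt_names": len(names[key]), "txt_bytes": total[key]})
    return sorted(alerts, key=lambda a: a["txt_bytes"], reverse=True)
```

Lowering the thresholds trades false positives (DMARC/SPF lookups are legitimate TXT traffic) for earlier detection, which is the same tuning problem the rate limiting in the post ran into.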

------
otterley
Source article: [https://blog.huntresslabs.com/hiding-in-plain-sight-part-2-dfec817c036f](https://blog.huntresslabs.com/hiding-in-plain-sight-part-2-dfec817c036f)

