How TrickBot Malware Hides C2 Inside DNS Traffic
Detect AnchorDNS on Your Network
One of the riskiest steps in an attacker's operation, once Initial Access, Execution and Persistence are in place, is to "phone home": establish communication with the C2 (Command and Control) server. Attackers invest heavily in obfuscating that traffic with a combination of techniques, and the first choice they must make is the carrier protocol. As its name suggests, the AnchorDNS backdoor hides its C2 communication, including polling, commands and command responses, inside DNS.
In this real training for free event, I will begin with a quick overview of the DNS protocol itself. Then we will do a deep dive into AnchorDNS, where I will show you samples of:
- Initial registration of a new bot checking in with the C2 server
- Periodic requests for new commands
- File/payload requests
- Command results
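As an added example that is not part of this event description and does not reproduce any AnchorDNS sample, the following Python builds and parses a plain DNS query in wire format (the RFC 1035 header and question section) and shows the label and name length limits that bound how much data any DNS-carried channel can fit into a single query name. The zone name, hex payload and transaction ID are invented for illustration; AnchorDNS's own encoding is not represented here.

```python
import struct

MAX_LABEL = 63     # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253     # longest name in dotted form (255 on the wire including length bytes)

QTYPE = {"A": 1, "TXT": 16, "AAAA": 28}


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels terminated by a zero byte."""
    name = name.rstrip(".")
    if len(name) > MAX_NAME:
        raise ValueError("name exceeds %d characters" % MAX_NAME)
    out = bytearray()
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= MAX_LABEL:
            raise ValueError("bad label length: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_qname(buf: bytes, offset: int):
    """Decode labels starting at offset; return (dotted name, offset past the terminator)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers do not occur in the question section of a query
            raise ValueError("unexpected compression pointer")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name: str, qtype: str = "A", txid: int = 0x1234) -> bytes:
    """Standard recursive query: 12-byte header, one question, no other sections."""
    flags = 0x0100                      # QR=0 (query), opcode 0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", QTYPE[qtype], 1)  # QCLASS IN
    return header + question


def parse_query(buf: bytes) -> dict:
    """Parse the header and the first question of a DNS query packet."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", buf[:12])
    qname, off = decode_qname(buf, 12)
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    return {"id": txid, "flags": flags, "qdcount": qdcount,
            "qname": qname, "qtype": qtype, "qclass": qclass}


def name_for_payload(hexdata: str, zone: str) -> str:
    """Split a hex-encoded payload into labels that respect the wire limits.

    This illustrates the constraint every DNS tunnel must honour (63 characters
    per label, 253 for the whole name including the zone); it is an assumed,
    generic layout and not AnchorDNS's format.
    """
    labels = [hexdata[i:i + MAX_LABEL] for i in range(0, len(hexdata), MAX_LABEL)]
    name = ".".join(labels + [zone])
    if len(name) > MAX_NAME:
        raise ValueError("payload does not fit in one query name")
    return name


if __name__ == "__main__":
    # Invented zone and payload for illustration only
    name = name_for_payload("deadbeef" * 12, "c2.example")
    packet = build_query(name, "TXT")
    print(len(packet), "bytes:", parse_query(packet))
```

The two length limits are why tunnelled data shows up on the wire as a run of long, dense labels in front of the attacker's zone: a client that wants to move more than a couple of hundred bytes has no choice but to spread it across many queries.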
AnchorDNS is being actively enhanced, and we'll look at the new encoding and encryption techniques being employed. A trend in malware and red-team tooling (the distinction is increasingly hard to draw) is to give operators advanced ways to customize traffic patterns so they stay below the radar. In the case of AnchorDNS that role is filled by AnchorAdjuster, which we will explore as well.
The good news is that there are ways to detect AnchorDNS, both on the host where the bot is running and on the network, and that is where our discussion goes next. For instance, we'll see why it is so important to watch key Persistence indicators such as Scheduled Tasks and to review the relevant Windows Security Log event IDs. We'll also discuss why you should watch for outbound DNS traffic that bypasses your internal DNS servers, as well as what to look for inside the requests that flow the normal route.
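To make the network-side detection concrete, here is an added Python example (not from this event or from any vendor tool) that runs the two checks described above over a handful of constructed DNS log lines: queries sent to a resolver other than the approved internal ones, and queries whose subdomain labels look like encoded data (a very long label, a hex-only payload, high character entropy, or many distinct names under one base domain from a single host). The log format, the approved-resolver list, the thresholds, and every IP address and domain name are assumptions for the example, and the heuristics are generic DNS-tunnelling indicators rather than AnchorDNS-specific signatures.

```python
import math
from collections import defaultdict

# Assumed values for the example; tune them to your own environment.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # the only resolvers clients may use
LONG_LABEL = 40            # legitimate labels are rarely this long
MIN_HEX_PAYLOAD = 16       # ignore short hex-looking labels such as "abc"
ENTROPY_THRESHOLD = 3.5    # bits per character; random-looking hex scores near 4.0
UNIQUE_SUBDOMAINS = 5      # distinct names under one base domain from one host
HEX_CHARS = set("0123456789abcdef")

# Constructed log lines (not real traffic): timestamp src dst dport qname qtype
LABEL63 = "0123456789abcdef" * 3 + "0123456789abcde"
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.1.2.3 10.0.0.53 53 www.example.com A",
    "2024-01-01T10:00:01Z 10.1.2.3 10.0.0.53 53 mail.example.com A",
    "2024-01-01T10:00:02Z 10.1.2.9 198.51.100.7 53 0123456789abcdef.evil.example TXT",
    "2024-01-01T10:00:03Z 10.1.2.9 198.51.100.7 53 deadbeefcafef00d00112233.evil.example TXT",
    "2024-01-01T10:00:04Z 10.1.2.9 198.51.100.7 53 c0ffee0123456789abcdef.evil.example TXT",
    "2024-01-01T10:00:05Z 10.1.2.9 198.51.100.7 53 0000111122223333ffff.evil.example TXT",
    "2024-01-01T10:00:06Z 10.1.2.9 198.51.100.7 53 " + LABEL63 + ".evil.example TXT",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain labels, base domain). The base domain is approximated as
    the last two labels; a real deployment would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def score_qname(qname: str):
    """Return (base domain, reasons the subdomain part looks like encoded data)."""
    subs, base = split_name(qname)
    payload = "".join(subs)
    reasons = []
    if any(len(label) > LONG_LABEL for label in subs):
        reasons.append("long-label")
    if len(payload) >= MIN_HEX_PAYLOAD and set(payload) <= HEX_CHARS:
        reasons.append("hex-payload")
    if shannon_entropy(payload) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return base, reasons


def parse_line(line: str) -> dict:
    """Parse one space-separated record of the assumed log format."""
    ts, src, dst, dport, qname, qtype = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "qname": qname, "qtype": qtype}


def analyze(lines):
    """Run the resolver-bypass and encoded-name checks; one finding per reason."""
    findings = []
    names_per_base = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        # Check 1: DNS leaving a client for anything but the approved resolvers
        if rec["dport"] == 53 and rec["dst"] not in APPROVED_RESOLVERS:
            findings.append({"src": rec["src"], "qname": rec["qname"],
                             "reason": "resolver-bypass", "detail": rec["dst"]})
        # Check 2: query names that look like they carry data, whatever path they took
        base, reasons = score_qname(rec["qname"])
        for reason in reasons:
            findings.append({"src": rec["src"], "qname": rec["qname"],
                             "reason": reason, "detail": base})
        names_per_base[(rec["src"], base)].add(rec["qname"].lower())
    # Check 2b: one host hitting many distinct subdomains of the same base domain
    for (src, base), names in names_per_base.items():
        if len(names) >= UNIQUE_SUBDOMAINS:
            findings.append({"src": src, "qname": base,
                             "reason": "many-unique-subdomains", "detail": str(len(names))})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["src"], f["reason"], f["qname"], f["detail"])
```

The second group of checks is deliberately independent of the first: a bot that is polite enough to use your internal resolver still has to put its data somewhere in the name, so the shape of the query is worth inspecting even when the path looks normal. Expect the entropy and hex heuristics to need whitelisting for CDN, anti-spam and telemetry domains that legitimately use hash-like labels.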
Tim Helming will take the discussion to the next level by showing how you can expose an attacker's entire infrastructure for one or more campaigns by leveraging a wealth of Passive DNS data gleaned from thousands of vantage points on the Internet. This is a brilliant example of using big data and machine learning to catch the bad guys.