by: Zoe Wallace & Joel Esler

Imagine receiving a letter with no return address and an unrecognized, seemingly random two-letter country code—curious, right? This scenario is more than just a puzzling mail mystery; it mirrors a growing concern in the digital realm. Most internet users have navigated websites using familiar country code Top-Level Domains (ccTLDs) like “.uk”, “.io”, or “.us”. But what happens when cyber threats hide behind ccTLDs that don’t officially exist? The ThreatSTOP Security Research Team dove into this digital enigma and unearthed a trove of threat intelligence that challenges our understanding of internet safety.

The ThreatSTOP Security Research Team began to notice the use of illegitimate 2-letter TLDs – why would someone try to access a site that does not, and cannot, exist? What we ended up discovering was a fountainhead of threat intelligence. 

To get a better understanding of this form of threat-hunting, we will begin with a brief technical explanation of the various components.

Why are only some TLDs legitimate? When you search for a website, the DNS (Domain Name System) Root Servers are the first to receive the query; they are responsible for directing your request to the IP address of the appropriate top-level domain (TLD) servers. Therefore, the Root Servers are “authoritative” (contain IP Address Records) for all TLDs. If the TLD does not appear in the Address Records, it is illegitimate.

What happens when a Root Server is given a top-level domain that doesn’t exist? The answer is simple: the domain will not route. The Root Server will look through its Address Records, and will return a failure (NXDOMAIN) when it doesn’t find a result. 

Where does the “address book” of TLD IP addresses come from? The “address book” is provided to Root Servers by IANA, the Internet Assigned Numbers Authority. If a TLD is not sanctioned by IANA, its “contact information” will not appear in the Root Server’s “address book,” and the query cannot be directed to the correct server. 

Why would an attacker use an illegitimate TLD? DNS tunneling (for example) requires attackers to enter a fully qualified domain name (FQDN) into DNS query responses, but these FQDNs are not required to resolve to an IP address. Therefore, attackers can respond to DNS queries (from an infected computer to their malicious server) with a fictitious encoded domain name that fits the FQDN format. For example, if the attacker needs to pass an instruction to an infected computer, the infected computer can contact the attacker’s server using a legitimate DNS query, and can receive a response containing an encoded and illegitimate domain name. For instance, APT groups like Hafnium, involved in the Microsoft Exchange server attacks, have utilized similar methods for long-term infiltration and data exfiltration. Meanwhile, malware networks such as TrickBot and Emotet have exploited DNS tunneling for command and control communications.

Why would attackers use a 2-letter TLD specifically? One answer is that attackers can fit one more character of encoded information into their message. Otherwise, they could be randomly chosen. Attackers often use legitimate TLDs, such as ‘.com’ or ‘.us’. 

Why are illegitimate 2-letter TLDs easier to spot? Two-letter TLDs are conspicuous. By filtering Passive DNS records by illegitimate TLDs, researchers can find instances of their use rather quickly. Since there is no legitimate reason to use these unregistered TLDs, the Passive DNS or "PDNS" records are unlikely to show legitimate activity. If they are used by accident, the user is sure to quickly realize their request is failing, so errors tend to have a low number of PDNS hits.  

In summary, this highlights the importance of country code Top-Level Domains (ccTLDs) and unveils the curious case of illegitimate 2-letter TLDs discovered by ThreatSTOP researchers. This discovery has paved the way for a novel approach to cybersecurity, prompting a deeper dive into the mechanics and implications of these anomalous domains in the realm of threat intelligence.

DNS Tunneling and Passive DNS

If you already have an understanding of DNS Tunneling and Passive DNS, feel free to skip to the examples in the next section. Otherwise, here is a quick explanation to provide the necessary context. 

DNS Tunneling can occur when an attacker infects a machine within a network, and uses DNS functions to communicate with this machine. In this situation, information is passed back and forth between a compromised machine and the attacker’s Command and Control (C2) server using DNS queries. 

Imagine if every time you sent a letter through the postal service, it had to go through a specific sorting center to reach its final destination. Now, picture that someone has figured out a way to send secret messages by hiding them inside regular letters. To the sorting center and anyone watching, these look like ordinary mail, but hidden within are messages meant for someone else entirely. This is similar to what happens in DNS tunneling. The internet sends data back and forth like a postal service, and DNS is like the sorting center directing where that data should go. In DNS tunneling, hackers hide malicious data within normal internet traffic. To an untrained eye (or standard security measures), this traffic looks normal, but it actually contains hidden information or commands that can be used to harm networks or steal data.

For instance, consider a scenario where an attacker controls a server associated with 'baddomain.com'. The attacker dispatches a phishing email to numerous computers. Once a user clicks on the link within the email, the malware installed by the attacker prompts the user's computer to issue a DNS request for 'xyz.baddomain.com'. Upon receiving this request, the malicious server is then able to send back data to the compromised computer. Specifically, if the malware initiates a 'TXT' (text) DNS request, the server operated by the attacker can return a message containing hidden commands. This small piece of text data can then instruct the infected machine to perform unauthorized actions, essentially allowing remote control over the device.

This type of traffic is usually difficult to catch and block unless you are continuously monitoring your DNS records, since it uses built-in functions of DNS to transfer data. It also occurs on DNS port 53, which must be open to outside traffic in order for computers within a network to reach the internet. Therefore, this type of communication can evade existing network security measures.

Passive DNS (PDNS) acts like a digital historian, capturing the ebb and flow of DNS traffic. This effort isn't solitary; it's a collaborative orchestra involving giants like ICANN, dedicated security alliances, and the unsung heroes of our online community. Together, they paint a global picture of DNS activity, allowing us to track how domain names and IP addresses evolve over time—a critical task for peeling back the layers of the internet's ever-changing identity.

Think of DNS records as the internet’s address book, but with more than just street names and numbers. There’s 'MX' for directing your emails, 'TXT' for those all-important digital footnotes, 'NS' for pointing out the domain’s go-to authority, and 'CNAME' for when web addresses decide to wear a disguise, redirecting one domain to another. Delving into PDNS records is like detective work; by studying the patterns and shifts in domain queries, we unlock insights into website popularity and spot anomalies that could spell trouble.

Now, onto the intriguing world of DNS tunneling—it’s like the secret passages of cyber threats, allowing attackers to pass hidden messages within legitimate-looking DNS traffic. But it's not without its limitations. The main characters here are 'TXT', 'CNAME', and 'NULL' queries, each playing a different role in the tunneling saga. While 'A' records typically stay out of the espionage game due to their direct nature, 'TXT' records often become the cloak and dagger, disguising malicious data in plain sight. Yet, despite its craftiness, DNS tunneling is no match for more direct communication methods, hemmed in by the DNS structure's own tight constraints and the tiny payloads they carry.

Tunneling and TLDs: Examples

Now, let’s get into a few examples of DNS tunneling revealed in PDNS records. We were able to sort the results by illegitimate two-letter TLD in order to narrow down our search to strictly illegitimate uses of DNS functions.

PTR Records:

In this example, it appears that an attacker and an infected machine may be communicating through PTR (Pointer) records. Since these records require a FQDN in the resource record, the attacker may have chosen the “aa” TLD randomly or as part of their encoded message. 

MX Records:

Here, attackers may be using MX (mail server) requests to exchange information and/or instructions with infected computers. 

MX Records:

Through MX (mail server) requests, it appears that an attacker is exfiltrating data. 

CNAME Records:

Attackers can use CNAME queries to pass information and commands back and forth between the infected client’s machine and the attacker’s machine. 

SRV Records:

In this image, it appears that an attacker is trying to exfiltrate data using SRV (Service) Records. The attack stands out to us because of the .aa TLD present in the resource record data. 

What this Reveals

At ThreatSTOP, we’re more than just a service; we’re your ally in the ever-complicated world of cyber safety. Our platform isn’t just about identifying the bad actors in the form of malicious IP addresses and domains. It’s about diving deeper, beyond the surface, to give you a clearer picture of what’s happening within your network. While we understand that not all battles can be fought within the confines of a client’s Response Policy Zone, we equip you with the means to confront these challenges head-on.

Consider the enigma of illegitimate two-letter TLDs—a puzzle we help you solve. Our strategy isn't just about pointing out the problems; it’s about empowering you with the knowledge to spot and understand the clandestine communications between servers and compromised devices. With Passive DNS (PDNS) records as your lens, the invisible becomes visible. These records are more than data; they are the breadcrumbs leading to potential threats hidden in your network’s nooks and crannies.

Imagine turning these insights into action. When you start sorting through PDNS records, identifying anomalies such as the peculiar *.aa TLDs, you’re not just observing—you’re engaging in proactive defense. This isn’t about chasing shadows; it’s about shining a light on the infrastructures that attackers all too often reuse. It’s about transforming what might seem like cryptic data into a clear roadmap for neutralizing threats. At ThreatSTOP, we’re committed to guiding you through this journey, helping you decipher the signs and strategize your countermeasures, ensuring your network remains a fortress against the ever-evolving landscape of cyber threats.

Expanding on the Theory: “Illegal” IP Addresses

ThreatSTOP researchers have also noticed the use of illegitimate IP addresses within DNS resource records. By searching for A records of reserved (and/or unusable) IP addresses in PDNS records, we can find examples of DNS tunneling using similar methods to the illegitimate 2-letter TLDs. In these cases, where it is clear that the IP address won’t resolve, the A record data (which can only be an IP address) could be a code or signal. 

Consider the following refined scenario: An attacker, after taking control of a server, breaches a computer within a targeted network. The compromised computer tries to communicate with the attacker's server by sending a request for a DNS A record, typically used to obtain an IP address for establishing a network connection. However, in this situation, the attacker's objective is to extract data from the network and send back commands. Therefore, the IP address in the A record could represent an encoded message. This message might appear valid but must conform to the IP address format.

If the attacker's goal is not to send back specific instructions, they might assign a random IP address to the A record. This randomness could lead to the insertion of a non-standard IP, such as one starting with 255—a clear deviation from legitimate practices. Such anomalies, especially when the IP address is part of an encoded subdomain linked to the compromised computer, signal a mistake on the attacker’s part. This misstep provides a tangible lead for security researchers examining Passive DNS (PDNS) records.

By analyzing these irregular requests, researchers can delve deeper into the attacker's methods and infrastructure, aiming to neutralize the threat. Although an attacker might occasionally use an invalid IP address, tracking becomes more challenging when legitimate addresses are employed. However, an unexpected domain name or IP in the DNS request can serve as a crucial clue, enabling experts to uncover associated indicators of compromise (IOCs) and disrupt the ongoing attack.

A Pattern Emerges

Looking through records for ‘illegitimate’ behavior has proven to be an amazing and largely untapped resource for IOCs. While we have explained the opportunities posed by illegitimate top-level domain and IP address use in DNS tunneling, these are not the only methods for catching attackers hiding in the endless expanse of internet traffic logs. 

When we come across records which conform to the standards of their record type, but are unexpected, undefined, or don’t work from a practical standpoint, we can dig deeper to potentially find evidence of an attacker. These small hints can lead to larger discoveries and, ultimately, greater network security. All in all, ThreatSTOP’s recent research has demonstrated that uncovering patterns of commonly perpetrated illegitimate behavior can point us toward new and rewarding avenues of threat intelligence research.

Introducing ThreatSTOP’s Product Suite: Your Shield Against Cyber Threats

At ThreatSTOP, we understand the importance of robust cybersecurity measures. Our suite of products, crafted by the dedicated ThreatSTOP Security, Intelligence, and Research team, provides comprehensive protection against a myriad of digital threats.

  1. DNS Defense Cloud: This product offers DNS protection via our cloud-based servers. It's designed for businesses seeking a streamlined, cloud-based approach to safeguard against malicious domains, ensuring your network remains secure without the need for on-premises hardware.

  2. DNS Defense: For organizations preferring to leverage their existing infrastructure, DNS Defense integrates ThreatSTOP’s intelligence directly onto customer-owned DNS servers. This setup enhances your network's resilience against cyber threats while utilizing your current assets.

  3. IP Defense: Our versatile solution caters to a variety of platforms, from traditional routers and firewalls to modern cloud-based applications like AWS WAF. IP Defense allows you to manage and enforce blocklists, effectively shielding your network from command and control communications, invalid traffic, peer-to-peer communication threats, and more.

Each product is meticulously developed to counteract a range of cyber threats, including but not limited to command and control attacks, data exfiltration, phishing, SPAM, and DDoS activity. Our solutions are tailored to disconnect your network from risks while enabling you to connect confidently with your customers.

Leveraging ThreatSTOP’s Innovations in Real-World Scenarios

Our approach focuses not just on detection but on proactive prevention. By integrating ThreatSTOP's protections, like those within DNS Defense Cloud and DNS Defense, users can preemptively block communications from suspicious or malicious domains. This is particularly beneficial when dealing with the sophisticated tactics employed by entities such as APT groups or malware like TrickBot and Emotet, as previously discussed. Our insights allow users to identify threats such as those posed by the Sea Turtle campaign, which manipulated DNS systems for traffic redirection, showcasing the depth of potential DNS abuses.

Furthermore, IP Defense's flexible blocklist management translates into enhanced control over your network's traffic, enabling you to swiftly respond to emerging threats and suspicious patterns. This aligns seamlessly with our findings on illegitimate TLDs and IP addresses, offering a robust defense mechanism against the exploitation of these vulnerabilities.

By equipping your network with our DNS and IP defense solutions, you ensure a safer, more secure digital environment for your business and your customers. Embrace the power of proactive protection with ThreatSTOP and step into a future where your connections are secure and your risks are mitigated.

Connect with Customers, Disconnect from Risks.