<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="margin:0px;font-size:12pt;background-color:rgb(255, 255, 255)"><span style="margin:0px;color:rgb(0, 0, 0) !important;background-color:rgb(255, 255, 255)"><span style="margin:0px;background-color:rgb(255, 255, 255) !important"><span style="margin:0px;background-color:rgb(255, 255, 255) !important"><span style="margin:0px;background-color:rgb(255, 255, 255) !important"><span style="margin:0px;font-size:14.67px">Hello,</span></span><span style="margin:0px;background-color:rgb(255, 255, 255) !important;display:inline !important"></span><span style="margin:0px;background-color:rgb(255, 255, 255) !important;display:inline !important"></span></span></span></span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<div style="margin:0px;font-size:12pt;background-color:rgb(255, 255, 255)">
<div style="margin:0px;color:rgb(0, 0, 0) !important;background-color:rgb(255, 255, 255)">
<div style="margin:0px;background-color:rgb(255, 255, 255) !important">
<div style="margin:0px;background-color:rgb(255, 255, 255) !important">
<div style="margin:0px;font-size:15px;color:rgb(32, 31, 30) !important;background-color:rgb(255, 255, 255) !important">
<div style="margin:0px;font-size:12pt;color:rgb(0, 0, 0) !important">
<div style="margin:0px;background-color:rgb(255, 255, 255) !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;font-size:15px;color:rgb(32, 31, 30) !important;background-color:white !important">
<div style="margin:0px;font-size:12pt;color:black !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;font-size:15px;color:rgb(32, 31, 30) !important;background-color:white !important">
<div style="margin:0px;font-size:12pt;color:black !important"><span style="margin:0px;background-color:white !important"></span>
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;font-size:15px;color:rgb(32, 31, 30) !important;background-color:white !important">
<div style="margin:0px;font-size:12pt;color:black !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;font-size:15px;color:rgb(32, 31, 30) !important;background-color:white !important">
<div style="margin:0px;font-size:12pt;color:black !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;font-size:15px;color:rgb(32, 31, 30) !important;background-color:white !important">
<div style="margin:0px;font-size:12pt;color:black !important"><span style="margin:0px;background-color:white !important"></span>
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;font-size:15px;color:rgb(32, 31, 30) !important;background-color:white !important">
<div style="margin:0px;font-size:12pt;color:black !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;font-size:15px;color:rgb(32, 31, 30) !important;background-color:white !important">
<div style="margin:0px;font-size:12pt;color:black !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;font-size:15px;color:rgb(32, 31, 30) !important;background-color:white !important">
<div style="margin:0px;font-size:12pt;color:black !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;font-size:15px;color:rgb(32, 31, 30) !important;background-color:white !important">
<div style="margin:0px;font-size:12pt;color:black !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;font-size:15px;color:rgb(32, 31, 30) !important;background-color:white !important">
<div style="margin:0px;font-size:12pt;color:black !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;font-size:15px;color:rgb(32, 31, 30) !important;background-color:white !important">
<div style="margin:0px;font-size:12pt;color:black !important"><span style="margin:0px;background-color:white !important"></span>
<div style="margin:0px;background-color:white !important">
<div style="margin:0px;font-size:14.67px;background-color:white !important">I hope everyone is doing well!</div>
<div style="margin:0px;font-size:14.67px;background-color:white !important"><br>
</div>
<div style="margin:0px;font-size:14.67px;background-color:white !important">Below is the entry for today.</div>
<div style="margin:0px;font-size:14.67px;background-color:white !important"><br>
</div>
<div style="margin:0px;font-size:14.67px;background-color:white !important">11/16/2021 - Diary entry #391<br>
<br>
</div>
<blockquote style="font-size:14.67px;margin-top:0px;margin-bottom:0px;background-color:white !important">
<div style="margin:0px"></div>
<div style="margin:0px"></div>
<div style="margin:0px"></div>
Today we are going to talk about a technique heavily used by rootkit malware to disguise its network connections: DNS tunneling.
<div><br>
</div>
<div>DNS queries are made by almost every computer connected to the internet. Simplifying, DNS works as a hierarchical and decentralized name database. When you try to access a domain, let's say google.com, your system makes a DNS query to its DNS server to retrieve the IP address for that domain. If that DNS server doesn't know the domain, it asks another DNS server higher in the hierarchy, and so on, until the domain's IP address is found or every server in the hierarchy answers that the domain is unknown. That process is what we call DNS resolution. One important aspect of DNS resolution is the hierarchy: if you try to resolve a sub-domain, the DNS query is delegated to the name servers of the parent domain. For instance, when you resolve mail.google.com, the resolver asks the DNS servers for google.com where mail.google.com is.</div>
<div><br>
</div>
<div>This explanation is very condensed, but it gives an idea of how DNS resolution works. Malware has abused DNS resolution to communicate stealthily since the early 2000s, and it is still used today, especially by rootkits. By crafting special DNS requests to domains they control, the malware doesn't open a connection to the malicious server directly; instead it makes an ordinary request to the machine's already trusted DNS server, and the packets reach the malicious server once that DNS server tries to resolve the domain.</div>
<div><br>
</div>
As an example, one sample analyzed by our team used DNS tunneling to exfiltrate data by adding chunks of data to the sub-domain and making several requests, like 0.&lt;chunk0&gt;.domain.com, 1.&lt;chunk1&gt;.domain.com, and so on. On the C&amp;C side, it just needs to order the DNS requests by their index to reconstruct the original file, all without opening a direct connection to the attacker's server, which makes it much harder to block with simple firewall solutions that only filter direct connections. The flip side is that every one of those requests still passes through the machine's trusted DNS server, so the DNS query logs are the natural place to look for this kind of traffic.
<div style="margin:0px"><br>
</div>
</blockquote>
<span style="margin:0px;font-size:14.67px;background-color:white !important">Kind Regards,</span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div></div>
<div></div>
<div></div>
<div></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<table style="font-family:"Times New Roman"; font-size:medium; text-align:start">
<tbody>
<tr>
<td width="180" align="left" style="width:180px">
<table width="120" align="left">
<tbody>
<tr>
<td colspan="3" align="center"><a href="https://www.appgate.com/"><img alt="" width="120" height="30" src="https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png"></a></td>
</tr>
<tr>
<td colspan="3" align="center"> </td>
</tr>
<tr>
<td width="37%" align="center"><a href="https://www.linkedin.com/company/appgate-security/"><img width="18" height="18" alt="" src="https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png"></a></td>
<td width="28%"><a href="https://twitter.com/AppgateSecurity"><img width="20" height="18" alt="" src="https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png"></a></td>
<td width="35%"><a href="https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ"><img width="26" height="18" alt="" src="https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png"></a></td>
</tr>
</tbody>
</table>
<p> </p>
</td>
<td width="350" colspan="2" rowspan="2" style="width:350px">
<p style="font-family:Arial,Helvetica,sans-serif; font-size:13px; color:rgb(12,12,12)">
<strong>Felipe Duarte Domingues</strong><br>
Security Researcher<br>
<strong>Appgate</strong></p>
<p style="font-family:Arial,Helvetica,sans-serif; font-size:13px; color:rgb(12,12,12)">
E:<span> </span><font color="#228ebe"><a href="mailto:felipe.duarte@appgate.com" title="mailto:felipe.duarte@appgate.com">felipe.duarte@appgate.com</a></font><br>
O: <span style="background-color:rgb(255,255,255); display:inline!important">+55 19 98840 2509</span></p>
</td>
</tr>
</tbody>
</table>
<br>
</div>
</div>
</div>
</div>
</body>
</html>