DNS tunneling was first discussed by Oskar Pearson on Bugtraq in 1998 and become a popular technique used by malware for C&C communication and data exfiltration. Due to the nature of DNS protocol design, it is fairly easy for NIDS to detect such activity in the network. In 2014, Justin Seitz used GitHub as the new C&C channel in his book (Blackhat Python) and highlighted that very few companies are blocking their corporate server traffic to GitHub. This is still true today but many commercial NIDS are flagging such traffic so it’s no longer an ideal channel for malware to stay under the radar.
In this talk, we will look at how malware can maintain a covert communication channel to an external APT without getting detected by popular NIDS like Snort and Zeek. This can be done by monitoring the OS connection table and selectively pick the hosts of any known cloud services that are in use instead of hardwiring a specific cloud service. In addition, hostnames used by the apt/yum repository in a system are also inspected for CDN usage as attackers can host their covert channel behind the same CDN service to evade NIDS detection. This method guarantees the outbound connection will always work and continuously keep the traffic outside the radar of NIDS.
Later, we will move on to the cloud environment and demonstrate a more robust C&C and data exfiltration channel by using an attacker-owned S3 bucket to evade AWS GuardDuty detection. This is a blind spot that can be used to stay undetected from GuardDuty due to the different way how it sees IAM authenticated requests versus S3 pre-signed URL requests. Besides, we will also explore other AWS services that can be misused as the covert channel for C&C and data exfiltration without getting detected by GuardDuty in this talk.