Skip to content

S1021 DnsSystem

DnsSystem is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.net, that has been used by HEXANE since at least June 2022.1

Item Value
ID S1021
Associated Names
Type MALWARE
Version 1.0
Created 24 June 2022
Last Modified 01 September 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS DnsSystem can direct queries to custom DNS servers and return C2 commands using TXT records.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder DnsSystem can write itself to the Startup folder to gain persistence.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell DnsSystem can use cmd.exe for execution.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding DnsSystem can Base64 encode data sent to C2.1
enterprise T1005 Data from Local System DnsSystem can upload files from infected machines after receiving a command with uploaddd in the string.1
enterprise T1041 Exfiltration Over C2 Channel DnsSystem can exfiltrate collected data to its C2 server.1
enterprise T1105 Ingress Tool Transfer DnsSystem can download files to compromised systems after receiving a command with the string downloaddd.1
enterprise T1033 System Owner/User Discovery DnsSystem can use the Windows user name to create a unique identification for infected users and systems.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File DnsSystem has lured victims into opening macro-enabled Word documents for execution.1

Groups That Use This Software

ID Name References
G1001 HEXANE 1

References