S1021 DnsSystem
DnsSystem is a .NET-based DNS backdoor, a customized version of the open source tool DIG.net, that has been used by HEXANE since at least June 2022.[1]
| Item | Value | 
|---|---|
| ID | S1021 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.0 | 
| Created | 24 June 2022 | 
| Last Modified | 01 September 2022 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - | 
| enterprise | T1071.004 | DNS | DnsSystem can direct queries to custom DNS servers and return C2 commands using TXT records.[1] | 
| enterprise | T1547 | Boot or Logon Autostart Execution | - | 
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | DnsSystem can write itself to the Startup folder to gain persistence.[1] | 
| enterprise | T1059 | Command and Scripting Interpreter | - | 
| enterprise | T1059.003 | Windows Command Shell | DnsSystem can use `cmd.exe` for execution.[1] | 
| enterprise | T1132 | Data Encoding | - | 
| enterprise | T1132.001 | Standard Encoding | DnsSystem can Base64 encode data sent to C2.[1] | 
| enterprise | T1005 | Data from Local System | DnsSystem can upload files from infected machines after receiving a command with `uploaddd` in the string.[1] | 
| enterprise | T1041 | Exfiltration Over C2 Channel | DnsSystem can exfiltrate collected data to its C2 server.[1] | 
| enterprise | T1105 | Ingress Tool Transfer | DnsSystem can download files to compromised systems after receiving a command with the string `downloaddd`.[1] | 
| enterprise | T1033 | System Owner/User Discovery | DnsSystem can use the Windows user name to create a unique identification for infected users and systems.[1] | 
| enterprise | T1204 | User Execution | - | 
| enterprise | T1204.002 | Malicious File | DnsSystem has lured victims into opening macro-enabled Word documents for execution.[1] | 
Groups That Use This Software
| ID | Name | References | 
|---|---|---|
| G1001 | HEXANE | [1] |