Skip to content

T1568 Dynamic Resolution

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware’s communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.123

Item Value
ID T1568
Sub-techniques T1568.001, T1568.002, T1568.003
Tactics TA0011
Platforms ESXi, Linux, Windows, macOS
Version 1.1
Created 10 March 2020
Last Modified 24 October 2025

Procedure Examples

ID Name Description
G0016 APT29 APT29 has used Dynamic DNS providers for their malware C2 infrastructure.20
S1087 AsyncRAT AsyncRAT can be configured to use dynamic DNS.7
S0268 Bisonal Bisonal has used a dynamic DNS service for C2.14
G1002 BITTER BITTER has used DDNS for C2 communications.19
C0026 C0026 During C0026, the threat actors re-registered a ClouDNS dynamic DNS subdomain which was previously used by ANDROMEDA.24
G0047 Gamaredon Group Gamaredon Group has incorporated dynamic DNS domains in its infrastructure.21
S0666 Gelsemium Gelsemium can use dynamic DNS domain names in C2.9
C0043 Indian Critical Infrastructure Intrusions During Indian Critical Infrastructure Intrusions, RedEcho used dynamic DNS domains associated with malicious infrastructure.16
S0449 Maze Maze has forged POST strings with a random choice from a list of possibilities including “forum”, “php”, “view”, etc. while making connection with the C2, hindering detection efforts.13
S0034 NETEAGLE NETEAGLE can use HTTP to download resources that contain an IP address and port number pair to connect to for C2.12
C0002 Night Dragon During Night Dragon, threat actors used dynamic DNS services for C2.26
C0016 Operation Dust Storm For Operation Dust Storm, the threat actors used dynamic DNS domains from a variety of free providers, including No-IP, Oray, and 3322.25
C0005 Operation Spalax For Operation Spalax, the threat actors used dynamic DNS services, including Duck DNS and DNS Exit, as part of their C2 infrastructure.22
G1042 RedEcho RedEcho used dynamic DNS domains associated with malicious infrastructure.16
S0148 RTM RTM has resolved Pony C2 server IP addresses by either converting Bitcoin blockchain transaction data to specific octets, or accessing IP addresses directly within the Namecoin blockchain.1011
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.23
S0559 SUNBURST SUNBURST dynamically resolved C2 infrastructure for randomly-generated subdomains within a parent domain.15
G1018 TA2541 TA2541 has used dynamic DNS services for C2 infrastructure.17
S0671 Tomiris Tomiris has connected to a signalization server that provides a URL and port, and then Tomiris sends a GET request to that URL to establish C2.8
G0134 Transparent Tribe Transparent Tribe has used dynamic DNS services to set up C2.18

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use dynamic resolution and determine future C2 infrastructure that the malware will attempt to contact, but this is a time and resource intensive effort.56
M1021 Restrict Web-Based Content In some cases a local DNS sinkhole may be used to help prevent behaviors associated with dynamic resolution.

References

  1. Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018. 

  2. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017. 

  3. ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019. 

  4. Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019. 

  5. Sternfeld, U. (2016). Dissecting Domain Generation Algorithms: Eight Real World DGA Variants. Retrieved February 18, 2019. 

  6. Kasza, A. (2015, February 18). Using Algorithms to Brute Force Algorithms. Retrieved February 18, 2019. 

  7. Nyan-x-Cat. (n.d.). NYAN-x-CAT / AsyncRAT-C-Sharp. Retrieved October 3, 2023. 

  8. Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021. 

  9. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  10. Eisenkraft, K., Olshtein, A. (2019, October 17). Pony’s C&C servers hidden inside the Bitcoin blockchain. Retrieved June 15, 2020. 

  11. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. 

  12. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024. 

  13. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020. 

  14. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  15. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  16. Recorded Future Insikt Group. (2021, February). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved November 21, 2024. 

  17. Larson, S. and Wise, J. (2022, February 15). Charting TA2541’s Flight. Retrieved September 12, 2023. 

  18. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  19. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022. 

  20. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023. 

  21. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. 

  22. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. 

  23. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. 

  24. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. 

  25. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  26. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.