C2 DNS Tunneling

By analyzing the malware, it is possible to find two network indicators within its code:

Figure 3 – observed network IoCs in Winnti sample

The hardcoded 208.67.222.222 is a legitimate OpenDNS DNS server (resolver1.opendns.com). This IP is pushed into a list that the malware builds at runtime. The initialisation routine likely also populates the list with the system's configured DNS server, so the OpenDNS server is used only as a fallback to ensure the C2 domain gets resolved.

The dick[.]mooo[.]com FQDN is provided by FreeDNS, a free dynamic DNS service. Notably, in recent years multiple researchers have reported Winnti/PlugX C2 hostnames hosted in the mooo[.]com zone. In the code we observed that a dot (.) is enforced before the FQDN. Additional analysis revealed that the malware generates subdomains using base128 encoding and attaches them to the FQDN.

Code 1 – Hostname length restriction

Further, a dot is inserted every 57 characters, potentially as a hostname length restriction (a single DNS label cannot exceed 63 characters), which suggests the malware expects long hostnames. We confirmed that the buffer can hold FQDNs of up to 2000 characters.
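The structure described above (encoded data split into 57-character labels and attached to a dynamic-DNS zone) is something a defender can look for in DNS query logs. The following detector is an added example, not code from the report or from the sample; the query names it scans are constructed, the zone `dyn-zone.example` is a placeholder, and the two scoring thresholds are assumptions.

```python
import math
import random
from collections import Counter

LABEL_LEN = 57  # the sample inserts a dot every 57 characters of encoded data

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def analyze_qname(qname: str) -> dict:
    """Score one query name for the tunnelling structure described above.
    Everything left of the last two labels is treated as tunnel payload (this
    also counts the short dynamic-DNS host label, which does not change the verdict)."""
    labels = qname.rstrip(".").split(".")
    payload = labels[:-2]
    data = "".join(payload)
    fixed = sum(1 for label in payload if len(label) == LABEL_LEN)
    ent = shannon_entropy(data)
    return {
        "qname_len": len(qname),
        "zone": ".".join(labels[-2:]),          # pivot for hunting other hosts
        "fixed_len_labels": fixed,
        "payload_entropy": round(ent, 2),
        # heuristic thresholds: two or more 57-byte labels, or >= 100 bytes of
        # high-entropy payload, is far outside what ordinary hostnames look like
        "suspicious": fixed >= 2 or (len(data) >= 100 and ent >= 4.0),
    }

def flag_tunnel_queries(qnames):
    """Return the query names that look like tunnel traffic."""
    return [q for q in qnames if analyze_qname(q)["suspicious"]]

def _constructed_tunnel_query(seed: int, n_labels: int) -> str:
    """Constructed sample: random LABEL_LEN-byte labels joined by dots. Base62 is
    used only to keep the names printable; the sample above uses base128."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    labels = ["".join(rng.choices(alphabet, k=LABEL_LEN)) for _ in range(n_labels)]
    return ".".join(labels) + ".host.dyn-zone.example"  # placeholder zone

# Constructed query log: two tunnel-style names and three benign lookups.
SAMPLE_QUERIES = [
    _constructed_tunnel_query(1, 3),
    _constructed_tunnel_query(2, 4),
    "www.example.com",
    "mail.example.org",
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.assets.example.net",  # hash-like CDN label
]
```

Running `flag_tunnel_queries(SAMPLE_QUERIES)` returns only the two constructed tunnel names; the hash-like CDN label stays below the payload-length threshold, which is the kind of false positive a pure entropy rule would raise.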

Upon further investigation we found that the malware embeds the open-source iodine source code, software that tunnels IPv4 traffic through a DNS server. Interestingly, we are not aware of any earlier documentation highlighting Winnti specifically leveraging iodine for DNS tunneling. However, researchers at Ruhr University Bochum, while hunting for DNS tunnels, observed the APT32 and Wekby APT groups using NULL and TXT records as a C2 communication channel, and they also mentioned the mooo[.]com top level domain in their findings.

The iodine implementation in the Winnti sample is integrated through custom wrappers, as evidenced by the matching functions we discuss in more detail in the following section.