Dynamic Resolution

Dynamic resolution refers to an adversary algorithmically and continuously adjusting C2 communication parameters (such as domain names, IP addresses and ports) in order to evade detection mechanisms that rely on static signatures. Traditional defenses depend mainly on detecting the characteristics of domain generation algorithms, analyzing anomalous DNS request patterns, or identifying newly registered domains, and block the traffic by combining traffic behavior analysis with threat intelligence matching. As attack techniques have evolved, however, dynamic resolution has developed into a highly covert means of communication control.

To defeat traditional detection systems, adversaries integrate dynamic resolution tightly with new network protocols, cloud infrastructure and cryptographic mechanisms, producing multi-dimensional evasion capabilities. This technical evolution shows three characteristics: first, strong randomization of the mechanism that generates communication parameters, with cryptographically secure algorithms introduced to make prediction harder; second, blending the resolution behavior into its surroundings, using legitimate business traffic such as CDNs and blockchains to cover malicious communication; third, abuse of protocol-layer metadata, exploiting gaps in protocol specifications to transmit commands covertly.

The core logic of current dynamic-resolution evasion techniques is to build a continuously evolving communication system that is tightly coupled to legitimate business traffic. Algorithmic domain generation breaks the dependence on static signatures through high-frequency parameter changes, forcing defenders to turn to algorithm reversing and behavioral-model detection; CDN-disguised resolution exploits the trust placed in cloud service infrastructure, dissolving the characteristics of malicious traffic into the legitimate content-delivery process; protocol metadata obfuscation breaks out of the traditional payload-inspection paradigm by hiding attack fingerprints in the blind spots of protocol-stack parsing; and blockchain-anchored resolution uses a decentralized architecture to make the control channel resistant to takedown. What these techniques have in common is that they align the key characteristics of C2 communication (endpoint addresses, interaction protocols, data transfer patterns) along multiple dimensions with the normal business characteristics of the target network environment, forming a covert communication model that "looks legitimate and keeps evolving".

The development of evasion techniques puts traditional detection systems based on rule matching and static IOCs at risk of systemic failure. Defenders need to build dynamic threat-modeling capabilities, combining semantic analysis of network traffic, extraction of metadata features from encrypted traffic, and cross-protocol correlation to achieve deep awareness of covert resolution behavior. At the same time, threat monitoring of emerging infrastructure such as CDNs and blockchains must be strengthened, and public-private intelligence-sharing mechanisms established to counter the abuse of that infrastructure.
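As an added illustration of the behavioral-modeling direction described above (example code written for this page, not part of the original page or of ATT&CK), the following Python script scores the labels of queried names in a DNS log with simple lexical features (Shannon entropy, vowel and digit ratios, longest consonant run) to surface names that look algorithmically generated. The log lines, the thresholds and the `example-dyn.test` zone are constructed assumptions. Thresholds need tuning against an organization's own baseline, and the CDN-disguise and blockchain variants discussed above leave no such lexical trace, so this is one signal among several rather than a complete detector.

```python
import math
from collections import Counter

# Constructed DNS query log lines (timestamp, client IP, queried name, record type).
# These are made-up sample records, not captured traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 mail.example.com A
2024-05-01T10:00:03Z 10.0.0.7 xk3jd9qwlzp0vbna.example-dyn.test A
2024-05-01T10:00:04Z 10.0.0.7 q7h2m9zxw4ktp1rb.example-dyn.test A
2024-05-01T10:00:05Z 10.0.0.9 cdn.static-assets.example.net A
"""

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random labels approach log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def label_features(label: str) -> dict:
    """Lexical features of one DNS label that separate generated from human-chosen names."""
    letters = [ch for ch in label if ch.isalpha()]
    digits = sum(ch.isdigit() for ch in label)
    vowels = sum(ch in VOWELS for ch in letters)
    longest_run = run = 0
    for ch in label:
        # Count consecutive consonant letters; digits, vowels and hyphens reset the run.
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest_run = max(longest_run, run)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": digits / len(label) if label else 0.0,
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "consonant_run": longest_run,
    }


def looks_generated(label: str) -> bool:
    """Assumed heuristic thresholds (tune to your own baseline): a long, high-entropy
    label that is vowel-poor, digit-heavy, or contains a long consonant run."""
    f = label_features(label)
    if f["length"] < 12 or f["entropy"] < 3.5:
        return False
    return f["vowel_ratio"] < 0.25 or f["digit_ratio"] > 0.2 or f["consonant_run"] >= 5


def suspicious_queries(log_text: str) -> list:
    """Return (client, qname) pairs in which any non-TLD label looks generated."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        labels = qname.lower().rstrip(".").split(".")
        if any(looks_generated(lbl) for lbl in labels[:-1]):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    for client, qname in suspicious_queries(SAMPLE_LOG):
        print(f"{client} -> {qname}")
```

Run against the constructed log, only the two `example-dyn.test` queries from 10.0.0.7 are reported; `static-assets` is long but its entropy and vowel ratio are those of ordinary English, so it passes.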

ID: T1568
Sub-techniques: T1568.001, T1568.002, T1568.003, T1568.004
Tactic: Command and Control
Platforms: Linux, Windows, macOS
Permissions Required: User
Contributors: Chris Roffe
Version: 1.0
Created: 10 March 2020
Last Modified: 11 March 2022

Evasion Effects

Effect type                     Present
Signature disguise
Behavioral transparency
Data obscuring
Spatiotemporal trace dilution

Signature disguise

Adversaries hide communication characteristics by imitating legitimate protocol interaction patterns. In CDN-disguised resolution, malicious traffic strictly follows the standard communication conventions of a content delivery network, including HTTPS encryption, API call formats and cache-control policies, so that at the protocol-feature level the C2 traffic is indistinguishable from normal CDN business traffic. Blockchain-anchored resolution uses the public data-exchange protocols of cryptocurrency networks, giving resolution requests the outward appearance of legitimate digital-asset transactions.

Data obscuring

Dynamic resolution techniques generally use a multi-layer encryption scheme that combines transport-layer encryption (such as TLS 1.3) with application-layer encryption, protecting the communication content end to end. In algorithmic domain generation, the adversary derives domain seeds with cryptographic algorithms so that third parties cannot predict subsequent communication nodes by reverse engineering. Protocol metadata obfuscation exploits the default encryption of protocols such as QUIC to hide metadata tampering.

Spatiotemporal trace dilution

Adversaries dilute attack signatures by dynamically switching communication nodes and desynchronizing in time. CDN-disguised resolution uses global edge nodes to rotate communication endpoints at minute-level granularity, while blockchain-anchored resolution relies on the block interval of the blockchain network (for example Bitcoin's 10-minute block time) to deliver control commands at discrete intervals. This dynamic distribution across space and time makes it hard for any single detection node to capture the complete attack chain, significantly increasing the difficulty of threat correlation analysis.
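To show how the endpoint rotation described above can be detected in aggregate rather than one query at a time, here is an added Python example (not code from the page or from ATT&CK) that counts, per client and per parent domain, how many distinct subdomains are resolved inside a sliding time window and flags pairs that exceed a threshold. The log records, the window, the threshold and the `cdn-example.net` allowlist entry are constructed assumptions. The allowlist exists because legitimate CDN zones show the same churn, which is exactly the cover the CDN-disguise variant exploits, so such zones need an explicit per-zone baseline rather than a blanket exclusion. The parent-domain helper takes the last two labels, a simplification; a public suffix list should be used in practice.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS query records (timestamp, client IP, queried name); made-up sample data.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.7 a1f3.example-dyn.test
2024-05-01T10:01:10Z 10.0.0.7 b9c2.example-dyn.test
2024-05-01T10:02:20Z 10.0.0.7 c77d.example-dyn.test
2024-05-01T10:03:30Z 10.0.0.7 d0e4.example-dyn.test
2024-05-01T10:04:40Z 10.0.0.7 e5a1.example-dyn.test
2024-05-01T10:00:05Z 10.0.0.5 www.example.com
2024-05-01T10:02:05Z 10.0.0.5 mail.example.com
2024-05-01T10:00:07Z 10.0.0.9 img1.cdn-example.net
2024-05-01T10:00:08Z 10.0.0.9 img2.cdn-example.net
2024-05-01T10:00:09Z 10.0.0.9 img3.cdn-example.net
2024-05-01T10:00:10Z 10.0.0.9 img4.cdn-example.net
2024-05-01T10:00:11Z 10.0.0.9 img5.cdn-example.net
2024-05-01T10:00:12Z 10.0.0.9 img6.cdn-example.net
"""

# Assumed allowlist of zones whose high subdomain churn has been baselined as legitimate.
KNOWN_CDN_PARENTS = {"cdn-example.net"}


def parent_domain(qname: str) -> str:
    """Naive registrable domain: last two labels. Use the Public Suffix List in production."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse(log_text: str) -> list:
    """Parse log lines into (timestamp, client, qname) tuples sorted by time."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname))
    return sorted(records)


def subdomain_churn(log_text: str, window: timedelta = timedelta(minutes=10),
                    threshold: int = 5, allowlist=KNOWN_CDN_PARENTS) -> list:
    """Return (client, parent, distinct_count) for every client/parent pair that resolves
    at least `threshold` distinct subdomains within any `window`-long interval."""
    events = defaultdict(list)  # (client, parent) -> [(ts, qname)] in time order
    for ts, client, qname in parse(log_text):
        parent = parent_domain(qname)
        if parent in allowlist:
            continue
        events[(client, parent)].append((ts, qname))

    alerts = []
    for (client, parent), evs in events.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {q for _, q in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append((client, parent, len(distinct)))
                break  # one alert per pair is enough for triage
    return sorted(alerts)


if __name__ == "__main__":
    for client, parent, count in subdomain_churn(SAMPLE_LOG):
        print(f"{client} resolved {count} distinct subdomains of {parent} within 10 minutes")
```

With the allowlist in place only the `example-dyn.test` churn from 10.0.0.7 is reported; passing an empty allowlist also surfaces the CDN host, which illustrates why the baseline for such zones must be deliberate rather than implicit.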

Procedure Examples

ID Name Description
G0016 APT29

APT29 has used Dynamic DNS providers for their malware C2 infrastructure.[1]

S1087 AsyncRAT

AsyncRAT can be configured to use dynamic DNS.[2]

S0268 Bisonal

Bisonal has used a dynamic DNS service for C2.[3]

G1002 BITTER

BITTER has used DDNS for C2 communications.[4]

C0026 C0026

During C0026, the threat actors re-registered a ClouDNS dynamic DNS subdomain which was previously used by ANDROMEDA.[5]

G0047 Gamaredon Group

Gamaredon Group has incorporated dynamic DNS domains in its infrastructure.[6]

S0666 Gelsemium

Gelsemium can use dynamic DNS domain names in C2.[7]

S0449 Maze

Maze has forged POST strings with a random choice from a list of possibilities including "forum", "php", "view", etc. while making connection with the C2, hindering detection efforts.[8]

S0034 NETEAGLE

NETEAGLE can use HTTP to download resources that contain an IP address and port number pair to connect to for C2.[9]

C0002 Night Dragon

During Night Dragon, threat actors used dynamic DNS services for C2.[10]

C0016 Operation Dust Storm

For Operation Dust Storm, the threat actors used dynamic DNS domains from a variety of free providers, including No-IP, Oray, and 3322.[11]

C0005 Operation Spalax

For Operation Spalax, the threat actors used dynamic DNS services, including Duck DNS and DNS Exit, as part of their C2 infrastructure.[12]

S0148 RTM

RTM has resolved Pony C2 server IP addresses by either converting Bitcoin blockchain transaction data to specific octets, or accessing IP addresses directly within the Namecoin blockchain.[13][14]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.[15]

S0559 SUNBURST

SUNBURST dynamically resolved C2 infrastructure for randomly-generated subdomains within a parent domain.[16]

G1018 TA2541

TA2541 has used dynamic DNS services for C2 infrastructure.[17]

S0671 Tomiris

Tomiris has connected to a signalization server that provides a URL and port, and then Tomiris sends a GET request to that URL to establish C2.[18]

G0134 Transparent Tribe

Transparent Tribe has used dynamic DNS services to set up C2.[19]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use dynamic resolution and determine future C2 infrastructure that the malware will attempt to contact, but this is a time- and resource-intensive effort.[20][21]

M1021 Restrict Web-Based Content

In some cases a local DNS sinkhole may be used to help prevent behaviors associated with dynamic resolution.
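As an added example of the sinkhole idea (written for this page; not the page's or ATT&CK's code), the following Python functions parse a DNS query in wire format and, when the name falls under a zone the organization has chosen to sinkhole and the query is for an A record, synthesize a response that points at an internal sinkhole address; any other query returns None so that a real resolver would forward it normally. The sinkhole address 10.255.255.1 and the zone example-dyn.test are assumptions, and the two-label parent-domain rule is a simplification. Answering with a monitored internal address, rather than simply refusing, is what turns the sinkhole into a detection source: every host that connects to it has tried to resolve a blocked zone.

```python
import socket
import struct

SINKHOLE_IP = "10.255.255.1"            # assumed internal sinkhole host that logs connections
BLOCKED_PARENTS = {"example-dyn.test"}  # assumed: dynamic-DNS zones chosen for sinkholing


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer not expected in question section")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A/IN query, used here to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parent_domain(name: str) -> str:
    """Naive registrable domain: last two labels (use the Public Suffix List in practice)."""
    labels = name.lower().split(".")
    return ".".join(labels[-2:])


def sinkhole_response(query: bytes, blocked=BLOCKED_PARENTS,
                      sinkhole_ip: str = SINKHOLE_IP, ttl: int = 60):
    """Return a synthesized A response for blocked zones, or None to forward the query."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    if qtype != 1 or qclass != 1 or parent_domain(qname) not in blocked:
        return None
    # Header: QR=1, RD=1, RA=1, RCODE=NOERROR; one question, one answer.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer name is a pointer (0xC00C) to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sinkhole_ip)
    return header + question + answer


def answer_ip(response: bytes) -> str:
    """Extract the A record address from a single-answer response built above."""
    return socket.inet_ntoa(response[-4:])


if __name__ == "__main__":
    for name in ("xk3jd9qwlzp0vbna.example-dyn.test", "www.example.com"):
        resp = sinkhole_response(build_query(name))
        print(name, "->", answer_ip(resp) if resp else "forward upstream")
```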

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with such traffic patterns (e.g., monitor for anomalous use of files that do not normally initiate connections for the respective protocol(s)).

DS0029 Network Traffic Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

References