- Researchers found evidence of Joke Screenmate malware hiding on DNS servers
- Joke Screenmate is a harmless, prank malware
- There are ways to defend against it
Hackers found a way to hide malware in the Domain Name System (DNS), cleverly evading detection and flying under the radar. This is according to security researchers from Domain Tools who, in a recent blog, detailed how they discovered the Joke Screenmate malware hiding on DNS servers.
DNS is essentially the internet’s address book, turning readable domain names (such as techradar.com) into IP addresses that computers use to locate services. DNS records come in various types, including TXT records, which are usually used to store descriptive text.
However, as Domain Tools explained, cybercriminals found a way to slice up malware into small encoded fragments, and place them into a DNS TXT record under different subdomains. It’s essentially a digital jigsaw puzzle scattered across different addresses. On its own, each part is harmless, but when reassembled, it forms a malicious file.
Joke Screenmate
By using scripting tools, threat actors query the DNS records and reconstruct the malware without triggering the usual security alarms, and since DNS traffic is typically trusted, it doesn’t raise any suspicions.
In their writeup, Domain Tools researchers described finding Joke Screenmate, a program that triggers fake system errors and causes erratic cursor behaviors. But perhaps more alarmingly, they found a PowerShell stager, a script that can download and execute more destructive malware.
While the attack technique is perfidious, there are ways to defend. Cybersecurity teams should implement DNS traffic monitoring, looking for unusual patterns and repeated TXT queries. They can also use tools that inspect DNS records beyond simple resolution functions, and should maintain threat intelligence feeds that include malicious domains and subdomains.
So far, there were very few examples of in-the-wild abuse, apparently, but since the technique seems to be rather simple to pull off, it wouldn’t be too surprising to see it become more popular in the coming months.
Via Tom's Hardware
You might also like
- Hackers are hijacking forgotten subdomains to spread malware through trusted sites; this overlooked trick could hit you next
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
