Using DNS queries and responses as a C2 channel.

Malware/Threat actors

Name	Type	Years	Source
Jaku	malware	2015-2016	report_jaku_analysis_of_botnet_campaign_en_0.pdf
PlugX	malware	2014	GlobalThreatIntelReport.pdf plugx-goes-to-the-registry-and-india.pdf ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf P2P_PlugX_Analysis.pdf
Group-IB	< threat actor/malware >	2016-2017	Group-IB_MoneyTaker_report.pdf Group-IB_Lazarus.pdf Anunak_APT_against_financial_institutions.pdf
APT32	threat actor	2014-2017	SpyRATsofOceanLotusMalwareWhitePaper.pdf oceanlotus-ships-new-backdoor oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society
ProjectSauron	malware	2011-2016	The-ProjectSauron-APT_research_KL.pdf

Preventions

<Mitigation techniques>

Detections

• Connection to a rare domain
• Large DNS payloads

Toolkit

<Toolkit instructions, if applicable>

Similar techniques

• Peer-to-peer
• IRC
• ICMP
• Webshell
• Remote Admin Tools
• Listening Service
• HTTP

References

• [<Source name>](<Source link>)