Hurricane Panda is a sophisticated adversary believed to be of Chinese origin and known to target infrastructure companies. Their RAT of choice has been PlugX, coupled with the use of the free DNS service provided by Hurricane Electric to return an attacker-controlled IP for well-known domain names. CrowdStrike has identified Hurricane Panda using this rogue DNS resolver technique for command and control with the well-known domain names github.com and pinterest.com. This tactic has been used to great effect to evade network-layer defenses such as web proxies and next-generation firewalls. Even a network analyst with access to every last byte that transited the network may miss this activity because of an expertly forged Host field in the PlugX HTTP header.
The tactic is executed in a couple of easy-to-follow steps:
1) Hurricane Panda uses Hurricane Electric’s free DNS service to resolve well-known domains (in this case github.com and pinterest.com) to the IP address of the desired attack infrastructure, so instead of github.com resolving to github.com’s corporate website it would resolve to the Hurricane Panda controlled attack server 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168.
2) A system already compromised with PlugX begins its command and control beaconing routine. Instead of resolving the C2 domains with the locally configured DNS server, the query is sent directly to the Hurricane Electric DNS servers. Subsequently github.com and pinterest.com resolve to the attacker IP and a successful PlugX command and control session is established.
While this tactic can be successful at evading network-layer defenses, in more homogeneously configured networks with the appropriate level of network visibility this activity may also stick out like a sore thumb. As an example, if a network primarily sent external DNS requests to Google’s resolvers 22.214.171.124, and the last 24 hours of Bro logs, indexed pcap, or even netflow data showed a statistically significant uptick in the amount of DNS traffic exiting the network bound for a non-126.96.36.199 address, then that might be worth investigating.
Along with the blog post we will be releasing a mechanism for detecting this behavior using Bro IDS (https://www.bro.org/). The script relies on two pieces of information. First, it monitors for domains being resolved by Hurricane Electric public DNS resolvers. Second, it checks that the resolved domain is a popular website that would not normally be resolved by Hurricane Electric. To generate the list of domains, we use a Python script to collect the top 500 websites from Alexa; Alexa is the source because domains previously used by Hurricane Panda can be found in the top 500 list. The Python script creates a file containing the domains gathered from Alexa; Bro reads this file and inserts the domains into the script for detection. Each time the file is written, Bro re-reads it and loads the newest list of domains. While the list could be manually crafted, we’ve automated it so that it will stay up-to-date without the need for management. Additionally, if the DNS response contains an answer and the answer is an IP address, then the Bro script monitors for any host connecting to that IP address.
If this tactic is seen, then the Bro script can generate up to two alerts. The first alert is generated if a domain on the Alexa list is resolved by Hurricane Electric, and the second alert is generated if a host connects to an IP address seen as an answer to the DNS request. We’ve provided two versions of the script on our GitHub page: one that uses automation for domain monitoring and includes the Python script to collect domains, and one that uses a static list of domains that can be edited manually.
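The detection logic described above, and the baseline check from the earlier paragraph (DNS leaving the network for a resolver other than the approved one), as an added Python example that is not CrowdStrike's Bro script or its Python collector. It works over constructed, simplified Bro-style dns.log and conn.log rows (only the columns needed here, tab-separated) and uses RFC 5737 documentation addresses as stand-ins for the approved resolver, the Hurricane Electric resolvers and the attacker infrastructure; the popular-domain set is a three-entry stand-in for the Alexa top-500 file, which the real script reloads from disk.

```python
"""Rogue-resolver DNS detection over simplified Bro-style logs (constructed example)."""
from collections import Counter

# Assumed/constructed values (RFC 5737 documentation ranges, not real resolvers):
APPROVED_RESOLVERS = {"192.0.2.53"}          # the network's sanctioned upstream DNS
HE_RESOLVERS = {"203.0.113.53"}              # stand-in for Hurricane Electric public resolvers
POPULAR_DOMAINS = {"github.com", "pinterest.com", "google.com"}  # stand-in for the Alexa list

# Constructed, simplified dns.log rows: ts, id.orig_h, id.resp_h, query, answers (comma-separated, "-" if none)
DNS_LOG = """\
1420070400.0\t10.0.0.5\t192.0.2.53\tgoogle.com\t192.0.2.10
1420070401.0\t10.0.0.5\t192.0.2.53\tgithub.com\t192.0.2.11
1420070402.0\t10.0.0.7\t203.0.113.53\tgithub.com\t198.51.100.20
1420070403.0\t10.0.0.7\t203.0.113.53\tpinterest.com\t198.51.100.20,198.51.100.21
1420070404.0\t10.0.0.9\t203.0.113.53\tinternal-test.example\t-
"""
# Constructed, simplified conn.log rows: ts, id.orig_h, id.resp_h, id.resp_p
CONN_LOG = """\
1420070405.0\t10.0.0.7\t198.51.100.20\t443
1420070406.0\t10.0.0.5\t192.0.2.11\t443
"""


def parse_tsv(text):
    """Split Bro-style TSV into rows, skipping the '#' header lines a real log carries."""
    return [line.split("\t") for line in text.splitlines() if line and not line.startswith("#")]


def resolver_counts(dns_rows):
    """Baseline check: queries per resolver, plus the subset going to unapproved resolvers."""
    counts = Counter(row[2] for row in dns_rows)
    unapproved = {r: n for r, n in counts.items() if r not in APPROVED_RESOLVERS}
    return counts, unapproved


def rogue_resolutions(dns_rows):
    """Alert 1: a popular domain resolved via a Hurricane Electric resolver.

    Returns the alerts and the set of answer IPs that later connections are checked against.
    """
    alerts, watch_ips = [], set()
    for _ts, orig, resp, query, answers in dns_rows:
        if resp in HE_RESOLVERS and query.lower().rstrip(".") in POPULAR_DOMAINS:
            alerts.append((orig, query, resp))
            # Only IP answers are tracked; "-" means the response carried no answer.
            watch_ips.update(a for a in answers.split(",") if a != "-")
    return alerts, watch_ips


def watched_connections(conn_rows, watch_ips):
    """Alert 2: a host connects to an IP that appeared as an answer in a flagged resolution."""
    return [(orig, resp, port) for _ts, orig, resp, port in conn_rows if resp in watch_ips]


def run(dns_log=DNS_LOG, conn_log=CONN_LOG):
    """Run all three checks and return their results in one dictionary."""
    dns_rows, conn_rows = parse_tsv(dns_log), parse_tsv(conn_log)
    counts, unapproved = resolver_counts(dns_rows)
    alerts, watch_ips = rogue_resolutions(dns_rows)
    return {
        "resolver_counts": counts,
        "unapproved_resolvers": unapproved,
        "rogue_resolution_alerts": alerts,
        "watch_ips": watch_ips,
        "connection_alerts": watched_connections(conn_rows, watch_ips),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {value}")
```

In the constructed data, host 10.0.0.5 resolves github.com through the approved resolver and is never flagged, while 10.0.0.7 resolves github.com and pinterest.com through the stand-in Hurricane Electric resolver and then connects to the answered IP, which produces both alerts; the query for internal-test.example goes to the same resolver but is not on the popular list, so it only shows up in the unapproved-resolver count. The real Bro script keeps the domain list in a file reloaded on change rather than a constant, but the two alert conditions are the same.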
To fully mitigate this specific attacker TTP, CrowdStrike recommends explicitly allowing outbound DNS only to approved DNS servers and denying by default all other outbound DNS communications at the perimeter gateway firewall.