DNS-over-ICMP (C2) covert channels

Attack pattern

DNS-over-ICMP command and control (C2) represents a sophisticated evasion technique that abuses ICMP protocols to encapsulate DNS-like communications for covert channels. This method enables malware to establish resilient C2 connections while bypassing traditional DNS monitoring and security controls through protocol manipulation and legitimate traffic mimicry.

2. DNS-over-ICMP (C2) [AND]

    2.1 Protocol encapsulation [OR]
    
        2.1.1 DNS query encoding in ICMP echo
            2.1.1.1 Domain name encoding in ICMP echo request payloads
            2.1.1.2 DNS query simulation through ICMP data patterns
            2.1.1.3 Response data embedding in ICMP echo replies
            2.1.1.4 TXT record simulation for data exfiltration
            
        2.1.2 ICMPv6 router advertisement DNS injection
            2.1.2.1 RDNSS option exploitation for malicious DNS injection
            2.1.2.2 DNS search list option abuse for C2 communication
            2.1.2.3 Recursive DNS server option manipulation
            2.1.2.4 Router advertisement frequency abuse for persistent C2
            
        2.1.3 Neighbour discovery option abuse
            2.1.3.1 Source link-layer address option exploitation
            2.1.3.2 Target link-layer address option manipulation
            2.1.3.3 Prefix information option abuse for network mapping
            2.1.3.4 Redirect header option exploitation for traffic manipulation
            
    2.2 Malware integration [OR]
    
        2.2.1 MosaicLoader-style ICMP callbacks
            2.2.1.1 Downloader payload retrieval through ICMP
            2.2.1.2 Staged execution via ICMP payload commands
            2.2.1.3 Configuration data embedding in ICMP packets
            2.2.1.4 Update mechanism through ICMP channel
            
        2.2.2 APT41 ICMP-based C2 channels
            2.2.2.1 Long-term persistence using ICMP backdoors
            2.2.2.2 Data exfiltration through fragmented ICMP responses
            2.2.2.3 Lateral movement coordination via ICMP
            2.2.2.4 Evasion through ICMP protocol legitimacy
            
        2.2.3 IoT botnet ICMP command systems
            2.2.3.1 Lightweight C2 for resource-constrained devices
            2.2.3.2 Distributed command distribution through ICMP
            2.2.3.3 Botnet synchronisation via ICMP timing packets
            2.2.3.4 Persistence mechanisms using ICMP heartbeat
            
    2.3 Evasive C2 techniques [OR]
    
        2.3.1 Dynamic encoding algorithm rotation
            2.3.1.1 Multiple encoding scheme implementation
            2.3.1.2 Algorithm selection based on network environment
            2.3.1.3 Steganographic techniques within ICMP payloads
            2.3.1.4 Encryption key rotation through ICMP channel
            
        2.3.2 Legitimate traffic mimicry
            2.3.2.1 Network monitoring tool traffic simulation
            2.3.2.2 System utility ICMP pattern replication
            2.3.2.3 Cloud service ICMP traffic imitation
            2.3.2.4 Network infrastructure ICMP communication mimicry
            
        2.3.3 Multi-protocol fallback mechanisms
            2.3.3.1 ICMP primary with DNS secondary C2 channels
            2.3.3.2 Protocol switching based on detection events
            2.3.3.3 Redundant C2 infrastructure across multiple protocols
            2.3.3.4 Adaptive protocol selection for network conditions
            
    2.4 Command execution mechanisms [OR]
    
        2.4.1 Payload interpretation systems
            2.4.1.1 Custom protocol interpreters for ICMP data
            2.4.1.2 Script execution through encoded commands
            2.4.1.3 System command embedding in ICMP packets
            2.4.1.4 Remote code execution via ICMP channel
            
        2.4.2 Data exfiltration techniques
            2.4.2.1 File content chunking across multiple ICMP packets
            2.4.2.2 Compression and encryption before transmission
            2.4.2.3 Steganographic data hiding in ICMP fields
            2.4.2.4 Timing-based exfiltration to avoid detection
            
    2.5 Infrastructure abuse [OR]
    
        2.5.1 Compromised infrastructure exploitation
            2.5.1.1 Legitimate server compromise for C2 hosting
            2.5.1.2 Cloud instance abuse for ICMP C2 infrastructure
            2.5.1.3 IoT device exploitation for distributed C2
            2.5.1.4 Network device compromise for persistent access
            
        2.5.2 Public infrastructure manipulation
            2.5.2.1 Public DNS server abuse for ICMP reflection
            2.5.2.2 Cloud service exploitation for traffic blending
            2.5.2.3 Content delivery network abuse for C2 distribution
            2.5.2.4 Public monitoring service imitation for legitimacy

Why it works

  • Protocol necessity: ICMP is essential for network operations and cannot be completely blocked

  • Monitoring gaps: Many security systems focus on DNS monitoring while overlooking ICMP

  • Legitimate appearance: ICMP traffic appears normal and blends with network operations

  • Protocol flexibility: ICMP’s simple structure allows for various data encoding methods

  • Evasion capabilities: ICMP-based C2 bypasses traditional DNS security controls

  • Network pervasiveness: ICMP traffic is common across all networks, providing excellent cover