
Adware Campaign Hijacks DNS to Expose Thousands of OT and Government Endpoints

A malicious adware campaign, active since at least 2023, hijacked DNS settings on over 25,000 systems to redirect traffic through attacker-controlled servers, exposing endpoints in critical OT and government networks to further compromise.



Executive Summary

A widespread adware campaign, operating since at least 2023, has compromised over 25,000 endpoints by hijacking their Domain Name System (DNS) settings to route all internet traffic through attacker-controlled servers. Researchers from BitSight discovered the operation, which leveraged a cheap domain registration to establish a command-and-control (C2) infrastructure capable of intercepting and redirecting traffic from infected systems, including those in sensitive operational technology (OT) and government networks. The adware, which also functioned as a loader, demonstrated capabilities to terminate security software, paving the way for more dangerous secondary payloads.

Technical Analysis

The campaign's core mechanism is DNS hijacking. Upon infection, the adware modifies the system's DNS configuration to point to malicious servers controlled by the attackers. This gives the adversary the ability to monitor, intercept, and manipulate all DNS queries from the victim machine, a technique known as a "rogue DNS" or "DNS redirection" attack. According to BitSight's report, the attackers registered a domain for approximately $10 to host their C2 servers, which then managed the flow of traffic from the compromised endpoints.

The malicious software was distributed through a software supply chain attack, bundled with legitimate-looking free software downloads. Once installed, it performed dual functions: displaying intrusive advertisements and acting as a backdoor loader. A key feature of the malware was its ability to identify and forcibly terminate processes associated with cybersecurity and analysis tools, including antivirus software and virtual machines, to evade detection and removal. This "kill list" functionality suggests the operators intended to clear the path for deploying additional malware, such as remote access trojans (RATs) or information stealers, though BitSight did not observe follow-on payloads in their analysis.

Tactics, Techniques & Procedures

The threat actors employed a multi-stage infection chain blending software bundling, persistence, and defense evasion.

  • Initial Access (T1566.002): The malware was distributed by bundling it with legitimate free software, exploiting users' trust in the software supply chain.
  • Persistence (T1547.001): The adware established persistence via registry run keys to ensure it survived system reboots.
  • Privilege Escalation (T1068): The malware required and often obtained administrative privileges to modify critical system DNS settings.
  • Defense Evasion (T1562.001, T1070.004): The malware actively terminated processes related to security software and virtual machines. It also deleted logs and traces of its installation and execution to hinder forensic analysis.
  • Command and Control (T1572): The primary C2 mechanism was through the rogue DNS servers, which proxied all victim internet traffic, allowing for data exfiltration and redirection to phishing or malware-dropping sites.

Threat Actor Context

The identity and origin of the threat actors behind this campaign remain unknown. The primary motivation appears to be financial, initially through ad-revenue generated by the forced advertisements. However, the infrastructure's design—capable of intercepting traffic from thousands of endpoints, including high-value targets in government and industrial sectors—creates a significant secondary risk. This infrastructure could be sold or rented to other threat groups for espionage, credential theft, or as an initial access broker for ransomware operations. The low cost of establishing the C2 domain highlights the high-impact, low-barrier nature of such DNS-based attacks.

Mitigations & Recommendations

Organizations, especially those in critical infrastructure and government sectors, should take the following steps to detect and prevent similar compromises:

  1. Enforce DNS Security: Implement DNS filtering services and mandate the use of corporate-managed DNS servers (e.g., via DHCP or group policy). Block outbound DNS queries over port 53 to all except approved resolvers.
  2. Monitor for DNS Changes: Deploy endpoint detection and response (EDR) tools to alert on and block unauthorized modifications to system network settings, including DNS configurations.
  3. Harden Software Deployment: Strictly control software installation privileges and source locations. Use application allowlisting to prevent the execution of unapproved software.
  4. Conduct Network Monitoring: Look for anomalous DNS traffic patterns, such as endpoints communicating with unknown DNS servers or a sudden increase in DNS query volume to rare domains.
  5. Segment OT Networks: Ensure robust network segmentation between OT environments and corporate IT networks to limit the potential lateral movement and impact of such malware.
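The following script is an added example, not code from the article or from BitSight; it shows how recommendations 1, 2 and 4 above could be implemented as a small audit. All host names, resolver addresses and flow-log lines are constructed sample data, and the approved-resolver set is an assumption standing in for whatever an organisation hands out through DHCP or group policy. It flags hosts whose configured resolvers do not match policy (the change the adware makes), finds port-53 flows to unapproved resolvers in a flow log, and renders the egress rules that would block such traffic.

```python
"""Audit resolver settings and flow logs for rogue-DNS indicators.

Added example, not part of the original article.  Every address, host name
and log line below is constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed: the resolvers the organisation hands out via DHCP / group policy.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed per-host resolver inventory (as an EDR or config-management
# job might collect it).  "ot-hmi-02" has been pointed at an external resolver.
HOST_DNS_SETTINGS = {
    "ws-finance-01": ["10.0.0.53", "10.0.1.53"],
    "ot-hmi-02": ["198.51.100.23", "10.0.0.53"],
    "srv-ad-01": ["10.0.0.53"],
}

# Constructed flow-log lines: timestamp src dst proto dport bytes
FLOW_LOG = """\
2024-05-01T10:00:01Z 10.0.5.11 10.0.0.53 udp 53 78
2024-05-01T10:00:02Z 10.0.5.11 10.0.0.53 udp 53 81
2024-05-01T10:00:03Z 10.0.7.42 198.51.100.23 udp 53 77
2024-05-01T10:00:03Z 10.0.7.42 198.51.100.23 udp 53 80
2024-05-01T10:00:04Z 10.0.7.42 198.51.100.23 tcp 53 512
2024-05-01T10:00:05Z 10.0.5.11 203.0.113.9 tcp 443 1400
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (udp|tcp) (\d+) (\d+)$")


def audit_resolver_settings(settings, approved=APPROVED_RESOLVERS):
    """Recommendation 2: return {host: [unapproved resolvers]} for every host
    whose configured DNS servers are not all in the approved set."""
    findings = {}
    for host, resolvers in settings.items():
        unapproved = [r for r in resolvers if r not in approved]
        if unapproved:
            findings[host] = unapproved
    return findings


def find_rogue_dns_flows(log_text, approved=APPROVED_RESOLVERS):
    """Recommendation 4: parse flow-log lines and return {src: {dst: count}}
    for port-53 flows (UDP or TCP) to destinations outside the approved set."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = FLOW_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines instead of aborting the audit
        _ts, src, dst, _proto, dport, _nbytes = match.groups()
        if int(dport) != 53 or dst in approved:
            continue
        hits[src][dst] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


def egress_firewall_rules(approved=APPROVED_RESOLVERS):
    """Recommendation 1: render iptables-style egress rules that allow DNS only
    to approved resolvers and drop all other outbound port-53 traffic."""
    rules = []
    for resolver in sorted(approved, key=ipaddress.ip_address):
        rules.append(f"-A OUTPUT -p udp --dport 53 -d {resolver} -j ACCEPT")
        rules.append(f"-A OUTPUT -p tcp --dport 53 -d {resolver} -j ACCEPT")
    rules.append("-A OUTPUT -p udp --dport 53 -j DROP")
    rules.append("-A OUTPUT -p tcp --dport 53 -j DROP")
    return rules


if __name__ == "__main__":
    for host, bad in audit_resolver_settings(HOST_DNS_SETTINGS).items():
        print(f"[resolver change] {host}: unapproved resolvers {bad}")
    for src, dsts in find_rogue_dns_flows(FLOW_LOG).items():
        for dst, n in dsts.items():
            print(f"[rogue DNS egress] {src} -> {dst}:53 ({n} flows)")
    print("\n".join(egress_firewall_rules()))
```

In the constructed data, the host whose resolver list was changed and the source that sends port-53 traffic to the unknown resolver are the same finding seen from two vantage points (endpoint inventory and network flow), which is why the article recommends both controls; the firewall rules make the second signal impossible to miss, because blocked DNS traffic also breaks the adware's redirection.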
