A new and concerning technique is emerging in the cybersecurity landscape: attackers are injecting malicious code directly into antivirus processes to create persistent backdoors. This technique, demonstrated by security researcher TwoSevenOneThree, exploits the trust and elevated privileges granted to antivirus software, effectively turning your frontline protection into a liability. Once malware reaches this stage, it has already bypassed traditional defenses and can operate with near impunity. This isn’t a theoretical risk; by the time DNS traffic starts reflecting malicious activity, the endpoint is already compromised, and the malware has sidestepped your antivirus. In today’s threat environment, you simply can’t trust software running on an infected machine to defend itself.

While antivirus software is a necessary part of any security stack, it cannot be the sole line of protection. Modern threats exploit the very mechanisms meant to secure endpoints, invalidating the assumption that local detection is sufficient. This is why defense in depth is critical, multiple layers of proactive protection are required to stop threats before they can cause harm. ThreatSTOP’s Protective DNS and IP Defense solutions provide this additional layer. By focusing on preventing malicious communications at the network level, we shut down the attacker’s ability to operate even if they’ve gained a foothold.

When malware bypasses endpoint security, its next step is to communicate with external Command and Control (C2) servers. This is where ThreatSTOP Protective DNS steps in:

  • DNS Defense Cloud routes your DNS queries through ThreatSTOP’s cloud-based servers, blocking requests to known malicious domains before a connection is ever made.
  • DNS Defense brings the same intelligence to your own DNS servers, enabling local enforcement powered by ThreatSTOP threat intelligence. Meanwhile, IP Defense proactively stops malicious traffic at the network perimeter by automatically enforcing block lists on firewalls, routers, and cloud-based infrastructure. Whether it’s data exfiltration, peer-to-peer botnet communication, or C2 callbacks, ThreatSTOP ensures that your network disconnects from risky destinations. Our Security, Intelligence, and Research team continuously develops protections against C2 infrastructure, phishing, DDoS activity, SPAM networks, and more. Even if malware infects the endpoint, its ability to communicate and cause damage is effectively blocked.

In a world where attackers can exploit the very tools designed to protect you, proactive network-based protections are crucial. ThreatSTOP provides that safety net, ensuring that compromised endpoints cannot connect to malicious infrastructure and that sensitive data remains within your network.

For those interested in joining the ThreatSTOP family or learning more about our proactive protections for various environments, we invite you to visit our product page. Discover how our solutions can significantly enhance your digital security landscape. We offer pricing options for all customer sizes and encourage you to start with a Demo today!

Connect with customers and disconnect from risks.

 

MITRE ATT&CK Framework Mapping

ThreatSTOP Protection

MITRE ATT&CK Technique(s) Addressed

DNS Defense Cloud & DNS Defense

T1071.004 (Application Layer Protocol: DNS), T1568.002 (Dynamic Resolution)

IP Defense (Network Enforcement)

T1071 (Application Layer Protocol), T1571 (Non-Standard Port), T1090 (Proxy)

T1041 (Exfiltration Over C2 Channel), T1105 (Ingress Tool Transfer)

T1219 (Remote Access Tools), T1008 (Fallback Channels)

Blocking C2 & Data Exfiltration

T1071.004 (Application Layer Protocol: DNS), T1568.002 (Dynamic Resolution)

Disruption of Malware Operations