Jump to content
  • Decoy Dog malware toolkit found after analyzing 70 billion DNS queries

    alf9872000

    • 578 views
    • 3 minutes
     Share


    • 578 views
    • 3 minutes

    A new enterprise-targeting malware toolkit called ‘Decoy Dog’ has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity.

     

    Decoy Dog helps threat actors evade standard detection methods through strategic domain aging and DNS query dribbling, aiming to establish a good reputation with security vendors before switching to facilitating cybercrime operations.

     

    Researchers from Infoblox discovered the toolkit in early April 2023 as part of its analysis of over 70 billion DNS records daily to look for signs of abnormal or suspicious activity.

     

    Infoblox reports that Decoy Dog’s DNS fingerprint is extremely rare and unique among the 370 million active domains on the internet, making it easier to identify and track.

     

    Hence, the investigation into Decoy Dog’s infrastructure quickly led to the discovery of several C2 (command and control) domains that were linked to the same operation, with most communications from these servers originating from hosts in Russia.

     

    Further investigation revealed that the DNS tunnels on these domains had characteristics that pointed to Pupy RAT, a remote access trojan deployed by the Decoy Dog toolkit.

     

    Pupy RAT is a modular open-source post-exploitation toolkit popular among state-sponsored threat actors for being stealthy (fileless), supporting encrypted C2 communications, and helping them blend their activities with other users of the tool.

     

    The Pupy RAT project supports payloads in all major operating systems, including Windows, macOS, Linux, and Android. Like other RATs, it allows threat actors to execute commands remotely, elevate privileges, steal credentials, and spread laterally through a network.

     

    Less skilled actors do not use Pupy RAT, as deploying the tool with the correct DNS server configuration for C2 communications requires knowledge and expertise.

     

    “This multiple-part (DNS) signature gave us strong confidence that the (correlated) domains were not only using Pupy, but they were all part of Decoy Dog – a large, single toolkit that deployed Pupy in a very specific manner on enterprise or large organizational, non-consumer, devices,” Infoblox revealed in its report.

     

    Furthermore, the analysts discovered a distinct DNS beaconing behavior on all Decoy Dog domains that are configured to follow a particular pattern of periodic but infrequent DNS request generation.

     

    pattern.png

    Repeating pattern of Decoy Dog IPv4 resolution (Infoblox)

     

    Investigations of the hosting and domain registration details revealed that the Decoy Dog operation had been underway since early April 2022, so it has stayed under the radar for over a year despite the toolkit’s domains showing extreme outliers in analytics.

     

    timeline(1).png

    Timeline of Decoy Dog domain registrations (Infoblox)

     

    The discovery of Decoy Dog demonstrates the power of using large-scale data analytics to detect anomalous activity in the vastness of the internet.

     

    "Infoblox has listed Decoy Dog’s domains in its report and added them to its “Suspicious Domains” list to help defenders, security analysts, and targeted organizations protect against this sophisticated threat," explains the InfoBlox researchers.

     

    "The discovery of Decoy Dog, and most importantly, the fact that several seemingly unrelated domains were using the same rare toolkit was a result of this combination of automatic and human processes." 

     

    Because the situation is complex and we have been focused on the DNS aspects of the discovery, we expect more details to come from the industry, in addition to ourselves, in the future."

     

    The company has also shared indicators of compromise on its public GitHub repository, which can be used for manual addition into blocklists.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...