Decoy Dog Malware Toolkit Found After Analyzing 70 Billion DNS Queries

Summary:
Researchers at Infoblox have uncovered a novel malware toolkit called Decoy Dog that specifically targets enterprises. The toolkit evades standard detection mechanisms by generating DNS traffic whose pattern differs from ordinary internet activity, and it uses techniques such as strategic domain aging and DNS query dribbling to build a benign reputation with security vendors before the domains are turned to cybercrime operations, helping the threat actors avoid detection. According to Infoblox, Decoy Dog's DNS fingerprint is highly uncommon and stands out among the 370 million active domains on the internet, which makes the toolkit relatively straightforward to identify and monitor once its pattern is known. Examination of Decoy Dog's infrastructure therefore quickly revealed several command and control (C2) domains associated with the same campaign, with most of the communications originating from servers located in Russia.

“Further investigation revealed that the DNS tunnels on these domains had characteristics that pointed to Pupy RAT, a remote access trojan deployed by the Decoy Dog toolkit. Pupy RAT is a modular open-source post-exploitation toolkit popular among state-sponsored threat actors for being stealthy (fileless), supporting encrypted C2 communications, and helping them blend their activities with other users of the tool. The Pupy RAT project supports payloads in all major operating systems, including Windows, macOS, Linux, and Android. Like other RATs, it allows threat actors to execute commands remotely, elevate privileges, steal credentials, and spread laterally through a network. Less skilled actors do not use Pupy RAT, as deploying the tool with the correct DNS server configuration for C2 communications requires knowledge and expertise.” (Bleeping Computer, 2023)

Infoblox's report stated that the DNS signature of Decoy Dog was multi-faceted and provided a high level of confidence that the correlated domains were not only using Pupy but were all part of the same large toolkit, Decoy Dog. The toolkit was designed to deploy Pupy on enterprise devices rather than consumer devices.
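The two DNS behaviours described above, long-lived domains that receive only a trickle of queries (aging and dribbling) and tunnel-style traffic with many long, high-entropy subdomains, can be triaged from passive-DNS logs with simple per-domain statistics. The following Python script is an added example written for this page; it is not Infoblox's detection logic and not a signature for Pupy or Decoy Dog. The log lines, domain names (`c2-example.test`, `news-example.test`, `shop-example.test`) and all thresholds are constructed assumptions for illustration.

```python
"""Heuristic triage of passive-DNS logs for two behaviours: long-lived,
low-volume ("dribbling") domains and tunnel-like subdomain traffic.
Added example; not Infoblox's detector and not a Pupy/Decoy Dog signature."""
import math
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Constructed records (timestamp, queried name, query type); not real telemetry.
SAMPLE_LOG = """\
2022-04-03T08:12:01Z c2-example.test A
2022-04-20T09:40:13Z c2-example.test A
2022-05-11T11:03:55Z c2-example.test A
2022-06-30T14:22:09Z c2-example.test A
2022-08-15T03:01:41Z c2-example.test A
2022-10-02T17:45:30Z c2-example.test A
2022-12-19T06:33:17Z c2-example.test A
2023-03-01T10:10:10Z c2-example.test A
2023-03-01T10:10:12Z 7xk3qz9lm2nv8rwt4pyh.c2-example.test TXT
2023-03-01T10:10:13Z m9qw2ztr6vb0kx4nshjl.c2-example.test TXT
2023-03-01T10:10:14Z a1b2c3d4e5f6g7h8i9j0.c2-example.test TXT
2023-03-01T10:10:15Z k0l9m8n7o6p5q4r3s2t1.c2-example.test TXT
2023-03-01T10:10:16Z u2v3w4x5y6z7a8b9c0d1.c2-example.test TXT
2023-03-01T10:10:17Z e3f4g5h6i7j8k9l0m1n2.c2-example.test TXT
2022-04-05T12:00:00Z news-example.test A
2023-02-28T12:00:00Z news-example.test A
2023-03-01T10:11:00Z www.shop-example.test A
2023-03-02T10:11:00Z api.shop-example.test A
2023-03-03T10:11:00Z cdn.shop-example.test A
"""


def shannon_entropy(text: str) -> float:
    """Bits per character: about 4.3 for 20 distinct characters, 0 for 'www'."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str):
    """Split a query name into (registered domain, subdomain part).
    Assumption: a two-label registrable suffix. Production code should use
    the Public Suffix List so that names under e.g. co.uk are grouped right."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


@dataclass
class DomainStats:
    first_seen: datetime
    last_seen: datetime
    queries: int = 0
    active_days: set = field(default_factory=set)
    active_months: set = field(default_factory=set)
    subdomains: set = field(default_factory=set)
    sub_entropy_total: float = 0.0
    sub_len_total: int = 0
    sub_queries: int = 0


def parse_log(text: str):
    """Parse 'timestamp qname qtype' lines into (datetime, qname, qtype)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, qtype = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), qname, qtype.upper()))
    return records


def profile(records):
    """Aggregate per registered domain: lifetime, activity spread, subdomain shape."""
    stats = {}
    for ts, qname, _qtype in records:
        apex, sub = split_name(qname)
        st = stats.get(apex)
        if st is None:
            st = stats[apex] = DomainStats(first_seen=ts, last_seen=ts)
        st.first_seen = min(st.first_seen, ts)
        st.last_seen = max(st.last_seen, ts)
        st.queries += 1
        st.active_days.add(ts.date())
        st.active_months.add((ts.year, ts.month))
        if sub:
            flat = sub.replace(".", "")
            st.subdomains.add(sub)
            st.sub_entropy_total += shannon_entropy(flat)
            st.sub_len_total += len(flat)
            st.sub_queries += 1
    return stats


def assess(stats, min_age_days=180, max_active_ratio=0.05, min_months=6,
           min_unique_subs=5, min_entropy=3.5, min_label_len=16):
    """Return {apex: [flags]} for domains matching either heuristic (thresholds are assumptions)."""
    findings = {}
    for apex, st in stats.items():
        flags = []
        span_days = max((st.last_seen - st.first_seen).days, 1)
        # Dribbling: old domain, queried on very few days, yet steadily across many months.
        # The month spread is what keeps a benign site visited twice a year from matching.
        if (span_days >= min_age_days
                and len(st.active_days) / span_days <= max_active_ratio
                and len(st.active_months) >= min_months):
            flags.append("dribbling")
        # Tunnel-like: many distinct subdomains that are long and high-entropy.
        if st.sub_queries:
            mean_entropy = st.sub_entropy_total / st.sub_queries
            mean_len = st.sub_len_total / st.sub_queries
            if (len(st.subdomains) >= min_unique_subs
                    and mean_entropy >= min_entropy
                    and mean_len >= min_label_len):
                flags.append("tunnel-like")
        if flags:
            findings[apex] = flags
    return findings


def triage(log_text: str = SAMPLE_LOG):
    return assess(profile(parse_log(log_text)))


if __name__ == "__main__":
    for apex, flags in sorted(triage().items()):
        print(f"{apex}: {', '.join(flags)}")
```

On the constructed sample only `c2-example.test` is reported, with both flags: it is queried a handful of times a month for eleven months and then starts receiving a burst of 20-character TXT lookups. `news-example.test` is equally old and sparse but is seen in only two months, so the month-spread condition leaves it alone, and `shop-example.test` has neither the age nor the subdomain shape. The thresholds are starting points, not tuned values; a domain that trips only "dribbling" deserves a look at registration age and hosting, while one that trips only "tunnel-like" is just as likely to be a CDN or anti-virus lookup scheme, so verify against known-benign lists before acting.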

Analyst comments:
Analysis of hosting and domain registration details showed that the Decoy Dog campaign had been active since early April 2022, evading detection for over a year despite the toolkit's domains displaying significant deviations from normal DNS analytics. According to the researchers, the discovery of Decoy Dog and its association with various seemingly unrelated domains was the result of a combination of automated and manual analysis. The situation is complex, and the analysis so far has focused on the DNS aspects of the discovery; the researchers expect that more details will emerge from the industry in the future.

Mitigation:
Infoblox researchers have added the Decoy Dog domains to their "Suspicious Domains" list and published a report to help defenders, security analysts, and targeted organizations protect against this advanced threat.

IOCs:
https://blogs.infoblox.com


Source:
https://www.bleepingcomputer.com/
https://blogs.infoblox.com/