After another check for abnormal DNS traffic that differs from normal Internet activity, Infoblox experts have discovered a new set of enterprise malware called "Decoy Dog." Decoy Dog helps attackers bypass standard detection methods through strategic "domain aging" and DNS query cloning to build a good reputation with security vendors.
Infoblox researchers discovered the tool earlier this month as part of their daily analysis of more than 70 billion DNS records looking for signs of suspicious activity. Experts report that Decoy Dog's DNS fingerprint is extremely rare and unique among the 370 million active domains on the Internet, making it much easier to identify and track. Therefore, an investigation into Decoy Dog's malicious infrastructure quickly led to the discovery of several C2 servers that were associated with the same operation.
Further investigation revealed that the DNS tunnels of the discovered domains had characteristics pointing to Pupy RAT, a remote access trojan deployed by the Decoy Dog toolkit. Pupy RAT is an open-source, modular post-exploitation toolkit popular with government-sponsored attackers for its stealth, support for encrypted C2 communications, and assistance in teaming and coordinating with other users of the tool.
The Pupy RAT project supports payloads on all major desktop and mobile operating systems, including Windows, macOS, Linux, and Android. Like other RATs, it allows attackers to remotely execute commands, elevate privileges, steal credentials, and spread across a compromised network.
“This multi-part signature gave us confidence that the associated domains weren't just using Pupy. They were all part of Decoy Dog, a large single set of tools that deployed Pupy in enterprises in a very specific way,” the Infoblox report says.
In addition, analysts found different behavior of DNS beacons on all honeypot domains configured to follow a specific pattern of periodically but infrequently generating DNS queries. An investigation of the details showed that Operation Decoy Dog started at the beginning of last April and remained unnoticed for more than a year, even though the domains of this toolkit show extreme outliers in analytics.
Infoblox listed Decoy Dog domains in their report and added them to their "Suspicious Domains" list to help defenders, security analysts, and targeted organizations protect against this sophisticated threat. The company has also shared indicators of compromise on its public GitHub repository, which can be used to manually add to blacklists.
Decoy Dog detection demonstrates the ability to use large-scale data analysis to detect anomalous activity on the Internet, which in the future will allow to find such threats faster.
Infoblox researchers discovered the tool earlier this month as part of their daily analysis of more than 70 billion DNS records looking for signs of suspicious activity. Experts report that Decoy Dog's DNS fingerprint is extremely rare and unique among the 370 million active domains on the Internet, making it much easier to identify and track. Therefore, an investigation into Decoy Dog's malicious infrastructure quickly led to the discovery of several C2 servers that were associated with the same operation.
Further investigation revealed that the DNS tunnels of the discovered domains had characteristics pointing to Pupy RAT, a remote access trojan deployed by the Decoy Dog toolkit. Pupy RAT is an open-source, modular post-exploitation toolkit popular with government-sponsored attackers for its stealth, support for encrypted C2 communications, and assistance in teaming and coordinating with other users of the tool.
The Pupy RAT project supports payloads on all major desktop and mobile operating systems, including Windows, macOS, Linux, and Android. Like other RATs, it allows attackers to remotely execute commands, elevate privileges, steal credentials, and spread across a compromised network.
“This multi-part signature gave us confidence that the associated domains weren't just using Pupy. They were all part of Decoy Dog, a large single set of tools that deployed Pupy in enterprises in a very specific way,” the Infoblox report says.
In addition, analysts found different behavior of DNS beacons on all honeypot domains configured to follow a specific pattern of periodically but infrequently generating DNS queries. An investigation of the details showed that Operation Decoy Dog started at the beginning of last April and remained unnoticed for more than a year, even though the domains of this toolkit show extreme outliers in analytics.
Infoblox listed Decoy Dog domains in their report and added them to their "Suspicious Domains" list to help defenders, security analysts, and targeted organizations protect against this sophisticated threat. The company has also shared indicators of compromise on its public GitHub repository, which can be used to manually add to blacklists.
Decoy Dog detection demonstrates the ability to use large-scale data analysis to detect anomalous activity on the Internet, which in the future will allow to find such threats faster.