Finding Decoy Dog Toolkit via Anomalous DNS Traffic

The ‘Decoy Dog’ malware toolkit, aimed at enterprises, was recently uncovered by security analysts at Infoblox, who found it by analysing 70 billion DNS records for traffic that differs from typical online behaviour.

What is Decoy Dog Malware Toolkit

Decoy Dog was discovered in early April 2023. By using domain aging (registering domains well before they are used for C2) and DNS query dribbling (issuing only a trickle of queries, so the domains never stand out by volume), the Decoy Dog toolkit helps threat actors avoid traditional detection methods.

One of Decoy Dog’s tools is the remote access Trojan (RAT) “Pupy RAT.” Infoblox describes this as “a dangerous and powerful RAT due to its fileless nature and slow, encrypted C2 communications. It is hard to detect by EDR solutions, and can stay hidden for a long time in an afflicted network.”

Deploying the tool properly does require some degree of DNS server configuration knowledge and expertise. Infoblox researchers were able to link the domains by matching their multi-part DNS signatures, which gave them “strong confidence” not only that the correlated domains were using Pupy RAT but also that they were all part of Decoy Dog: a larger toolkit that deploys Pupy RAT in a very specific manner on enterprise or large-organisation, non-consumer devices.

The researchers also observed a distinct DNS beaconing behaviour on all Decoy Dog domains: the infected hosts follow a specific pattern of periodic (yet infrequent) DNS request generation, which is exactly the kind of low-and-slow regularity that volume-based DNS monitoring misses but interval analysis can surface.
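The two behaviours above (query dribbling and periodic-but-infrequent beaconing) can be hunted in ordinary DNS resolver logs by looking at inter-query timing per client and domain rather than at query volume. The script below is an added example written for this article, not Infoblox’s or FirstHackersNews’ code, and it makes no claim about the exact intervals Decoy Dog uses. The log lines, the client addresses, the domain beacon-example.test and the thresholds (at least 4 queries, mean gap of at least 10 minutes, coefficient of variation of the gaps at most 5%) are all constructed assumptions for illustration; tune them against your own baseline.

```python
"""Flag low-and-slow periodic DNS beacons in a query log (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, not real telemetry: "<ISO timestamp> <client> <qname>".
# 10.0.0.7 polls a CDN every 30 s (regular but frequent), 10.0.0.5 browses
# example.com irregularly and beacons to beacon-example.test about hourly.
SAMPLE_LOG = """\
2023-04-03T00:00:00 10.0.0.7 cdn.example.net
2023-04-03T00:00:10 10.0.0.5 www.example.com
2023-04-03T00:00:12 10.0.0.5 www.example.com
2023-04-03T00:00:30 10.0.0.7 cdn.example.net
2023-04-03T00:01:00 10.0.0.7 cdn.example.net
2023-04-03T00:01:30 10.0.0.7 cdn.example.net
2023-04-03T00:02:00 10.0.0.7 cdn.example.net
2023-04-03T00:03:40 10.0.0.5 www.example.com
2023-04-03T00:45:00 10.0.0.5 www.example.com
2023-04-03T01:00:00 10.0.0.5 k3j9.c2.beacon-example.test
2023-04-03T02:00:05 10.0.0.5 p0q2.c2.beacon-example.test
2023-04-03T02:10:00 10.0.0.5 www.example.com
2023-04-03T03:00:02 10.0.0.5 zz8a.c2.beacon-example.test
2023-04-03T04:00:07 10.0.0.5 m4n1.c2.beacon-example.test
2023-04-03T05:00:01 10.0.0.5 b7c3.c2.beacon-example.test
2023-04-03T06:00:04 10.0.0.5 r2t5.c2.beacon-example.test
"""


def registered_domain(qname):
    """Collapse a query name to its last two labels.

    Simplification for the example: a production hunt should use the public
    suffix list so that names under co.uk and similar are grouped correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed 'timestamp client qname' format into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client, qname))
    return records


def beacon_candidates(records, min_queries=4, min_interval=600.0, max_cv=0.05):
    """Return {(client, domain): stats} for pairs whose queries are few,
    widely spaced and evenly spaced, i.e. 'periodic yet infrequent'.

    A regular but fast poller (CDN health checks) fails the min_interval test;
    bursty human browsing fails the coefficient-of-variation test.
    """
    series = defaultdict(list)
    for ts, client, qname in records:
        series[(client, registered_domain(qname))].append((ts, qname))

    hits = {}
    for key, entries in series.items():
        if len(entries) < min_queries:
            continue
        entries.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(entries, entries[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if mean >= min_interval and cv <= max_cv:
            hits[key] = {
                "queries": len(entries),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 4),
                # Many distinct subdomains on a tiny, metronomic stream is a
                # further hint that the labels carry data rather than hostnames.
                "distinct_qnames": len({q for _, q in entries}),
            }
    return hits


if __name__ == "__main__":
    for (client, domain), stats in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {domain}: {stats}")
```

Run against a day of real resolver logs, the interesting output is the pair list, not the counts: a single host talking to a single registered domain a handful of times at near-identical intervals, with a fresh subdomain each time, is worth pivoting on, and the registered domain can then be checked against the hashes and domains published by Infoblox.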

IOCs (SHA-256)

4996180b2fa1045aab5d36f46983e91dadeebfd4f765d69fa50eba4edf310acf
0375f4b3fe011b35e6575133539441009d015ebecbee78b578c3ed04e0f22568

About the Author:

FirstHackersNews- Identifies Security
