The ‘Decoy Dog’ malware toolkit, aimed at enterprises, was recently uncovered by security analysts at Infoblox, who found it by analyzing 70 billion DNS records for traffic that differs from typical online behavior.
What is the Decoy Dog Malware Toolkit?
Decoy Dog was discovered in early April 2023, and by using domain aging and DNS query dribbling tactics, the Decoy Dog malware assists threat actors in avoiding traditional detection methods.
One of Decoy Dog’s tools is a remote access Trojan (RAT), “Pupy RAT.” Infoblox describes this as “a dangerous and powerful RAT due to its fileless nature and slow, encrypted C2 communications. It is hard to detect by EDR solutions, and can stay hidden for a long time in an afflicted network.”
That said, deploying the tool properly does require some degree of DNS server configuration knowledge and expertise. Infoblox researchers were able to link the domains by matching their multi-part DNS signatures, which gave them “strong confidence” not only that the correlated domains were using Pupy RAT, but also that they were all part of Decoy Dog: a large toolkit that deployed Pupy RAT in a very specific manner on enterprise or large-organisation, non-consumer devices.
Researchers also discovered a distinct DNS beaconing behaviour on all Decoy Dog domains: they are configured to follow a specific pattern of periodic, yet infrequent, DNS request generation.
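The periodic-but-infrequent beaconing described above is exactly the kind of pattern a defender can hunt for in resolver logs. The following is an added example written for this page, not Infoblox's detection logic or anything from the Decoy Dog research: it parses constructed DNS query log lines (a made-up `timestamp client qname qtype` format), groups queries by client and registered domain, and flags domains whose inter-query intervals are both regular (low coefficient of variation) and low-rate. The registered-domain extraction (last two labels) and the thresholds are simplifying assumptions; a production version would use the public suffix list and would add domain-age data, which is not available offline.

```python
"""Flag low-volume, periodic DNS beaconing in DNS query logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not real traffic. Format: "timestamp client qname qtype".
# The first client/domain pair queries a new subdomain roughly once an hour
# (beacon-like); the second is an irregular, browsing-like pattern.
SAMPLE_LOG = """\
2023-04-01T00:00:00Z 10.0.0.5 a1b2.c2-example.test A
2023-04-01T01:00:05Z 10.0.0.5 c3d4.c2-example.test A
2023-04-01T02:00:02Z 10.0.0.5 e5f6.c2-example.test A
2023-04-01T03:00:04Z 10.0.0.5 g7h8.c2-example.test A
2023-04-01T04:00:01Z 10.0.0.5 i9j0.c2-example.test A
2023-04-01T05:00:03Z 10.0.0.5 k1l2.c2-example.test A
2023-04-01T00:00:10Z 10.0.0.5 www.news-example.test A
2023-04-01T00:03:41Z 10.0.0.5 www.news-example.test A
2023-04-01T00:04:02Z 10.0.0.5 cdn.news-example.test A
2023-04-01T02:17:55Z 10.0.0.5 www.news-example.test A
2023-04-01T09:48:13Z 10.0.0.5 mail.news-example.test A
2023-04-01T11:02:30Z 10.0.0.5 www.news-example.test A
"""


def registered_domain(qname: str) -> str:
    """Simplified: keep the last two labels. Real code should consult the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse the constructed log format into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname))
    return records


def find_beacons(records, min_queries=5, max_cv=0.1, max_per_hour=2.0) -> list[dict]:
    """Return (client, domain) pairs whose query timing looks like slow, regular beaconing.

    Thresholds are assumptions for the example: at least `min_queries` queries,
    coefficient of variation of the inter-query gaps <= `max_cv`, and an
    average rate <= `max_per_hour` so that busy, legitimate domains are not flagged.
    """
    groups = defaultdict(list)
    for ts, client, qname in records:
        groups[(client, registered_domain(qname))].append((ts, qname))

    findings = []
    for (client, domain), hits in groups.items():
        if len(hits) < min_queries:
            continue
        hits.sort()
        times = [t for t, _ in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap          # regularity of the beacon interval
        span_hours = (times[-1] - times[0]).total_seconds() / 3600
        rate = len(hits) / span_hours if span_hours > 0 else float("inf")
        if cv <= max_cv and rate <= max_per_hour:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(hits),
                "unique_qnames": len({q for _, q in hits}),  # many one-off subdomains is a tunnelling hint
                "mean_interval_s": avg_gap,
                "cv": cv,
                "rate_per_hour": rate,
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log, only `c2-example.test` is reported: six queries spaced about 3600 s apart with almost no jitter, each to a distinct subdomain. The news-like domain has comparable volume but wildly varying gaps, so its coefficient of variation is far above the threshold. Real beacons add jitter, so the `max_cv` threshold is a tuning knob to be set against baseline traffic rather than a fixed constant.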