Infoblox reveals attackers shift in malware tactics
Infoblox has published a second threat report with critical updates on "Decoy Dog," the remote access trojan (RAT) toolkit they discovered and disclosed in April 2023.
The malware uses DNS to establish command and control (C2) and is suspected as a secret tool used in ongoing nation-state cyber attacks.
The threat actors swiftly responded following Infoblox's disclosure of the toolkit, adapting their systems to ensure continued operations, indicating that maintaining access to victim devices remains a high priority.
The analysis shows that the use of the malware has spread, with at least three actors now operating it. Although based on the open-source RAT Pupy, Decoy Dog is a fundamentally new, previously unknown malware with many features to persist on a compromised device.
Many aspects of Decoy Dog remain a mystery, but Infoblox says all signs point to nation-state hackers. Infoblox released a new data set containing DNS traffic captured from Infoblox's servers to support further industry investigation of the C2 systems.
Infoblox highlights a significant risk that Decoy Dog and its use will continue to grow and impact organisations globally. The only known means to detect and defend against Decoy Dog/Pupy today is with DNS Detection and Response systems like Infoblox's BloxOne Threat Defense.
Scott Harrell, Infoblox President and CEO, says: "It's intuitive that DNS should be the first line of defense for organisations to detect and mitigate threats like Decoy Dog. Infoblox is the industry's best-of-breed DNS Detection and Response solution, providing companies with a turn-key defense that other XDR solutions would miss."
"As demonstrated with Decoy Dog, studying and deeply understanding the attacker's tactics and techniques allows us to block threats before they are even known as malware."
Through large-scale DNS analysis, Infoblox has learned key features of the malware and the actors who operate it. Directly following the first announcement on social media, every Decoy Dog threat actor responded to Infoblox's disclosures in different ways.
Some name servers mentioned in Infoblox's April 2023 report were taken down, while others migrated their victims to new servers. Despite their efforts to hide, Infoblox has continued tracking the activities and since learned much more about them.
Infoblox has been able to infer the nature of some communications and estimates that the number of compromised devices is relatively small.
Infoblox has also been able to distinguish Decoy Dog from Pupy and determine that Decoy Dog has a full suite of powerful, previously unknown capabilities, including the ability to move victims to another controller, allowing them to maintain communication with compromised machines and remain hidden for long periods.
Some victims have actively communicated with a Decoy Dog server for over a year.
Dr Renée Burton, Head of Threat Intelligence at Infoblox, says: "The lack of insight into underlying victim systems and vulnerabilities being exploited makes Decoy Dog an ongoing and serious threat."
"The best defense against this malware is DNS. Malicious activity often goes unnoticed because DNS is undervalued as a critical component in the security ecosystem."
"Only enterprises with a strong protective DNS strategy can protect themselves from these types of hidden threats," says Burton.
Infoblox is currently monitoring 20 Decoy Dog domains, some registered and deployed within the last month. This toolkit exploits an inherent weakness of the malware-centric intelligence ecosystem that dominates the security industry today.
Furthermore, Infoblox says this malware was discovered solely because of DNS threat detection algorithms. Infoblox suggests that organisations' best defence against these attacks is protection at the DNS level within every network.
Infoblox says its BloxOne Threat Defense customers remain protected from Decoy Dog and these known malicious threat actors.
"We urge the industry to take this research forward, further investigate and share their findings," adds Harrell.
At the Black Hat cybersecurity conference in Las Vegas on Wednesday, August 9, Dr Renée Burton will discuss why "Decoy Dog is No Ordinary Pupy" in detail, along with other key findings.
Throughout the conference, attendees can meet with Infoblox researchers and demonstrate their skills with a series of hands-on challenges using a live Pupy controller via Infoblox's Double Dog Dare experience.
Short introductions to Decoy Dog and Pupy will also be held at the booth theatre. This experience will allow participants to see firsthand how the DNS traffic is used to relay communications between the client and server to understand better the severe threat this malware poses.
An additional resource, experts in the field, recently released a new book titled "The Hidden Potential of DNS in Security." Infoblox says this book gives readers everything they need to know about lookalike domains, domain-generated algorithms (DGAs), DNS tunnelling, data exfiltration over DNS, why hackers use DNS, and how to defend against these attacks.