.webp "Uncovering the Decoy Dog C2 Exploit: Infoblox's Finds Dangerous Threat")
.webp "Decoy Dog")
Despite this, DNS is not typically considered a prominent target in attacks, likely due to complex security terminologies such as DNS over TLS or HTTP. According to a report by CloudFlare, DNS queries in plaintext can be encrypted with TLS and HTTP to ensure secure and private browsing.
In spite of this, Akamai's DNS threat report for Q3 highlighted a rise of 40% in DNS attacks during the corresponding quarter of the previous year. Furthermore, during Q3 of the previous year, 14% of all safeguarded devices communicated with a malicious designation at least once.
A new malware toolkit called Decoy Dog
The Infoblox Threat Intelligence Group, which examines billions of DNS records and millions of domain-related records daily, has identified a new malware toolkit called Decoy Dog that employs the Pupy remote access trojan.
Renée Burton, Senior Director of Threat Intelligence at Infoblox, revealed that Pupy is an open-source tool that is complex to utilize and inadequately documented. Infoblox's findings indicate that the Decoy Dog toolkit is being employed in less than 3% of all networks, and the threat actor who controls it is linked to only 18 domains.
Through a sequence of anomaly detectors, the team discovered Decoy Dog's activities and learned that it had been running a data exfiltration command and control system since early April 2022 for over a year, which no one else had detected.
Russian links
Infoblox's researchers discovered that the Decoy Dog C2 was primarily originating from hosts located in Russia, according to an analysis of external global DNS data.
The concern with this malware is that no one knows precisely what it controls, even though its signature is known.
Burton explained that command and control allow an attacker to take over systems and issue orders, such as extracting all of an individual's emails or shutting down a firewall. She also stated that Pupy, which is linked to Decoy Dog, has previously been associated with nation-state activities, despite not being easy for the average cybercriminal to access due to its complexity and lack of instructions on establishing the DNS nameserver required for C2 communications.
The RAT effect
- RATs allow access to a system and some use C2 infrastructure for remote control.
- Pupy is a challenging-to-detect, cross-platform, open-source C2 tool primarily coded in Python.
- Decoy Dog is a rare type of Pupy deployment that can be identified through its DNS signature. According to Infoblox, only 18 domains match this signature out of 370 million.
Some common uses of RAT malware involve an attacker acquiring remote access to a laptop, then leasing it out to other threat actors who install more malware through its network access. This can result in a laptop becoming part of a botnet.
Toolkits that are small and unusual can pose hidden dangers
Hidden RATs, or malware of unknown origin that remains undetected, can pose significant risks. For example, in 2018, Israeli cyber-arms firm NSO Group developed a C2 spyware called Pegasus that could infiltrate and control various mobile devices, giving remote hackers access to a phone's cameras, location, microphone, and other sensors for surveillance purposes.
Amnesty International became involved when the Saudi government allegedly used Pegasus to spy on the family of Jamal Khashoggi, who had been murdered by government operatives.
Amnesty International's Security Lab recently uncovered another commercial spyware that went unnoticed for two years and utilized zero-day attacks against Google's Android operating systems. However, Infoblox had already blocked 89% of those domains before Amnesty's report, providing protection to its customers and verifying Amnesty's findings, according to Burton.