A handful of threat actors, apparently nation-state operators, are actively using and developing a severe new malware toolkit called Decoy Dog. The toolkit uses the domain name system (DNS) for command and control of a highly targeted and very small number of active clients, warns the IT automation and security company Infoblox.
Following the first disclosure in April, Decoy Dog's operators swiftly adapted their infrastructure to keep operating and to retain access to already compromised devices.
“Decoy Dog is a fundamentally new, previously unknown, malware with many features to persist on a compromised device,” Infoblox writes.
According to Infoblox's second threat report, the malware is suspected to be a covert tool in ongoing nation-state cyber-attacks, using DNS to establish command and control. Many aspects of Decoy Dog remain a mystery; because it is new and previously unknown, the full scope of its capabilities has not yet been established.
So far, Decoy Dog has been detected only through DNS threat detection algorithms, which Infoblox says is currently the only way to defend against the threat. At least three threat actors were found to be using the malware.
Decoy Dog is based on the open-source remote access trojan (RAT) Pupy. However, the considerable changes made to the code indicate that a sophisticated adversary is involved.
Decoy Dog’s improvements include:
It also responds to DNS requests that do not match the structure of valid communication.
“Although this decision would appear to be a mistake at first glance, there is likely some yet unknown rationale for it. At present, it is just another mystery of Decoy Dog”, the security firm added.
According to Infoblox, Pupy “is a smokescreen for the real capabilities of Decoy Dog.”
The toolkit has been in use for over a year. After the initial disclosure of Decoy Dog, the threat actors changed the DNS response behavior of their controllers, added geofencing restrictions to the controllers, and moved clients to new controllers to ensure continued access to victim systems.
The significant risk is that “Decoy Dog/Pupy” use will continue to grow and impact organizations globally.
“The question many in the industry continue to silently ask is: Are we really securing our network if we’re not monitoring our DNS?” Infoblox writes.
The security firm highlights the critical need for increased DNS security, such as DNS Detection and Response systems, to protect against remote access trojan toolkits. Decoy Dog exploits an inherent weakness of the malware-centric intelligence ecosystem that dominates the security industry today: it has so far been observable only through its DNS traffic rather than through malware samples.
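To make the DNS-level detection the article refers to concrete, the following is an added example and not Infoblox's algorithm or any code from the Decoy Dog or Pupy projects. It runs generic DNS-tunnelling heuristics (many unique subdomains under one registered domain, high-entropy labels, a high share of payload-carrying record types such as TXT and NULL) over a constructed query log in a hypothetical "timestamp client qname qtype" format. The thresholds and the two-label approximation of a registered domain are assumptions chosen for the sample, not values taken from the report.

```python
"""Heuristic DNS-tunnelling / C2 detector over a simple DNS query log.

Added example: generic tunnelling heuristics, not Decoy Dog's actual
signature. Log format and thresholds are assumptions for illustration.
"""
import math
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real traffic): "timestamp client qname qtype".
# example.com shows ordinary browsing; beacon-test.net shows a client sending
# high-entropy, ever-changing labels over TXT, the classic tunnelling shape.
SAMPLE_LOG = """\
1690000000 10.0.0.5 www.example.com A
1690000001 10.0.0.5 cdn.example.com A
1690000002 10.0.0.7 mail.example.com MX
1690000003 10.0.0.9 4k9zq2v8s1d7.beacon-test.net TXT
1690000004 10.0.0.9 b3x0m7rq1lwp.beacon-test.net TXT
1690000005 10.0.0.9 q8ja5ez2hy6c.beacon-test.net TXT
1690000006 10.0.0.9 zr2t1mn9pk4v.beacon-test.net TXT
1690000007 10.0.0.9 c7h3lw0qx5bs.beacon-test.net TXT
1690000008 10.0.0.9 m1y6gd4fn8ra.beacon-test.net TXT
1690000009 10.0.0.5 www.example.com A
1690000010 10.0.0.7 login.example.com A
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Record types whose answers can carry arbitrary data back to a client.
PAYLOAD_TYPES = {"TXT", "NULL"}

# Assumed thresholds; tune per environment and per observation window.
MIN_UNIQUE_SUBDOMAINS = 5
MIN_MEAN_ENTROPY = 3.0      # bits per character of the subdomain part
MIN_PAYLOAD_RATIO = 0.5     # share of queries using PAYLOAD_TYPES


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive registered domain: the last two labels.

    A production detector should use the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


@dataclass
class DomainStats:
    queries: int = 0
    labelled_queries: int = 0          # queries that had a subdomain part
    subdomains: set = field(default_factory=set)
    entropy_sum: float = 0.0           # summed over labelled queries
    payload_type_queries: int = 0
    clients: set = field(default_factory=set)


def parse_line(line: str):
    """Return (ts, client, qname, qtype) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return int(ts), client, qname.lower().rstrip("."), qtype.upper()


def aggregate(log_text: str) -> dict:
    """Group queries by registered domain and collect per-domain features."""
    stats = defaultdict(DomainStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname, qtype = rec
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".") if qname.endswith(dom) else ""
        st = stats[dom]
        st.queries += 1
        st.clients.add(client)
        if sub:
            st.labelled_queries += 1
            st.subdomains.add(sub)
            st.entropy_sum += shannon_entropy(sub.replace(".", ""))
        if qtype in PAYLOAD_TYPES:
            st.payload_type_queries += 1
    return stats


def score_domain(st: DomainStats) -> list:
    """Return the list of heuristics a domain trips (empty if none)."""
    reasons = []
    if len(st.subdomains) >= MIN_UNIQUE_SUBDOMAINS:
        reasons.append(f"{len(st.subdomains)} unique subdomains")
    if st.labelled_queries:
        mean_ent = st.entropy_sum / st.labelled_queries
        if mean_ent >= MIN_MEAN_ENTROPY:
            reasons.append(f"mean label entropy {mean_ent:.2f} bits/char")
    if st.queries and st.payload_type_queries / st.queries >= MIN_PAYLOAD_RATIO:
        reasons.append(f"{st.payload_type_queries}/{st.queries} payload-type queries")
    return reasons


def suspicious_domains(log_text: str, min_reasons: int = 2) -> dict:
    """Map registered domain -> reasons, for domains tripping >= min_reasons."""
    flagged = {}
    for dom, st in aggregate(log_text).items():
        reasons = score_domain(st)
        if len(reasons) >= min_reasons:
            flagged[dom] = reasons
    return flagged


if __name__ == "__main__":
    for dom, reasons in suspicious_domains(SAMPLE_LOG).items():
        print(f"{dom}: {'; '.join(reasons)}")
```

Two caveats follow from the article itself. Infoblox describes Decoy Dog as serving a very small number of clients, so volume-based thresholds such as the unique-subdomain count should be evaluated per client over long windows rather than per domain per day, or a low-and-slow beacon will sit below them. And the controller-side behaviour the report highlights (answering requests that do not fit the valid communication structure) is a property of the server, not something visible in client query logs; it needs active probing of a suspected controller, which this passive detector does not attempt.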
“It’s intuitive that DNS should be the first line of defense for organizations to detect and mitigate threats like Decoy Dog,” said Infoblox President and CEO Scott Harrell. “As demonstrated with Decoy Dog, studying and deeply understanding the attacker’s tactics and techniques allows us to block threats before they’re even known as malware.”
Infoblox continues to monitor the situation, reverse engineer the threat, and build DNS detection algorithms to mitigate additional hidden threats.
Some of the 20 Decoy Dog domains under monitoring were registered and deployed within the last month.
“We urge the industry to take this research forward, further investigate, and share their findings,” added Harrell.