An analysis of more than 70 billion DNS records has led to the discovery of a sophisticated new malware toolkit called Decoy Dog that targets enterprise networks.
Decoy Dog, as the name suggests, is evasive and employs techniques such as strategic domain aging and DNS query dribbling, in which a series of queries is sent to command-and-control (C2) domains at a low rate so as not to arouse suspicion.
“Decoy Dog is a cohesive toolkit with a number of highly unusual features that make it uniquely identifiable, particularly when examining its domains at the DNS level,” Infoblox said in an advisory issued late last month.
The cybersecurity firm, which identified the malware in early April 2023 after spotting anomalous DNS beacon activity, said its atypical features allowed it to map additional domains that are part of the attack infrastructure.
That said, use of Decoy Dog in the wild is “very rare,” with the DNS signature matching less than 0.0000027% of the 370 million active domains on the Internet, according to the California-based company.
One of the main components of the toolkit is Pupy RAT, an open-source Trojan that is delivered using a method called DNS tunneling, in which DNS queries and responses are used as C2 to stealthily drop payloads.
It is worth noting that the use of the cross-platform Pupy RAT has been linked in the past to Chinese state actors such as Earth Berberoka (aka GamblingPuppet), although there is no evidence to suggest the actor’s involvement in this campaign.
Further research into Decoy Dog suggests that the operation had been established for at least a year prior to its discovery, with three different infrastructure configurations detected so far.
Another crucial aspect is the unusual behavior of DNS beacons associated with Decoy Dog domains, whereby they adhere to a pattern of periodic, but infrequent, DNS requests to fly under the radar.
“Decoy Dog domains can be grouped based on their shared registrars, name servers, IPs, and dynamic DNS providers,” Infoblox said.
“Given the other commonalities between Decoy Dog domains, this indicates that one threat actor is gradually evolving its tactics, or that multiple threat actors are deploying the same set of tools on different infrastructures.”
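The two DNS-level traits the article describes, payload delivery over DNS tunneling and periodic but infrequent beaconing, are both visible in ordinary resolver query logs. The script below is an added example written for this page, not Infoblox code and not a Decoy Dog signature; it runs two simple heuristics over a constructed log (timestamp, client, query name): it flags registered domains whose leftmost labels are numerous, long and high-entropy (data encoded into subdomains, the tunneling pattern) and flags client/domain pairs whose queries are spaced at near-constant, long intervals (the beaconing pattern). The log lines, domain names and thresholds are all invented for illustration, and the registrable-domain split is a two-label simplification in place of the Public Suffix List.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS query log: "<ISO timestamp> <client IP> <query name>".
# Names, addresses and timings are invented for this example; they are not
# Decoy Dog indicators.
SAMPLE_LOG = """\
2023-04-01T00:00:00 10.0.0.5 cdn-update.example-c2.test
2023-04-01T00:00:05 10.0.0.7 www.example.com
2023-04-01T00:00:09 10.0.0.7 www.example.com
2023-04-01T00:00:20 10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.ex.example-tun.test
2023-04-01T00:00:21 10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.ex.example-tun.test
2023-04-01T00:00:22 10.0.0.9 f0e1d2c3b4a5968778695a4b3c2d1e0f.ex.example-tun.test
2023-04-01T00:12:30 10.0.0.7 www.example.com
2023-04-01T01:00:00 10.0.0.5 cdn-update.example-c2.test
2023-04-01T01:45:00 10.0.0.7 www.example.com
2023-04-01T01:59:50 10.0.0.5 cdn-update.example-c2.test
2023-04-01T03:00:02 10.0.0.5 cdn-update.example-c2.test
2023-04-01T04:00:00 10.0.0.5 cdn-update.example-c2.test
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, lowercased query name) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip(".")))
    return records


def registered_domain(qname):
    # Simplification (assumption): the last two labels are the registrable domain.
    # Production code should consult the Public Suffix List instead.
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunneling_candidates(records, min_unique=3, min_len=20, min_entropy=3.0):
    """Domains whose leftmost labels look like encoded data: many distinct, long, high-entropy labels."""
    labels_by_domain = defaultdict(set)
    for _, _, qname in records:
        labels_by_domain[registered_domain(qname)].add(qname.split(".")[0])
    flagged = {}
    for domain, labels in labels_by_domain.items():
        if len(labels) < min_unique:
            continue
        mean_len = statistics.mean(len(lbl) for lbl in labels)
        mean_ent = statistics.mean(shannon_entropy(lbl) for lbl in labels)
        if mean_len >= min_len and mean_ent >= min_entropy:
            flagged[domain] = {"unique_labels": len(labels),
                               "mean_len": mean_len,
                               "mean_entropy": round(mean_ent, 2)}
    return flagged


def beacon_candidates(records, min_queries=4, min_mean_interval=600.0, max_cv=0.2):
    """(client, domain) pairs with regularly spaced, infrequent queries.

    Regularity is measured as the coefficient of variation of the inter-query
    intervals; a long mean interval with a small CV is the 'periodic but
    infrequent' shape the article describes. Thresholds are illustrative.
    """
    times = defaultdict(list)
    for ts, client, qname in records:
        times[(client, registered_domain(qname))].append(ts)
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean < min_mean_interval:
            continue  # frequent traffic, not a slow beacon
        cv = statistics.stdev(intervals) / mean
        if cv <= max_cv:
            flagged[key] = {"queries": len(stamps),
                            "mean_interval_s": round(mean),
                            "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, stats in beacon_candidates(recs).items():
        print("beacon", key, stats)
    for domain, stats in tunneling_candidates(recs).items():
        print("tunnel", domain, stats)
```

On the sample log, the hourly queries from 10.0.0.5 (with a few seconds of jitter) are reported as a beacon candidate, while the irregular browsing to www.example.com is not; the three long hexadecimal labels under example-tun.test trip the tunneling heuristic. In practice both checks produce false positives (legitimate CDNs and anti-virus lookups also use long encoded labels and fixed timers), so they are best used to rank domains for analyst review rather than to block.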
Ikaroa, a cutting-edge full stack tech company, is the latest enabler of new and improved security products. The company has recently uncovered a dangerous new malware toolkit, with potentially damaging consequences on enterprise networks.
The malicious toolkit, named Decoy Dog, can penetrate networks by sneaking in through driver downloads while disguising itself as a legitimate application. Once inside, it can be used to exfiltrate sensitive information, hijack authentication tokens, deploy botnets and ultimately control the entire system.
As the sophistication of malware continues to advance, it is essential that companies stay ahead of the game, by employing the right countermeasures. To do this, Ikaroa provides a wealth of security solutions, ranging from proactive and distributed identification, authentication and access control measures to a comprehensive analysis of networks, applications and data. Through advanced analytics capabilities, the advanced security products from Ikaroa help to detect and identify threats at every stage of the attack.
Ikaroa works closely with companies to develop holistic security defenses that are tailored to their specific needs. This includes developing advanced capabilities to detect, contain and respond to the latest threats, such as Decoy Dog. The company also collaborates with experts in the fields of computer science and information security to design innovative technologies and methods to stay ahead of the malicious actors.
Overall, the Decoy Dog malware toolkit is yet another reminder that in the ever-evolving world of cyber-security, it is essential to keep security solutions up-to-date and to partner with specialists to ensure optimum protection. As enterprises strive to protect their data and networks from the latest threats, solutions from Ikaroa are proving to be a reliable ally.