Decoy Dog, a new malware toolkit, has been discovered that allows attackers to avoid standard detection techniques and target enterprises. It uses DNS query dribbling and strategic domain aging techniques to bypass security checks.
A deeper look into Decoy Dog
Experts from Infoblox spotted the Decoy Dog toolkit in early April 2022 during their analysis of over 70 billion DNS records daily for suspicious activity. Its DNS fingerprint is very rare and unique among the 370 million active domains.
An investigation into Decoy Dog’s infrastructure led to the discovery of various C2 domains associated with the same operation, in which most communications originate from hosts in Russia.
The toolkit created an atypical DNS signature that was spotted in enterprise networks in the U.S., South America, Europe, and Asia, covering the healthcare, technology, financial, energy, and other sectors.
Further investigation disclosed that the DNS tunnels on these domains had characteristics indicating that Pupy RAT was being distributed by the Decoy Dog toolkit.
The tool exhibits a multi-part DNS signature implying that the domains belonged to a single, large toolkit that deploys Pupy in a particular manner on enterprise (non-consumer) devices.
Additional insights
The analysts identified a distinct DNS beaconing behavior on every Decoy Dog domain: each follows a pattern of periodic yet irregular DNS request generation.
Even though the toolkit’s domains displayed high outliers in analytics, the attackers managed to stay under the radar for over a year.
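The two traits the article names, sparse "dribbled" queries and a periodic-but-jittered cadence, can be scored directly from resolver logs. The following is an added defender-side example, not Infoblox's detection logic or anything from the Decoy Dog analysis: it groups queries by (client, registrable domain), measures the inter-query gaps, and flags pairs whose cadence is regular with jitter, low volume, and carries constantly changing subdomain labels. The log format and host names are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample resolver log, one query per line: "<epoch_seconds> <client_ip> <qname>".
# 10.0.0.5 issues sparse, jittered queries with ever-changing labels; 10.0.0.7 is ordinary noise.
SAMPLE_LOG = """\
1000 10.0.0.5 a1b2.cdn-updates.example
1600 10.0.0.5 c3d4.cdn-updates.example
2150 10.0.0.5 e5f6.cdn-updates.example
2780 10.0.0.5 a7b8.cdn-updates.example
3350 10.0.0.5 c9d0.cdn-updates.example
1005 10.0.0.7 www.example.org
1006 10.0.0.7 www.example.org
1007 10.0.0.7 www.example.org
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.lower().rstrip(".")))
    return records

def registered_domain(qname):
    """Crude registrable-domain cut (last two labels); a real deployment would use the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])

def beacon_candidates(records, min_queries=4, min_mean_gap=60, max_cv=0.5):
    """Flag (client, domain) pairs whose query cadence is periodic-with-jitter and low volume."""
    # cv = stdev/mean of inter-query gaps: near 0 is a rigid timer, moderate is jittered periodic,
    # large is irregular human traffic. A big mean gap is the "dribbling" trait; a high
    # unique-label ratio suggests data being carried in subdomain labels.
    by_pair = defaultdict(list)
    for ts, client, qname in records:
        by_pair[(client, registered_domain(qname))].append((ts, qname))
    hits = {}
    for pair, entries in by_pair.items():
        if len(entries) < min_queries:
            continue
        entries.sort()
        gaps = [b[0] - a[0] for a, b in zip(entries, entries[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean_gap if mean_gap else float("inf")
        if mean_gap >= min_mean_gap and cv <= max_cv:
            labels = {q for _, q in entries}
            hits[pair] = {"queries": len(entries), "mean_gap": mean_gap, "cv": cv,
                          "unique_label_ratio": len(labels) / len(entries)}
    return hits
```

Thresholds here are illustrative; tune them against a baseline of your own resolver traffic before alerting on them.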
Conclusion
The attackers behind Decoy Dog have created a footprint in DNS that is very hard to detect and isolate. A global security collaboration is required to fully understand Decoy Dog and its C2 activity. Further, the researchers have shared IOCs on their public GitHub repository, which can be helpful.