An unidentified nation-state appears to be preparing for a new hacking campaign, according to researchers at Infoblox. The campaign uses the relatively new Decoy Dog malware toolkit; however, little is known about the motivations behind it or who may be at risk.
What was found?
Infoblox has detected the foundational elements of the campaign: suspicious domain names connected to it are associated with Russian IP addresses. However, Russia’s involvement remains uncertain.
Researchers estimate that over 100 devices are infected with Decoy Dog, and multiple groups could be responsible, not necessarily all tied to the same nation-state.
In total, the researchers tracked 21 Decoy Dog domains, some of which were registered and deployed in the last month.
Other noteworthy findings
Since it was first discovered in April, Decoy Dog has undergone a major upgrade from its base, Pupy, an open-source remote access tool, to disguise its activities and ensure long-term access to compromised devices.
Some of the enhancements include the use of Python 3.8, improvements in Windows compatibility and memory operations, additional communication modules, and the ability to run arbitrary Java code by injecting it into a JVM thread.
Moreover, the new version comes with a domain-generation algorithm that acts as an emergency module, letting compromised machines fall back to communicating via a third-party DNS server.
The bottom line
At the moment, the purpose of, and the operators behind, Decoy Dog operations remain a mystery. While the researchers continue to track the full scope of the malware toolkit, it is recommended to block the IP addresses used in both Decoy Dog and Pupy malware operations. Organizations should also monitor DNS queries and responses to track the malware's activity, and they can leverage a YARA rule created by Infoblox to detect the malware samples observed since July.
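As an added illustration of the DNS-monitoring advice above (example code written for this page, not Infoblox's tooling or its YARA rule), the heuristic below scans DNS query log lines and flags a client that sends many unique, high-entropy subdomain queries under one apex domain, the pattern that DNS-tunnelled command-and-control of the Pupy family and DGA fallback traffic tend to leave in resolver logs. The log format, client addresses and domain names are constructed placeholders, and the apex-domain split assumes a simple two-label apex rather than a public-suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, one query per line: "client qname qtype rcode" (placeholder names, not real IoCs)
SAMPLE_LOG = """\
10.0.0.5 mail.example.com A NOERROR
10.0.0.5 www.example.com A NOERROR
10.0.0.7 7k2p9xq3m4.cdn-updates.invalid TXT NOERROR
10.0.0.7 b8n1zt5wq0.cdn-updates.invalid TXT NOERROR
10.0.0.7 x4c6vr2ld9.cdn-updates.invalid TXT NOERROR
10.0.0.7 q0m3hs8tyw.cdn-updates.invalid TXT NOERROR
10.0.0.7 zr5tg1pk7n.cdn-updates.invalid TXT NXDOMAIN
10.0.0.9 api.example.org A NOERROR
"""

def shannon_entropy(label):
    """Bits of entropy per character; encoded or generated labels score near log2(len(label))."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def apex_domain(qname):
    """Assumption for this example: the apex is the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def flag_dns_tunneling(log_text, min_unique=4, min_entropy=3.0):
    """Group queries by (client, apex) and flag pairs with many distinct, high-entropy subdomains."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        client, qname, _qtype, rcode = parts
        labels = qname.rstrip(".").split(".")
        if len(labels) <= 2:
            continue  # bare apex query: no subdomain label to score
        per_pair[(client, apex_domain(qname))].append((labels[0], rcode))
    findings = []
    for (client, apex), entries in per_pair.items():
        unique = {sub for sub, _ in entries}
        avg_entropy = sum(shannon_entropy(s) for s in unique) / len(unique)
        nxdomain = sum(1 for _, rc in entries if rc == "NXDOMAIN")  # DGA fallback often yields NXDOMAIN bursts
        if len(unique) >= min_unique and avg_entropy >= min_entropy:
            findings.append({"client": client, "apex": apex, "unique_subdomains": len(unique),
                             "avg_entropy": round(avg_entropy, 2), "nxdomain": nxdomain})
    return findings

if __name__ == "__main__":
    for finding in flag_dns_tunneling(SAMPLE_LOG):
        print(finding)
```

Thresholds are deliberately conservative starting points; tune them against a baseline of your own resolver logs, and treat a hit as a lead for pivoting on the apex domain and the answering server, not as proof of infection.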