Decoy Dog Malware Evolves to Expand its Reach

What was found?

• Infoblox has detected the foundational elements of the campaign, with suspicious domain names connected to the campaign associated with Russian IP addresses. However, Russia’s involvement remains uncertain.
• Researchers estimate that over 100 devices are infected with Decoy Dog, and multiple groups could be responsible, potentially unrelated to the same nation-state. 
• In total, the researchers tracked 21 Decoy Dog domains, some of which were registered and deployed in the last month. 

Other noteworthy findings

• Ever since it was first discovered in April, Decoy Dog has undergone a major upgrade from Pupy, an open-source remote access tool, to disguise its activities and ensure long-term access to compromised devices.
• Some of the enhancements include the use of Python 3.8, improvements in Windows compatibility and memory operations, additional communication modules, and the ability to run arbitrary Java code by injecting it into a JVM thread. 
• Moreover, the new version comes with a domain-generation algorithm that acts as an emergency module for compromised machines to communicate via a third-party DNS server.

The bottom line