A deeper analysis of the recently discovered Decoy Dog malware has revealed that it is a significant upgrade over Pupy RAT, the open-source, Python-based remote access trojan it is modeled on. Malware of this type is used to gain remote control of a target computer. Threat actors have been observed abusing a legitimate Windows process, the one that reports errors for Windows and its applications, to distribute Pupy. RATs are designed to allow attackers to remotely control infected computers. Typically a RAT can log keystrokes, access the webcam and microphone, capture screenshots, drop additional malware (e.g., ransomware or crypto-mining malware), format drives, download, delete, or otherwise manage files, and more.
RATs are commonly used to blackmail victims, launch DDoS attacks, mine cryptocurrency, steal credit card details, social security numbers, passwords, and other sensitive information, drop additional malware, and so on. Threat actors use RATs mainly for financial gain.
Thus, having a computer infected with Pupy can lead to numerous issues (e.g., identity theft, monetary and data loss, slow computer performance). This RAT should be removed from an infected system as soon as possible.
Decoy Dog has a full suite of powerful, previously unknown capabilities, including the ability to move victims to another controller, which lets the operators maintain communication with compromised machines and remain hidden for long periods of time. Some victims have actively communicated with a Decoy Dog server for over a year.
Other new features allow the malware to execute arbitrary Java code on the client and to connect to emergency controllers using a mechanism similar to a traditional DNS domain generation algorithm (DGA), with the Decoy Dog domains engineered to respond to replayed DNS queries from breached clients. Decoy Dog adds functionality not available in Pupy; in particular, it has a command that tells the compromised device to stop talking to the current controller and start talking to another one. This could be determined through statistical analysis of the DNS queries.
The toolkit was first discovered by cybersecurity researchers in early April 2023 after they detected anomalous DNS beaconing activity, revealing highly targeted attacks against enterprise networks. The origins of Decoy Dog remain unclear, but it is suspected to be operated by a handful of nation-state actors who employ distinct tactics but whose controllers respond to inbound requests that match the structure of client communication.
Decoy Dog makes use of the domain name system (DNS) to perform command-and-control (C2). An endpoint that's compromised by the malware communicates with, and receives instructions from, a controller (i.e., a server) via DNS queries and IP address responses.
The threat actors behind the operation are said to have made swift adjustments to their attack infrastructure in response to the earlier disclosures, taking down some of the DNS nameservers as well as registering new replacement domains to establish remote persistence. Rather than shutting down their operation, the actor transferred existing compromised clients to the new controllers. This is an extraordinary response demonstrating the actor felt it necessary to maintain access to their existing victims.
The first known deployment of Decoy Dog dates back to March or April 2022, following which three other clusters were detected as under the control of different controllers. A total of 21 Decoy Dog domains have been detected to date. One set of controllers registered since April 2023 has adapted by incorporating a geofencing technique to limit responses to client IP addresses to certain locations, with observed activity limited to Russia and Eastern Europe.
The lack of insight into the underlying victim systems and the vulnerabilities being exploited makes Decoy Dog an ongoing and serious threat. According to the investigators, the best defense against this malware is DNS monitoring. We expect the actors to make changes of their own in response to the new reporting. They can change certain aspects of their C2, e.g., encodings, fairly easily, but other elements are difficult to change because they are inherent in the choice of DNS as a C2 mechanism.
The real question is why they chose to modify Pupy for their C2. What is it about that RAT that they either need or desire for these operations? There are plenty of other choices, yet they made this one with no other known malicious deployment of Pupy on record. How they react to this update will depend on why they chose to make or use Decoy Dog in the first place.
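The DNS properties the investigators describe as hard to change (a stream of queries carrying fresh data to one domain, issued on a timer) are exactly what a defender can key on in resolver logs. The following is an added example, not Infoblox or Red Sky Alliance tooling and not code from the Decoy Dog research: it scores each (client, registrable domain) pair in a query log on three features, number of distinct leftmost labels, mean label entropy, and regularity of the inter-query gaps. The log lines, domain names, addresses and thresholds are all constructed for the example and are not Decoy Dog indicators; the registrable-domain split (last two labels) is a deliberate simplification.

```python
"""Score a DNS query log for beacon-like C2: many distinct, high-entropy
leftmost labels under one domain, queried at a steady interval.

Added example, not Infoblox or Red Sky Alliance tooling; thresholds are
illustrative assumptions, not published Decoy Dog indicators.
"""
import math
import statistics
from collections import Counter, defaultdict

# Constructed log, "<epoch> <client> <qname> <qtype> <answer>"; every name,
# address and timestamp is made up for this example.
SAMPLE_LOG = """\
1680000000 10.1.2.3 k3p9xz2qa7mf4hd8.beacon-example.net A 198.51.100.7
1680000005 10.1.2.3 www.example.com A 203.0.113.10
1680000010 10.1.2.3 mail.example.net A 203.0.113.20
1680000012 10.1.2.4 host1.corp.example.org A 10.9.0.1
1680000061 10.1.2.3 w6bn1tyc5jrv0lq2.beacon-example.net A 198.51.100.7
1680000090 10.1.2.4 host2.corp.example.org A 10.9.0.2
1680000119 10.1.2.3 e8gs3ukh7dzx1pm4.beacon-example.net A 198.51.100.9
1680000130 10.1.2.3 www.example.com A 203.0.113.10
1680000133 10.1.2.3 www.example.com A 203.0.113.10
1680000180 10.1.2.3 r2vq9nbj6fwt5kc3.beacon-example.net A 198.51.100.7
1680000201 10.1.2.4 host3.corp.example.org A 10.9.0.3
1680000242 10.1.2.3 m7xa4zde1lhs8yp6.beacon-example.net A 198.51.100.7
1680000250 10.1.2.4 host4.corp.example.org A 10.9.0.4
1680000299 10.1.2.3 t5cj3qkw9ngr2bv7.beacon-example.net A 198.51.100.7
1680000360 10.1.2.3 h1fd8umz6pex4sa9.beacon-example.net A 198.51.100.7
1680000380 10.1.2.4 host5.corp.example.org A 10.9.0.5
1680000385 10.1.2.4 host6.corp.example.org A 10.9.0.6
1680000421 10.1.2.3 y4lr2vbk7cjq3wn5.beacon-example.net A 198.51.100.11
1680000479 10.1.2.3 z9ph6edx3msu1ga8.beacon-example.net A 198.51.100.7
1680000500 10.1.2.3 www.example.com A 203.0.113.10
1680000540 10.1.2.3 q3nw7tbc5rkj2vf4.beacon-example.net A 198.51.100.7
1680000590 10.1.2.4 host7.corp.example.org A 10.9.0.7
1680000602 10.1.2.3 a6sx1hpz8ymd4le7.beacon-example.net A 198.51.100.7
1680000659 10.1.2.3 v2cr5qjn9wtb3kg6.beacon-example.net A 198.51.100.7
1680000700 10.1.2.3 mail.example.net A 203.0.113.20
1680000710 10.1.2.4 host8.corp.example.org A 10.9.0.8
"""


def shannon_entropy(s):
    """Bits per character; a 16-character label of distinct characters scores 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (leftmost label, registrable domain). Simplification: the last two
    labels are taken as registrable; real code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def analyze(text, min_queries=8, min_entropy=3.0, max_cv=0.25):
    """Per (client, domain): flag when there are >= min_queries queries with as
    many distinct leftmost labels (fresh data per query), mean label entropy
    >= min_entropy (encoded, not a hostname) and the coefficient of variation
    of inter-query gaps <= max_cv (timer-driven, not user-driven)."""
    groups = defaultdict(lambda: ([], []))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        label, domain = split_name(parts[2])
        groups[(parts[1], domain)][0].append(int(parts[0]))
        groups[(parts[1], domain)][1].append(label)

    results = {}
    for key, (ts, labels) in groups.items():
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        labels = [l for l in labels if l]
        entropy = statistics.mean(map(shannon_entropy, labels)) if labels else 0.0
        cv = statistics.pstdev(gaps) / statistics.mean(gaps) if len(gaps) >= 2 and sum(gaps) > 0 else float("inf")
        results[key] = {
            "queries": len(ts),
            "distinct_labels": len(set(labels)),
            "mean_entropy": round(entropy, 2),
            "gap_cv": round(cv, 3),
            "suspicious": len(ts) >= min_queries and len(set(labels)) >= min_queries
            and entropy >= min_entropy and cv <= max_cv,
        }
    return results


def suspicious_pairs(text, **thresholds):
    """Flagged (client, domain) pairs, sorted for stable output."""
    return sorted(k for k, v in analyze(text, **thresholds).items() if v["suspicious"])


if __name__ == "__main__":
    for (client, domain), m in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{client:10} {domain:20} {'SUSPICIOUS' if m['suspicious'] else 'ok':10} {m}")
```

In the constructed log only 10.1.2.3 talking to beacon-example.net trips all three rules; the client that resolves eight different hosts under corp.example.org has enough distinct labels but fails the entropy rule, and the repeated www and mail lookups fail the distinct-label rule. An attacker can change the encoding (which shifts the entropy score) more easily than the fact that each query must carry new data and arrive on a schedule, which is why the three features are combined rather than used alone.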
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989