New 'Decoy Dog' Malware Kit

A recent analysis by cyber threat investigators of over 70 billion DNS records has led to the discovery of a new, sophisticated malware toolkit named Decoy Dog that targets enterprise networks. Decoy Dog, as the name implies, is evasive: it employs techniques such as strategic domain aging and DNS query dribbling, in which a series of queries is transmitted to the command-and-control (C2) domains in a way that does not arouse suspicion.

Decoy Dog is a cohesive toolkit with several highly unusual characteristics that make it uniquely identifiable, particularly when examining its domains on a DNS level. The cybersecurity firm, which identified the malware in early April 2023 following anomalous DNS beaconing activity, said its atypical characteristics allowed it to map additional domains that are part of the attack infrastructure.[1]

According to the researchers, the usage of Decoy Dog in the wild is "very rare," with the DNS signature matching less than 0.0000027% of the 370 million active domains on the internet. One of the chief components of the toolkit is Pupy RAT, an open-source Trojan that is delivered through a DNS tunneling method, in which DNS queries and responses serve as the C2 channel for stealthily dropping payloads. Pupy is a cross-platform, multi-function RAT and post-exploitation tool written mainly in Python. It follows an all-in-memory execution model and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote Python code, Python packages, and Python C-extensions from memory.

One notable aspect is the unusual DNS beaconing behavior of Decoy Dog domains: they follow a pattern of periodic but infrequent DNS requests to fly under the radar. Decoy Dog domains can be grouped together based on their shared registrars, name servers, IPs, and dynamic DNS providers. Together with the other commonalities between Decoy Dog domains, this points to either one threat actor gradually evolving their tactics or multiple threat actors deploying the same toolkit on different infrastructures.
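As an added illustration of the "periodic but infrequent" beaconing pattern described above (example code written for this page, not from the researchers or the article), the following Python flags query trains with long, regular gaps in a constructed resolver log. The log format, the domain names and the thresholds are assumptions, not values reported for Decoy Dog.

```python
"""Flag low-and-slow periodic DNS beaconing (added example, not vendor code).
Decoy Dog C2 domains are reported to receive periodic but infrequent queries;
this looks for that timing signature. Log format and thresholds are assumptions."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed resolver log: "<ISO timestamp> <client> <qname>", one per line
SAMPLE_LOG = """\
2023-04-01T00:00:00 10.0.0.5 www.example-cdn.test
2023-04-01T00:00:00 10.0.0.5 a1.beacon-example.test
2023-04-01T03:00:05 10.0.0.5 a2.beacon-example.test
2023-04-01T05:12:00 10.0.0.5 www.example-cdn.test
2023-04-01T06:00:02 10.0.0.5 a3.beacon-example.test
2023-04-01T08:44:10 10.0.0.5 mail.example-cdn.test
2023-04-01T09:00:07 10.0.0.5 a4.beacon-example.test
2023-04-01T12:00:01 10.0.0.5 a5.beacon-example.test
"""
EPOCH = datetime(1970, 1, 1)  # naive reference; log timestamps assumed UTC

def registered_domain(qname: str) -> str:
    """Last two labels of the query name (no public-suffix list; assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text: str) -> dict:
    """Group query times (seconds since EPOCH) by (client, registered domain)."""
    series = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, qname = parts
        series[(client, registered_domain(qname))].append(
            (datetime.fromisoformat(ts) - EPOCH).total_seconds())
    return series

def find_beacons(series, min_queries=4, min_gap=1800, max_cv=0.1):
    """Return [(client, domain, mean_gap_s)] for sparse, regular query trains.
    Regularity = coefficient of variation of inter-query gaps; a low CV with a
    long mean gap is the 'periodic but infrequent' pattern. Thresholds assumed."""
    hits = []
    for (client, domain), times in series.items():
        if len(times) < min_queries:
            continue  # too few observations to judge periodicity
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        if mean_gap >= min_gap and cv <= max_cv:
            hits.append((client, domain, round(mean_gap)))
    return hits
```

On the constructed log, only the beacon-example.test train (queries roughly every three hours with a few seconds of jitter) is flagged; the CDN-style lookups are too few and too irregular.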


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989


[1] https://thehackernews.com/2023/05/new-decoy-dog-malware-toolkit-uncovered.html
