Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Decoy Dog. Show all posts

Uncovering the Decoy Dog C2 Exploit: Infoblox's Finds Dangerous Threat

Decoy Dog

Finding recent reports on Domain Name System (DNS) attacks may prove difficult as a report by IDC in 2021 highlighted that 87% of organizations encountered a DNS attack in 2020. 

Despite this, DNS is not typically considered a prominent target in attacks, likely due to complex security terminologies such as DNS over TLS or HTTP. According to a report by CloudFlare, DNS queries in plaintext can be encrypted with TLS and HTTP to ensure secure and private browsing. 

In spite of this, Akamai's DNS threat report for Q3 highlighted a rise of 40% in DNS attacks during the corresponding quarter of the previous year. Furthermore, during Q3 of the previous year, 14% of all safeguarded devices communicated with a malicious designation at least once.

A new malware toolkit called Decoy Dog

The Infoblox Threat Intelligence Group, which examines billions of DNS records and millions of domain-related records daily, has identified a new malware toolkit called Decoy Dog that employs the Pupy remote access trojan. 

RenĂ©e Burton, Senior Director of Threat Intelligence at Infoblox, revealed that Pupy is an open-source tool that is complex to utilize and inadequately documented. Infoblox's findings indicate that the Decoy Dog toolkit is being employed in less than 3% of all networks, and the threat actor who controls it is linked to only 18 domains. 

Through a sequence of anomaly detectors, the team discovered Decoy Dog's activities and learned that it had been running a data exfiltration command and control system since early April 2022 for over a year, which no one else had detected.

Russian links

Infoblox's researchers discovered that the Decoy Dog C2 was primarily originating from hosts located in Russia, according to an analysis of external global DNS data. 

The concern with this malware is that no one knows precisely what it controls, even though its signature is known. 

Burton explained that command and control allow an attacker to take over systems and issue orders, such as extracting all of an individual's emails or shutting down a firewall. She also stated that Pupy, which is linked to Decoy Dog, has previously been associated with nation-state activities, despite not being easy for the average cybercriminal to access due to its complexity and lack of instructions on establishing the DNS nameserver required for C2 communications.

The RAT effect

Similar to legitimate remote access tools that allow technicians to showcase new systems or make repairs, RATs are straightforward to install and do not affect the computer's processing speed. These malicious tools can be delivered via email, video games, software, advertisements, and web pages. Pupy is a RAT that has particular C2 functionalities.

As per Burton,
  • RATs allow access to a system and some use C2 infrastructure for remote control.
  • Pupy is a challenging-to-detect, cross-platform, open-source C2 tool primarily coded in Python.
  • Decoy Dog is a rare type of Pupy deployment that can be identified through its DNS signature. According to Infoblox, only 18 domains match this signature out of 370 million.

Some common uses of RAT malware involve an attacker acquiring remote access to a laptop, then leasing it out to other threat actors who install more malware through its network access. This can result in a laptop becoming part of a botnet.

Toolkits that are small and unusual can pose hidden dangers

Hidden RATs, or malware of unknown origin that remains undetected, can pose significant risks. For example, in 2018, Israeli cyber-arms firm NSO Group developed a C2 spyware called Pegasus that could infiltrate and control various mobile devices, giving remote hackers access to a phone's cameras, location, microphone, and other sensors for surveillance purposes.

Amnesty International became involved when the Saudi government allegedly used Pegasus to spy on the family of Jamal Khashoggi, who had been murdered by government operatives.

Amnesty International's Security Lab recently uncovered another commercial spyware that went unnoticed for two years and utilized zero-day attacks against Google's Android operating systems. However, Infoblox had already blocked 89% of those domains before Amnesty's report, providing protection to its customers and verifying Amnesty's findings, according to Burton.