We take a look at the discovery of a long running malware toolkit campaign evading detection through its use of DNS.
Researchers at Infoblox have discovered a new toolkit being used in the wild called Decoy Dog. It targets enterprises, and has a fondness for deploying a remote access trojan called Pupy RAT.
Activity from the RAT was first noticed earlier this month. Subsequent research revealed that it has been in operation since at least April last year. An initial two domains were being used as Command & Control centers (C2), with almost all of the C2 communications originating from Russia.
From there, further research identified a DNS signature not related to Pupy components. This signature was so unique that its presence indicated not just the open source Pupy RAT, but the Decoy Dog toolkit being used for deployment. Infoblox claims that this unique DNS signature for Decoy Dog “matches less than 0.0000027% of the 370 million active domains on the internet”.
Pupy itself has been seen in numerous nation state attacks and other serious compromises. Back in 2020, it was at the heart of a European electricity association breach. Elsewhere, it was seen as part of a campaign called Magic Hound in 2017, which targeted Government and technology sectors in Saudi Arabia.
Pupy RAT is very good at hiding in networks for long periods of time and can infect several platforms including Windows, Linux, and mobile. It communicates with its C2 via DNS. This makes it harder to spot than more common forms of malicious activity due to its tiny footprint. Its open source nature means all manner of changes—such as detecting sandboxes, installing keyloggers, or dumping hashes from a target system—can be made to keep security teams on their toes.
It’s not easy to set up or make use of, as a result of the skill required to use the tool alongside effective DNS server configurations. This is not your average DIY bedroom coded malware operation, and anyone using this knows what they’re doing.
There is currently no evidence to suggest any consumer targets have been hit by the Decoy Dog/Pupy RAT combination. So far, everything Infoblox and other security vendors it’s consulted with has all been enterprise based. This makes sense; it would be rather peculiar to see something of this nature striking out at people in their homes. If you’re not an enterprise or running “large organisational, non-consumer devices” then this isn’t something you’re likely to run into.
Additionally, there’s no data shared on which sector is targeted by the above, so it’s currently impossible to say if it’s one specific realm of business at risk here or if the group behind these installations is picking targets at random. One would suspect the former. While the energy sector shows up in many historical Pupy attacks, that doesn’t mean this is the case here. Investigations into Decoy Dog and Pupy RAT are ongoing, so for now we have to hope that this particular spate of network compromise is still something of a rarity.
Users of Malwarebytes are protected against this threat.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
TRY NOW