An analysis of over 70 billion DNS records has led to the discovery of a new sophisticated malware toolkit dubbed Decoy Dog targeting enterprise networks.
Decoy Dog, as the name implies, is evasive and employs techniques like strategic domain aging and DNS query dribbling, wherein a series of queries are transmitted to the command-and-control (C2) domains so as to not arouse any suspicion.
The cybersecurity firm, which identified the malware in early April 2023 following anomalous DNS beaconing activity, said its atypical characteristics allowed it to map additional domains that are part of the attack infrastructure.
That said, the usage of Decoy Dog in the wild is “very rare,” with the DNS signature matching less than 0.0000027% of the 370 million active domains on the internet, according to the California-based company.
One of the chief components of the toolkit is Pupy RAT, an open source trojan that’s delivered by means of a method called DNS tunneling, in which DNS queries and responses are used as a C2 for stealthily dropping payloads.
It’s worth noting that the use of the cross-platform Pupy RAT has been linked to nation-state actors from China such as Earth Berberoka (aka GamblingPuppet) in the past, although there’s no evidence to suggest the actor’s involvement in this campaign.
Another crucial aspect is the unusual DNS beaconing behavior associated with Decoy Dog domains, such that they adhere to a pattern of periodic, but infrequent, DNS requests so as to fly under the radar.
“Given the other commonalities between Decoy Dog domains, this is indicative of either one threat actor gradually evolving their tactics, or multiple threat actors deploying the same toolkit on different infrastructure.”
Source: https://thehackernews.com/
