A deeper investigation into the recently uncovered Decoy Dog malware has revealed that it is a significant enhancement of Pupy RAT, the open-source remote access trojan from which it is derived.
Infoblox researchers report that Decoy Dog has a full range of powerful, previously unknown capabilities. Among them is the ability to move victims to a different controller, which keeps communication with compromised machines going and lets the malware stay hidden for long periods. In some cases, victims communicated continuously with a Decoy Dog server for more than a year.
Other new features let the malware execute arbitrary Java code on the client and connect to fallback controllers through a mechanism resembling a traditional DNS domain generation algorithm (DGA). Decoy Dog domains are designed to respond to replayed DNS queries from compromised clients.
The cybersecurity company first came across the toolkit in early April 2023, when it spotted anomalous DNS beaconing activity. That discovery revealed the highly targeted nature of the attacks on corporate networks.
The origins of Decoy Dog remain unclear, but it is suspected to be operated by a small group of threat actors of unknown nationality who use distinct tactics and respond to inbound requests that match the structure of client communication.
Decoy Dog uses the domain name system (DNS) for command-and-control (C2). A compromised endpoint communicates with a controller (essentially a server), receiving instructions through DNS queries and the IP address responses returned to them.
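As an added example (not Infoblox's code, nor any detection tied to Decoy Dog specifically), the following Python flags DNS beaconing of the kind described above: clients that query names under one registered domain at nearly constant intervals. The log format, client addresses and domain names are constructed for the example.

```python
"""Flag periodic DNS beaconing per (client, registered domain) from query logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (timestamp, client IP, queried name); not real indicators.
SAMPLE_LOG = """\
2023-04-03T10:00:00 10.1.1.20 a3f9.sub.example-c2.test
2023-04-03T10:00:30 10.1.1.20 b71c.sub.example-c2.test
2023-04-03T10:01:00 10.1.1.20 0e4d.sub.example-c2.test
2023-04-03T10:01:30 10.1.1.20 9bb2.sub.example-c2.test
2023-04-03T10:02:00 10.1.1.20 c5a0.sub.example-c2.test
2023-04-03T10:02:30 10.1.1.20 d8e1.sub.example-c2.test
2023-04-03T10:00:05 10.1.1.21 www.example.org
2023-04-03T10:07:41 10.1.1.21 cdn.example.org
2023-04-03T10:31:02 10.1.1.21 www.example.org
2023-04-03T11:04:19 10.1.1.21 mail.example.org
2023-04-03T12:40:33 10.1.1.21 www.example.org
"""

def registered_domain(qname: str) -> str:
    """Last two labels; enough for the sample (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text: str):
    """Group queries: {(client, domain): (sorted timestamps, distinct qnames)}."""
    groups = defaultdict(lambda: ([], set()))
    for line in text.splitlines():
        ts, client, qname = line.split()
        times, names = groups[(client, registered_domain(qname))]
        times.append(datetime.fromisoformat(ts))
        names.add(qname)
    return {k: (sorted(t), n) for k, (t, n) in groups.items()}

def find_beacons(text: str, min_queries: int = 5, max_cv: float = 0.2):
    """Return pairs whose inter-query gaps are nearly constant (cv = stdev/mean):
    browsing is bursty (high cv), a fixed-sleep beacon is regular (low cv)."""
    hits = []
    for (client, domain), (times, names) in parse_log(text).items():
        if len(times) < min_queries:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:  # unique_names: DNS C2 carries data in ever-changing labels
            hits.append({"client": client, "domain": domain, "period_s": round(avg, 1),
                         "cv": round(cv, 3), "unique_names": len(names)})
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

A high count of unique names per domain alongside a low cv is the stronger signal; the thresholds are starting points to tune against your own resolver logs.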
The adversaries behind the operation are reported to have reacted quickly to the initial disclosure by rapidly changing their attack infrastructure: they took down some DNS nameservers and registered new replacement domains to maintain remote persistence.
Infoblox observed, “The perpetrators didn’t cease their operations; instead, they relocated existing compromised clients to the newly-established controllers.” This response indicates that the perpetrators considered it necessary to keep access to their existing victims.
The earliest known deployment of Decoy Dog dates to late March or early April 2022; three additional clusters under the control of different controllers were found afterwards. So far, 21 Decoy Dog domains have been detected.
Notably, a set of controllers registered since April 2023 has adopted a geofencing technique that limits responses to client IP addresses from specific regions; recorded activity has been confined to certain geographical areas.
Dr. Renée Burton, head of threat intelligence at Infoblox, commented on the seriousness of the threat, saying, “The absence of insight into the victim systems and exploited vulnerabilities makes Decoy Dog a relentless and serious menace. The best defense against this malware is DNS.”