Specialists at Infoblox have detected a new malware toolkit targeting businesses, dubbed "Decoy Dog", while checking for abnormal DNS traffic. Attackers use Decoy Dog to evade conventional detection methods by strategically aging their domains and mimicking ordinary DNS requests, which builds a good reputation with security vendors. Infoblox researchers discovered the tool during routine analysis this month of over 70 billion DNS records in search of suspicious activity. Experts report that Decoy Dog's DNS signature is unique among the 370 million active domains on the internet, making it easier to trace. Characterizing the discovered domains as DNS tunnels led to the detection of several C2 servers linked to the operation, and the investigators found that they shared characteristics with the Pupy RAT remote access Trojan.
Further investigation revealed several other RATs, which are modular and support all major desktop and mobile operating systems, including Windows, macOS, Linux, and Android. RATs are commonly used by state-sponsored attackers because they support encrypted communication and allow multiple operators to collaborate. RATs let attackers remotely execute commands, escalate privileges, steal account credentials, and spread through the compromised network. Infoblox has added Decoy Dog to its list of "suspicious domains" and published a report to help security analysts, defenders, and targeted organizations protect themselves from the threat.
The investigation shows that Decoy Dog has been in operation since the beginning of last April and went undiscovered for more than a year. Despite showing significant fluctuations in its traffic analytics, its domains went unnoticed. Infoblox researchers urge organizations to take immediate steps to protect themselves from Decoy Dog and other RATs by identifying and blocking malicious traffic, using anti-malware software, and keeping their systems updated.
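The DNS-tunnel characterization that exposed these domains can be approximated with a few per-domain heuristics over ordinary resolver logs. The Python block below is an added illustration, not Infoblox's detection logic or anything taken from its report: it scores constructed log records (the hostnames are made up, not real Decoy Dog indicators) by subdomain randomness, label length, and the share of data-carrying query types, and flags a domain only when two indicators agree, so CDN-style names with many unique but short subdomains are not flagged.

```python
import math
from collections import Counter, defaultdict

# Constructed (client_ip, query_name, query_type) DNS log records; not real indicators.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A"), ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.6", "www.example.com", "A"), ("10.0.0.6", "api.example.com", "A"),
    # CDN-style names: many unique subdomains, but short low-entropy labels
    ("10.0.0.5", "img1.cdn-example.net", "A"), ("10.0.0.5", "img2.cdn-example.net", "A"),
    ("10.0.0.6", "img3.cdn-example.net", "A"), ("10.0.0.6", "img4.cdn-example.net", "A"),
    # Tunnel-like traffic: long random-looking labels carried in TXT queries
    ("10.0.0.9", "3f9a1c7e5b2d8046af91c3e7.c2-example.test", "TXT"),
    ("10.0.0.9", "8b2d4f6a1c3e5079e2a4c6f8.c2-example.test", "TXT"),
    ("10.0.0.9", "c7e1a3b5d9f2046813579bdf.c2-example.test", "TXT"),
    ("10.0.0.9", "0a2c4e6810fb3d5f79e1a3c5.c2-example.test", "TXT"),
]

def shannon_entropy(s):
    """Bits per character of s; 0.0 for the empty string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname):
    # Naive split: the last two labels are the registered domain, the rest is the prefix.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_domains(log, min_queries=4):
    """Per registered domain, compute tunnelling features; 'flagged' needs two indicators."""
    per_domain = defaultdict(list)
    for _client, qname, qtype in log:
        prefix, domain = split_name(qname)
        per_domain[domain].append((prefix, qtype))
    results = {}
    for domain, entries in per_domain.items():
        n = len(entries)
        if n < min_queries:
            continue  # too little traffic to judge
        prefixes = [p for p, _ in entries]
        uniq_ratio = len(set(prefixes)) / n
        mean_entropy = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / n
        mean_label = sum(max((len(l) for l in p.split(".")), default=0) for p in prefixes) / n
        data_qtypes = sum(t in ("TXT", "NULL") for _, t in entries) / n
        indicators = {"random_subdomains": uniq_ratio >= 0.8 and mean_entropy >= 3.0,
                      "long_labels": mean_label >= 20,
                      "data_carrying_qtypes": data_qtypes >= 0.5}
        results[domain] = {"queries": n, "unique_ratio": uniq_ratio, "indicators": indicators,
                           "flagged": sum(indicators.values()) >= 2}
    return results

def flagged_domains(log):
    return sorted(d for d, r in score_domains(log).items() if r["flagged"])
```

Thresholds are illustrative starting points; tune them against your own resolver baseline, since legitimate services such as DNS-based telemetry and anti-spam lookups also produce high-entropy subdomains.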