A new malware toolkit, Decoy Dog, is the latest tool threat actors have used to slip past standard detection and target enterprises. Researchers highlighted that the operators rely on DNS query dribbling (sending only a trickle of queries per domain so volume-based alerts never fire) and strategic domain ageing (registering domains well before use so reputation systems treat them as established) to avoid the defensive checks deployed in targeted networks.
Based on the reports, the toolkit's activity dates back to April 2022, but it was only discovered roughly a year later, when researchers stumbled across it while analysing more than 70 billion DNS records a day for malicious activity. The initial report described the toolkit's DNS signature as highly peculiar and one of a kind among the roughly 370 million active domains examined.
Continued investigation of the Decoy Dog infrastructure surfaced several C2 domains.
Mapping the infrastructure owned by the Decoy Dog operators allowed the researchers to link multiple command-and-control domains to a single operation. Communication with these domains predominantly went to Russia, which the researchers took as an indication that the operators were Russian; note that the location of C2 infrastructure by itself does not establish who is behind it.
The toolkit produced an atypical DNS signature that was spotted in enterprise networks in the U.S., South America, Europe, and Asia, across the healthcare, technology, financial, energy, and other sectors.
Further analysis showed that the DNS tunnelling behaviour on the identified domains matched that of Pupy RAT, the open-source remote access trojan that the Decoy Dog toolkit deploys.
The toolkit also exhibits a multi-part DNS signature, indicating that these domains were using Pupy in a more capable, targeted campaign against enterprise and large-organisation devices.
Analysts additionally observed DNS beaconing on every Decoy Dog domain: the operators configured the implants to generate DNS requests on a periodic but unusual schedule, so the queries arrive at near-constant intervals rather than at the irregular times that normal user activity produces.
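The periodic, low-volume DNS beaconing described above is exactly the kind of pattern a defender can hunt for in resolver logs without knowing the C2 domain in advance. The script below is an added example written for this page, not code from the researchers or from the Decoy Dog or Pupy projects: it groups queries by client and registrable domain, measures how regular the inter-query intervals are (coefficient of variation), and checks whether the leading labels are mostly unique, which is what data-carrying DNS tunnel queries look like. The log format (`epoch client qname qtype`), the sample log lines, the thresholds and the two-label approximation of the registrable domain are all assumptions made for the example; adapt the parser and thresholds to your own resolver logs.

```python
"""Detect periodic DNS beaconing in resolver logs.

Added example for illustration; not vendor or researcher code. The log
format, sample lines and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev
import math

# Constructed sample log: epoch seconds, client IP, query name, query type.
# 10.0.0.5: six TXT queries, exactly every 600 s, unique leading labels.
# 10.0.0.9: six queries with small jitter around a 300 s period.
# 10.0.0.7: six ordinary lookups at irregular times, repeated hostnames.
SAMPLE_LOG = """\
1681000000 10.0.0.5 a7f3k.cdn-update.example TXT
1681000600 10.0.0.5 b81qz.cdn-update.example TXT
1681001200 10.0.0.5 c09xd.cdn-update.example TXT
1681001800 10.0.0.5 d2m4e.cdn-update.example TXT
1681002400 10.0.0.5 e6y1p.cdn-update.example TXT
1681003000 10.0.0.5 f3t8w.cdn-update.example TXT
1681000100 10.0.0.9 x1.telemetry.example A
1681000400 10.0.0.9 x2.telemetry.example A
1681000710 10.0.0.9 x3.telemetry.example A
1681001000 10.0.0.9 x4.telemetry.example A
1681001305 10.0.0.9 x5.telemetry.example A
1681001600 10.0.0.9 x6.telemetry.example A
1681000012 10.0.0.7 www.example.org A
1681000300 10.0.0.7 mail.example.org A
1681003900 10.0.0.7 www.example.org A
1681004000 10.0.0.7 www.example.org A
1681004040 10.0.0.7 mail.example.org A
1681006040 10.0.0.7 www.example.org A
"""


def registered_domain(qname, suffix_labels=2):
    """Approximate the registrable domain by keeping the last N labels.
    Assumption for the example: real deployments should use a public
    suffix list (e.g. the tldextract package) instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-suffix_labels:])


def parse_log(text):
    """Yield (epoch, client, qname, qtype) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the hunt
        ts, client, qname, qtype = parts
        yield int(ts), client, qname.lower(), qtype.upper()


def shannon_entropy(s):
    """Bits per character of a label; high values hint at encoded data."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_beacons(text, min_queries=5, max_cv=0.1, min_unique_ratio=0.8):
    """Return {(client, domain): stats} for pairs whose timing looks like a
    beacon: enough queries, near-constant interval (low coefficient of
    variation) and mostly unique leading labels (data-carrying queries)."""
    groups = defaultdict(list)
    for ts, client, qname, _qtype in parse_log(text):
        groups[(client, registered_domain(qname))].append((ts, qname))

    hits = {}
    for (client, domain), events in groups.items():
        if len(events) < min_queries:
            continue
        events.sort()
        times = [t for t, _ in events]
        intervals = [b - a for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        # Leading labels only: strip ".<domain>" from the end of each qname.
        subs = [q[: -len(domain) - 1] for _, q in events]
        unique_ratio = len(set(subs)) / len(subs)
        label_entropy = mean(shannon_entropy(s.replace(".", "")) for s in subs)
        if cv <= max_cv and unique_ratio >= min_unique_ratio:
            hits[(client, domain)] = {
                "queries": len(events),
                "period_s": avg,
                "cv": cv,
                "unique_ratio": unique_ratio,
                "label_entropy": label_entropy,
            }
    return hits


if __name__ == "__main__":
    for (client, domain), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {stats}")
```

Against the constructed log, only the two periodic clients are reported; the irregular browsing from 10.0.0.7 fails both the timing and the unique-label checks. In practice the interval threshold should be tuned per environment, long-lived monitoring software also beacons regularly and needs an allow-list, and the domain-age signal the operators exploit has to come from registration data rather than from the logs themselves.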
The threat actors evaded security tooling and analyst scrutiny for over a year, even though the toolkit's domains stood out clearly in DNS analytics.
The Decoy Dog operators have left a trace in DNS that is very hard for researchers to detect and isolate. The researchers therefore called for broad, cross-industry collaboration to fully dissect the new toolkit and its command-and-control activity.
