A sophisticated variant of the Decoy Dog malware, designed for Windows, is being used in a wave of cyberattacks on Russian companies. Researchers have detected these instances as a part of “Operation Lahat,” which they link to the HellHounds advanced persistent threat (APT) group.
HellHounds has a prominent track record of stealthily infiltrating targeted organisations and staying there for extended periods. It does this by exploiting vulnerabilities in web services and by abusing trusted connections within the compromised networks. Security researchers first reported the HellHounds’ operations in November 2023, after an unidentified power company fell prey to the Decoy Dog trojan.
HellHounds has since breached 48 Russian institutions, including telecom providers, IT corporations, government agencies, and space industry businesses. Although development of HellHounds’ malware dates back to November 2019, the group appears to have been targeting Russian organisations at least since 2021.
Decoy Dog malware excels in maintaining remote control and avoiding detection by switching between controllers.
Decoy Dog is a modified version of the open-source Pupy RAT that communicates with its command-and-control (C2) servers via DNS tunnelling, allowing for remote control of compromised systems. The malware’s capacity to switch between controllers to maintain constant connection and avoid detection is one of its main features.
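DNS-tunnelling C2 of the kind described above leaves a characteristic trace in resolver logs: many queries under one registered domain, each carrying a long, high-entropy subdomain, often using record types such as TXT or NULL that ordinary clients rarely request. The Python below is an added example of a defender-side heuristic, not code from the researchers’ report or from Pupy/Decoy Dog. The log line format (`<timestamp> <client> <qtype> <qname>`), the scoring thresholds and the `tunnel-demo.test` domain are all constructed assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<unix_ts> <client_ip> <qtype> <qname>".
# The tunnel-demo.test queries are synthetic: each 32-char label is two
# permutations of the 16 hex digits, so their entropy is exactly 4.0 bits/char.
SAMPLE_LOG = """\
1717000001 10.0.0.5 A www.example.com
1717000002 10.0.0.7 AAAA mail.example.com
1717000003 10.0.0.5 A www.example.com
1717000004 10.0.0.9 A cdn.example.org
1717000005 10.0.0.7 A api-v2-eu-west-1.cloudprovider.test
1717000006 10.0.0.5 TXT 7b3a9f1c2e4d5068d4a1b9c2e5f36078.0f1e2d3c4b5a6978a5b4c3d2e1f06789.tunnel-demo.test
1717000007 10.0.0.5 TXT 3e7a1f9b5c2d4806b2d8f0a6c4e19735.9a8b7c6d5e4f32101f3d5b7a9c0e2468.tunnel-demo.test
1717000008 10.0.0.5 TXT c4e2a0f8d6b197355d9f1b3a7c2e4680.6f0e9d8c7b5a4321e1c3a5f7b9d02468.tunnel-demo.test
1717000009 10.0.0.5 TXT 2b4d6f8a0c1e3579f7e5d3c1b9a08642.8c6a4e2f0b9d75314a8c0e2f6b1d3957.tunnel-demo.test
"""

# Record types that legitimate clients seldom query but tunnels lean on.
RARE_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex-encoded payloads approach 4.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Simplification: treat the last two labels as the registered domain
    (a real deployment would use the Public Suffix List)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def parse_line(line: str):
    parts = line.split()
    if len(parts) != 4:
        return None  # skip malformed lines rather than crash on them
    ts, client, qtype, qname = parts
    return {"ts": int(ts), "client": client,
            "qtype": qtype.upper(), "qname": qname.lower().rstrip(".")}


def profile_domains(lines):
    """Aggregate per-registered-domain statistics relevant to tunnelling."""
    stats = defaultdict(lambda: {"queries": 0, "unique_subdomains": set(),
                                 "subdomain_len_total": 0, "entropy_total": 0.0,
                                 "rare_qtype": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dom = registered_domain(rec["qname"])
        sub = rec["qname"][: -len(dom)].rstrip(".") if rec["qname"].endswith(dom) else ""
        s = stats[dom]
        s["queries"] += 1
        s["unique_subdomains"].add(sub)
        s["subdomain_len_total"] += len(sub)
        s["entropy_total"] += shannon_entropy(sub.replace(".", ""))
        if rec["qtype"] in RARE_QTYPES:
            s["rare_qtype"] += 1
    return stats


def score_domain(s) -> tuple:
    """Score 0-4 from four independent tunnelling indicators (thresholds assumed)."""
    n = s["queries"]
    avg_len = s["subdomain_len_total"] / n
    avg_ent = s["entropy_total"] / n
    uniq_ratio = len(s["unique_subdomains"]) / n
    rare_ratio = s["rare_qtype"] / n
    score = 0
    score += avg_len > 40            # payload-sized subdomains
    score += avg_ent > 3.5           # encoded data rather than words
    score += n >= 3 and uniq_ratio > 0.8  # nearly every query is a fresh name
    score += rare_ratio > 0.5        # mostly TXT/NULL/CNAME
    return int(score), {"avg_len": avg_len, "avg_entropy": avg_ent,
                        "unique_ratio": uniq_ratio, "rare_qtype_ratio": rare_ratio}


def detect_tunnelling(lines, threshold: int = 3):
    """Return registered domains whose score meets the threshold."""
    return sorted(dom for dom, s in profile_domains(lines).items()
                  if score_domain(s)[0] >= threshold)


if __name__ == "__main__":
    for dom, s in profile_domains(SAMPLE_LOG.splitlines()).items():
        print(dom, score_domain(s))
    print("flagged:", detect_tunnelling(SAMPLE_LOG.splitlines()))
```

The four indicators are deliberately independent so that a single long but ordinary hostname such as `api-v2-eu-west-1.cloudprovider.test` does not trip the detector, while a domain receiving a stream of unique, high-entropy TXT lookups does. In production the same counters would be fed from resolver or Zeek `dns.log` data and tuned against a baseline of the organisation's own traffic.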
When the Decoy Dog attacks first started, they were mostly limited to Linux computers in Eastern Europe and Russia. Although a cybersecurity company hinted at a Windows version in July 2023, it was only confirmed later. The Windows version is delivered by a loader that uses a particular infrastructure to acquire the key needed to decrypt the payload.
Further investigation revealed that HellHounds uses a modified version of 3snake, another open-source program, to obtain login credentials on Linux systems. In at least two cases, contractors’ Secure Shell (SSH) login credentials were obtained this way, giving the attackers initial access.
Security researchers highlighted the group’s capacity to maintain a sustained presence within crucial organisations. Although HellHounds relies mostly on open-source tools, it successfully modifies them to bypass malware defences, ensuring extended covert operations.
Strong cybersecurity protections are essential, especially for companies operating in high-risk industries, as demonstrated by the ongoing threat posed by HellHounds. Vigilance and proactive defence methods are critical to countering the group’s sophisticated attacks as it continues to evolve and improve its tools.
