Infoblox Inc., the provider of a simplified, cloud-enabled networking and security platform, made a striking revelation with the release of its second threat report. The report provides critical updates on “Decoy Dog,” a highly sophisticated remote access trojan (RAT) toolkit initially discovered and disclosed by the company in April 2023. This malware utilizes DNS for establishing command and control (C2) and is believed to be a clandestine weapon wielded in ongoing nation-state cyber attacks.
Following Infoblox’s disclosure of the toolkit, the threat actors behind Decoy Dog acted swiftly, adapting their systems to ensure uninterrupted operations. This response underscores the attackers’ emphasis on maintaining access to compromised devices as a top priority. The analysis indicates that the malware’s usage has expanded, with at least three different actors now employing it. Although Decoy Dog is based on the open-source RAT Pupy, it represents a fundamentally new, previously unknown malware with numerous features that enable it to persist on compromised devices. While many aspects of Decoy Dog remain shrouded in mystery, all signs point to nation-state hackers being the orchestrators. In a move to support further investigation by the industry into the C2 systems, Infoblox has released a new dataset containing DNS traffic captured from its servers.
A pressing question within the industry is whether networks are truly secure if DNS monitoring is not in place. The risk of Decoy Dog and its impact on organizations worldwide is significant and growing. Presently, the only known effective means to detect and defend against Decoy Dog/Pupy is through DNS Detection and Response systems like Infoblox’s BloxOne® Threat Defense.
Scott Harrell, President and CEO of Infoblox, emphasized the importance of DNS as the first line of defense against threats like Decoy Dog. He stated, “Infoblox offers the industry’s top-tier DNS Detection and Response solution, providing companies with a comprehensive defense that other XDR solutions would overlook. Studying and deeply understanding the attacker’s tactics and techniques empowers us to thwart threats even before they are formally recognized as malware.”
By conducting extensive DNS analysis, Infoblox has gained valuable insights into the malware’s key features and the actors behind it. Following the initial disclosure on social media, each Decoy Dog threat actor responded in distinct ways. Some name servers mentioned in Infoblox’s April 2023 report were taken down, while others shifted their victims to new servers. However, Infoblox has continued to track their activities and has acquired significant knowledge about them. The nature of some communications has been inferred, and it appears that the number of compromised devices remains relatively small. Infoblox has successfully distinguished Decoy Dog from Pupy and identified the former’s array of potent, previously undisclosed capabilities, such as the ability to move victims to another controller, enabling sustained communication with compromised machines while remaining concealed for prolonged periods. Astonishingly, some victims have been actively communicating with a Decoy Dog server for over a year.
Dr. Renée Burton, Head of Threat Intelligence at Infoblox, warned about the ongoing and serious threat posed by Decoy Dog due to the lack of insight into the underlying victim systems and the vulnerabilities exploited. DNS, she asserted, is undervalued as a critical component in the security ecosystem, and enterprises with a robust protective DNS strategy are best equipped to shield themselves from such hidden threats.
Presently, Infoblox is closely monitoring 20 Decoy Dog domains, several of which were registered and deployed within the last month. This toolkit expertly exploits the inherent weakness of the malware-centric intelligence ecosystem that currently dominates the security industry. Moreover, Decoy Dog’s discovery was solely possible through DNS threat detection algorithms. To fend off these attacks, organizations must prioritize protection at the DNS level within their networks. Infoblox’s BloxOne® Threat Defense customers remain safeguarded from Decoy Dog and other known malicious threat actors.
Infoblox urges the industry to advance this research, delve deeper into the subject, and share their findings.
Real-Life Insight into Pupy at BlackHat: Dr. Renée Burton will present a detailed analysis titled “Decoy Dog is No Ordinary Pupy” at the Black Hat cybersecurity conference in Las Vegas on Wednesday, August 9, from 1:15 pm to 1:35 pm PT. Throughout the event, attendees will have the opportunity to engage with Infoblox researchers and demonstrate their skills through a series of hands-on challenges using a live Pupy controller via Infoblox’s Double Dog Dare experience. Additional brief introductions to Decoy Dog and Pupy will also take place at the booth theater on both days. This unique experience will allow participants to witness firsthand how DNS traffic facilitates communication between the client and server, enhancing their understanding of the severe threat posed by this malware.
Unveiling the Hidden Potential of DNS in Security: Decoy Dog and Pupy capitalize on the lack of DNS oversight often found in networks. Astonishingly, over 90% of all malware exploits DNS in some manner. Recognizing the imperative for security professionals to understand how malware manipulates DNS and how DNS Detection and Response can effectively thwart such attacks, experts in the field have recently released a new book titled “The Hidden Potential of DNS in Security.” This comprehensive guide covers everything readers need to know about lookalike domains, domain-generated algorithms (DGAs), DNS tunneling, data exfiltration over DNS, the motivations behind hackers’ use of DNS, and effective defense strategies against these attacks. The book is available for purchase on Amazon.
