Infoblox Inc., which provides a simplified, cloud-enabled networking and security platform for enhanced performance and protection, has published a threat report blog on a remote access trojan (RAT) toolkit with DNS command and control (C2). The toolkit generated an anomalous DNS signature that was observed in enterprise networks across the United States, Europe, South America, and Asia in the technology, healthcare, energy, financial, and other sectors. Some of these communications are routed to a Russian controller.
Infoblox’s Threat Intelligence Group was the first to discover this toolkit, dubbed “Decoy Dog,” and is working with other security vendors and customers to disrupt this activity, identify the attack vector, and secure global networks. The critical insight is that DNS anomalies measured over time not only revealed the RAT, but also eventually linked seemingly unrelated C2 communications.
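The passage above states that DNS anomalies measured over time both exposed the RAT and linked C2 channels that looked unrelated. The following is an added illustration of that idea in defender code; it is not Infoblox's detection logic and it does not reproduce the Decoy Dog signature, which the text does not describe. It assumes a constructed query log of "<epoch> <client_ip> <qname> <answer_ip>" lines, treats a client that queries many unique high-entropy subdomains of one domain at a regular cadence as a DNS C2 candidate, and then groups flagged domains that resolve to the same address. The domain names, client and server IPs, thresholds and function names are all assumptions made for this example.

```python
"""Toy DNS C2 anomaly detector (added example; assumptions, not Infoblox's method)."""
import hashlib
import math
import statistics
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of s: near 4.0 for uniform hex, low for real words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registrable domain: the last two labels (no public-suffix list here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Assumed log format: '<epoch> <client_ip> <qname> <answer_ip>'."""
    ts, client, qname, answer = line.split()
    return float(ts), client, qname.lower(), answer


def profile_sessions(lines):
    """Per (client, domain): query count, unique-name ratio, mean entropy of the
    leading label, and coefficient of variation (CV) of the inter-query gaps.
    A low CV means the queries arrive on a fixed schedule, i.e. beaconing."""
    buckets = defaultdict(list)
    for line in lines:
        ts, client, qname, _ = parse_line(line)
        buckets[(client, registered_domain(qname))].append((ts, qname))
    profiles = {}
    for key, events in buckets.items():
        events.sort()
        times = [t for t, _ in events]
        names = [q for _, q in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) > 1 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        else:
            cv = float("inf")
        leading = [q.split(".")[0] for q in names]
        profiles[key] = {
            "queries": len(names),
            "unique_ratio": len(set(names)) / len(names),
            "mean_entropy": statistics.mean(shannon_entropy(l) for l in leading),
            "gap_cv": cv,
        }
    return profiles


def flag_c2(profiles, min_queries=8, min_unique=0.9, min_entropy=3.0, max_cv=0.2):
    """Thresholds are assumptions chosen for this example, not tuned values."""
    return sorted(k for k, p in profiles.items()
                  if p["queries"] >= min_queries and p["unique_ratio"] >= min_unique
                  and p["mean_entropy"] >= min_entropy and p["gap_cv"] <= max_cv)


def link_by_answer(lines, flagged):
    """Pivot: flagged domains that resolve to the same IP are reported as one
    campaign, linking channels that look unrelated by name alone."""
    flagged_domains = {d for _, d in flagged}
    groups = defaultdict(set)
    for line in lines:
        _, _, qname, answer = parse_line(line)
        d = registered_domain(qname)
        if d in flagged_domains:
            groups[answer].add(d)
    return {ip: sorted(ds) for ip, ds in groups.items() if len(ds) > 1}


def analyze(lines):
    profiles = profile_sessions(lines)
    flagged = flag_c2(profiles)
    return {"flagged": flagged, "linked": link_by_answer(lines, flagged)}


def build_sample_log():
    """Constructed log: 10.0.0.9 beacons every ~60 s, alternating between two
    domains that both answer 203.0.113.7; 10.0.0.5 browses ordinary names."""
    lines = []
    jitter = [0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 1, 0]
    for i in range(20):
        label = hashlib.sha256(f"beacon-{i}".encode()).hexdigest()[:24]
        dom = "c2-example-one.test" if i % 2 == 0 else "c2-example-two.test"
        lines.append(f"{1000 + 60 * i + jitter[i % 12]} 10.0.0.9 {label}.{dom} 203.0.113.7")
    noise_times = [1003, 1020, 1091, 1099, 1230, 1235, 1400, 1402, 1680, 1700]
    noise_names = ["www", "www", "mail", "www", "cdn", "www", "mail", "www", "cdn", "www"]
    for t, lab in zip(noise_times, noise_names):
        lines.append(f"{t} 10.0.0.5 {lab}.example.com 198.51.100.{len(lab)}")
    return lines


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

Each of the three signals on its own produces false positives (CDNs use many hostnames, monitoring agents poll on a schedule), which is why the example requires all of them over a window of queries rather than judging single lookups; the resolution pivot is what turns two separately flagged domains into one linked finding.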
“Decoy Dog is a stark reminder of the importance of having a strong, protective DNS strategy,” said Renée Burton, Senior Director of Threat Intelligence for Infoblox. “Infoblox is focused on detecting threats in DNS, disrupting attacks before they start, and allowing customers to focus on their own business.”
As a specialized DNS-based security vendor, Infoblox tracks adversary infrastructure and can see suspicious activity early in the threat lifecycle, where there is “intent to compromise” and before the actual attack starts. As a normal course of business, any indicators that are deemed suspicious are included in Infoblox’s Suspicious domain feeds, delivered directly to customers, to help them preemptively protect themselves against new and emerging threats.
“While we automatically detect thousands of suspicious domains every day at the DNS level, with this level of correlation it’s rare to discover these activities all originating from the same toolkit leveraging DNS for command-and-control,” added Burton.
The Infoblox team is working around the clock to understand the DNS activity. Complex problems like this one highlight the need for an industry-wide intelligence-in-depth strategy where everyone contributes to understanding the entire scope of a threat.