Infoblox uncovers DNS Malware Toolkit & urges companies to block malicious domains

Infoblox Inc., which provides a simplified, cloud-enabled networking and security platform for enhanced performance and protection, has published a threat report blog on a remote access trojan (RAT) toolkit with DNS command and control (C2). The toolkit generated an anomalous DNS signature that was observed in enterprise networks across the United States, Europe, South America, and Asia in the technology, healthcare, energy, financial, and other sectors. Some of these communications are routed to a Russian controller.

Infoblox’s Threat Intelligence Group was the first to discover this toolkit, dubbed “Decoy Dog,” and is working with other security vendors and customers to disrupt this activity, identify the attack vector, and secure global networks. The critical insight is that DNS anomalies measured over time not only revealed the RAT, but also eventually linked seemingly unrelated C2 communications.

“Decoy Dog is a stark reminder of the importance of having a strong, protective DNS strategy,” said Renée Burton, Senior Director of Threat Intelligence for Infoblox. “Infoblox is focused on detecting threats in DNS, disrupting attacks before they start, and allowing customers to focus on their own business.”

As a specialized DNS-based security vendor, Infoblox tracks adversary infrastructure and can see suspicious activity early in the threat lifecycle, where there is “intent to compromise” and before the actual attack starts. As a normal course of business, any indicators that are deemed suspicious are included in Infoblox’s Suspicious domain feeds, direct to customers, to help them preemptively protect themselves against new and emerging threats.

Threat Discovery, Anatomy & Mitigation:

• Infoblox discovered activity from the remote access trojan (RAT) Pupy active in multiple enterprise networks in early April 2023. This C2 communication went undiscovered since April 2022.
• The RAT was detected from anomalous DNS activity on limited networks and in network devices such as firewalls; not user devices such as laptops or mobile devices.
• The RAT creates a footprint in DNS that is extremely hard to detect in isolation but, when analyzed in a global cloud-based protective DNS system like Infoblox’s BloxOne® Threat Defense, demonstrates strong outlier behavior. Further it allowed Infoblox to tie the disparate domains together.
• C2 communications are made over DNS and are based on an open-source RAT called Pupy. While this is an open-source project, it has been consistently associated with nation-state actors.
• Organizations with protective DNS can mitigate their risk. BloxOne Threat Defense customers are protected from these suspicious domains.
• In this case, Russian C2 domains were already included in the Suspicious domains feeds in BloxOne Threat Defense (Advanced) back in the fall of 2022. In addition to the Suspicious Domains feed, these domains have now been added to Infoblox’s anti-malware feed.
• Infoblox continues to urge organizations to block the following domains:
  • claudfront[.]net
  • allowlisted[.]net
  • atlas-upd[.]com
  • ads-tm-glb[.]click
  • cbox4[.]ignorelist[.]com
  • hsdps[.]cc

“While we automatically detect thousands of suspicious domains every day at the DNS level – and with this level of correlation, it’s rare to discover these activities all originating from the same toolkit leveraging DNS for command-and-control,” added Burton.

The Infoblox team is working around the clock to understand the DNS activity. Complex problems like this one highlight the need for an industry-wide intelligence-in-depth strategy where everyone contributes to understanding the entire scope of a threat.