Decoy Dog Malware Threatens Enterprise Networks

A new malware threat has emerged that is specifically targeting enterprise networks. Decoy Dog, a sophisticated toolkit that includes a RAT (remote access Trojan) called Pupy, has been identified by Infoblox Threat Intelligence Group.

The toolkit has unique characteristics that make it easy to identify, including a highly unusual DNS signature that is present in less than 0.0000027% of active domains on the internet.

Decoy Dog was first detected in early April 2022, with activity initially limited to a single C2 domain, cbox4[.]ignorelist[.]com.

Timeline of suspicious domain reviews by Infoblox algorithms.

However, within six weeks, an additional domain with a controller in Russian IP space was visible in Infoblox networks.

It carried the same DNS signature and was a lookalike for the Amazon service CloudFront.

Further investigation revealed additional domains that had been registered and aged for varying lengths of time before being observed in global DNS or Infoblox networks.

Domains flagged in early April 2023 for anomalous DNS beaconing activity

All of these domains use the Decoy Dog toolkit, which is heavily reliant on Pupy RAT.

The toolkit has several unique characteristics that make it stand out from other malware threats, including periodic but infrequent DNS requests that make it difficult to detect without a preventative DNS solution.

Decoy Dog domains have also only been observed on enterprise networks, with zero evidence of activity on consumer devices.

The timelines of Decoy Dog domain activity.

The Infoblox Threat Intelligence Group found that almost none of the major security vendors had flagged Decoy Dog as suspicious or malicious, with some indicating that the domains were low risk or reputable.

Beyond a single Telegram posting, no available intelligence tied the domains together or connected them to the limited set of enterprise environments in which they appeared, and this gap was a cause for concern.

Decoy Dog appears to be establishing C2 communication channels relatively soon after domain creation, and its DNS queries have unusual characteristics that allow for flagging of domains that are believed to belong to the threat actor.

The domains resolve intermittently and at very low volumes, and they show resolution IP addresses in an unusually high number of ASNs, a behavior typical of encoded IP addresses.
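The resolution pattern described above (few queries, with answers scattered across an unusually large number of ASNs) can be turned into a simple passive-DNS heuristic. The following is an added example written for this article, not Infoblox's tooling; the records and the prefix-to-ASN table are constructed sample data, and no real Decoy Dog indicators are used.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed passive-DNS observations: (domain, resolved IPv4).
# Sample values only; none of these are real Decoy Dog indicators.
SAMPLE_RECORDS = [
    ("beacon-x.example", "203.0.113.7"),
    ("beacon-x.example", "198.51.100.22"),
    ("beacon-x.example", "192.0.2.140"),
    ("beacon-x.example", "203.0.113.201"),
] + [("cdn.legit.example", "203.0.113.10")] * 48

# Hypothetical prefix-to-ASN table standing in for a real IP-to-ASN database.
PREFIX_TO_ASN = {
    "203.0.113.0/25": 64500,
    "203.0.113.128/25": 64501,
    "198.51.100.0/24": 64502,
    "192.0.2.0/24": 64503,
}


def asn_for(ip: str) -> Optional[int]:
    """Map a resolved address to its (hypothetical) origin ASN, or None if unknown."""
    addr = ip_address(ip)
    for prefix, asn in PREFIX_TO_ASN.items():
        if addr in ip_network(prefix):
            return asn
    return None


def profile_domains(records):
    """Per domain: query volume, distinct answers and distinct origin ASNs."""
    stats = defaultdict(lambda: {"queries": 0, "ips": set(), "asns": set()})
    for domain, ip in records:
        s = stats[domain]
        s["queries"] += 1
        s["ips"].add(ip)
        asn = asn_for(ip)
        if asn is not None:
            s["asns"].add(asn)
    return stats


def flag_beacon_candidates(records, max_queries=10, min_asns=3, min_asn_ratio=0.75):
    """Flag low-volume domains whose few answers are spread over many ASNs.

    Ordinary hosting answers from one or two ASNs; a handful of answers that
    each land in a different ASN matches the encoded-IP behaviour noted above.
    """
    flagged = []
    for domain, s in profile_domains(records).items():
        asn_ratio = len(s["asns"]) / len(s["ips"])
        if (s["queries"] <= max_queries and len(s["asns"]) >= min_asns
                and asn_ratio >= min_asn_ratio):
            flagged.append(domain)
    return sorted(flagged)
```

The thresholds are starting points to tune against your own resolver baseline; a CDN with genuine multi-ASN anycast will show high ASN spread but also high query volume, which is why both conditions are required.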

The fact that Decoy Dog is specifically targeting enterprise networks, which provide critical goods and services to the world economy, has alarmed Infoblox.

The malware’s persistent, previously unknown, low-profile communication behavior is consistent with DNS beacons, indicating that it poses a significant threat to the security of enterprise networks.