Skip to content

Novel malware toolkit discovered from analysis of 70 billion DNS queries

  • by
  • 3 min read

A novel malware toolkit, “Decoy Dog” has been helping threat actors evade standard detection methods through strategic domain ageing and DNS query dribbling. The entire process hinges on gaining a good reputation with security vendors before initiating malicious activity. 

The toolkit was discovered by Infoblox researchers in April 2023 as part of their analysis of over 70 billion DNS records daily to look for abnormalities or suspicious activities. The researchers also report that the malware’s DNS fingerprint is rather rare and unique among the internet’s 370 million active domains, making it easier to find and track. 

This is an image of decoy dog timeline
The timelines of Decoy Dog domain activity. | Source: Infoblox

Investigation into the malware’s infrastructure further revealed several Command and Control (C2) domains that were all linked to the same operation. Most of the traffic on these servers originated from Russian hosts. Additionally, the DNS tunnels of these domains were similar in nature to those pointed to Pupy RAT, a remote access trojan deployed by the malware toolkit. 

The hosting and domain registration details revealed that the operation has been active since at least April 2022. As for its RAT, Pupy RAT is a modular, open-source, post-exploitation toolkit popular among state-sponsored threat actors for supporting C2 communications while also blending their activities with other users of the tool making it difficult to point out a specific user. That said, deploying the tool properly does require some degree of DNS server configuration knowledge and expertise. 

Infoblox researchers were able to link the domains by matching their multiple-part DNS signatures which not only gave them “strong confidence” that the correlated domains were using Pupy RAT but also that they were all part of Decoy Dog — a large toolkit that deployed Pupy RAT in a very specific manner on enterprise or large organisational, non-consumer devices. 

This is an image of decoy dog pattern
Figure showing the 8×8 repeating pattern of Decoy Dog IPv4 resolution. | Source: Infoblox

The fact that the toolkit remained under the radar for over a year is surprising given its outliers in analytics. That said, researchers also discovered a distinct DNS beaconing behaviour on all Decoy Dog domains that are configured to follow a specific pattern of periodic (yet infrequent) DNS request generation. This infrequent design might very well have kept the toolkit off the radar. 

Regardless, the company has shared the indicators of compromise in a public Github repository for manual addition to blocklists and has listed Decoy Dog domains in its report to help defenders and security analysts protect against the threat. 

In the News: Data on resold corporate routers can cause network breaches

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

Related Reads

This is an image of cyber security hacked breach

Case study reveals Chinese hackers spent over 300 days in US electricity grid

This is an image of iphone with apple logo

Match Group, AIDF denied Apple’s confidential antitrust data

Photo: ascannio / shutterstock. Com

X’s outage can’t be traced by researchers and Musk alike

This is an image of malware featured security

DPRK’s KoSpy spyware targets SK, India, Russia, and Middle East

This is an image of honey featured 1

Google updates Chrome Extension policy after Honey scam

This is an image of apple featured 220923

Apple patches critical zero-day exploit targeting iPhones and iPads

>