A novel malware toolkit, “Decoy Dog” has been helping threat actors evade standard detection methods through strategic domain ageing and DNS query dribbling. The entire process hinges on gaining a good reputation with security vendors before initiating malicious activity.
The toolkit was discovered by Infoblox researchers in April 2023 during their analysis of the more than 70 billion DNS records they inspect daily for anomalies or suspicious activity. The researchers also report that the malware’s DNS fingerprint is rare and unique among the internet’s 370 million active domains, which makes it easier to find and track.
Investigation into the malware’s infrastructure further revealed several Command and Control (C2) domains that were all linked to the same operation. Most of the traffic on these servers originated from Russian hosts. Additionally, the DNS tunnelling behaviour of these domains resembled that attributed to Pupy RAT, a remote access trojan that the toolkit deploys.
The hosting and domain registration details revealed that the operation has been active since at least April 2022. As for its RAT, Pupy RAT is a modular, open-source, post-exploitation toolkit popular among state-sponsored threat actors: it supports C2 communications and, because many actors use it, lets them blend in with the tool’s other users, making attribution to a specific operator difficult. That said, deploying the tool properly does require some degree of DNS server configuration knowledge and expertise.
Infoblox researchers were able to link the domains by matching their multiple-part DNS signatures which not only gave them “strong confidence” that the correlated domains were using Pupy RAT but also that they were all part of Decoy Dog — a large toolkit that deployed Pupy RAT in a very specific manner on enterprise or large organisational, non-consumer devices.
That the toolkit remained under the radar for over a year is surprising given how clearly its DNS traffic stands out as an analytic outlier. That said, the researchers also found a distinct DNS beaconing behaviour on all Decoy Dog domains, which are configured to generate DNS requests in a specific periodic (yet infrequent) pattern. This infrequent design may well be what kept the toolkit off the radar.
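The "periodic yet infrequent" beaconing described above is something a defender can hunt for in their own resolver logs. The script below is an added illustration (editor's code, not Infoblox's analysis or anything from the Decoy Dog toolkit): it groups DNS queries per client and registrable domain, measures the gaps between consecutive queries, and flags groups whose gaps are both long and nearly constant. The log format, host addresses and domain names are constructed placeholders, not indicators from the report.

```python
# Added example (editor's illustration, not Infoblox's or Decoy Dog's code):
# flag clients whose queries to one registered domain recur at a near-constant,
# long interval, the "periodic yet infrequent" beaconing described above.
# Log format, domain names and hosts below are constructed placeholders.
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO-8601 UTC> <client-ip> <queried-name>".
# 10.0.0.9 queries a fresh random label under one domain every ~6 hours
# (a tunnelling-style beacon); 10.0.0.5 shows ordinary irregular lookups.
SAMPLE_DNS_LOG = """\
2023-04-01T00:00:00Z 10.0.0.5 www.example-cdn.test
2023-04-01T00:00:07Z 10.0.0.5 static.example-cdn.test
2023-04-01T02:00:13Z 10.0.0.5 www.example-cdn.test
2023-04-01T05:00:40Z 10.0.0.5 api.example-cdn.test
2023-04-01T05:00:41Z 10.0.0.5 www.example-cdn.test
2023-04-01T00:00:00Z 10.0.0.9 k3f9q2.beacon-placeholder.test
2023-04-01T06:00:02Z 10.0.0.9 zz81ma.beacon-placeholder.test
2023-04-01T11:59:57Z 10.0.0.9 p0ovd7.beacon-placeholder.test
2023-04-01T18:00:01Z 10.0.0.9 e4mq1x.beacon-placeholder.test
2023-04-02T00:00:00Z 10.0.0.9 b7rt5c.beacon-placeholder.test
"""


def parse_dns_log(text):
    """Parse the constructed log lines into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        # datetime.fromisoformat() before Python 3.11 rejects a trailing "Z"
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append((when, client, qname.lower().rstrip(".")))
    return records


def registered_domain(qname, labels=2):
    """Crude registrable-domain cut (last two labels). A production version
    would consult the public suffix list instead of a fixed label count."""
    parts = qname.split(".")
    return ".".join(parts[-labels:])


def find_periodic_beacons(records, min_queries=4, max_cv=0.05, min_interval_s=3600):
    """Group queries per (client, registered domain) and flag groups whose
    inter-query gaps are long (mean >= min_interval_s) and nearly constant
    (coefficient of variation, stdev / mean, <= max_cv)."""
    groups = defaultdict(list)
    for when, client, qname in records:
        groups[(client, registered_domain(qname))].append((when, qname))

    hits = []
    for (client, domain), entries in groups.items():
        if len(entries) < min_queries:
            continue
        entries.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(entries, entries[1:])]
        mean = statistics.mean(gaps)
        if mean < min_interval_s or mean == 0:
            continue  # too chatty to be the slow beacon we are hunting
        cv = statistics.stdev(gaps) / mean
        if cv > max_cv:
            continue  # irregular timing: ordinary browsing, not a timer
        hits.append({
            "client": client,
            "domain": domain,
            "queries": len(entries),
            "median_interval_s": statistics.median(gaps),
            "cv": round(cv, 4),
            # many distinct labels under one domain is the DNS-tunnel tell
            "distinct_subdomains": len({q for _, q in entries}),
        })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_periodic_beacons(parse_dns_log(SAMPLE_DNS_LOG)):
        print(hit)
```

On the constructed sample only the 10.0.0.9 group survives: five queries roughly six hours apart, each to a different label under the same domain. The thresholds (`min_queries`, `max_cv`, `min_interval_s`) are assumptions chosen for the sample; a real hunt would tune them against the resolver's normal traffic and, because low-frequency beacons need long observation windows, run over days of logs rather than hours.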
Regardless, the company has shared the indicators of compromise in a public GitHub repository for manual addition to blocklists and has listed Decoy Dog domains in its report to help defenders and security analysts protect against the threat.