Infoblox has unveiled crucial updates on the “Decoy Dog” remote access trojan (RAT) toolkit in a new threat report published today.
Initially discovered and disclosed in April 2023, Decoy Dog has proven to be more sophisticated than previously thought, using DNS for command-and-control (C2) and is suspected to be employed in ongoing nation-state cyber-attacks.
Following Infoblox’s disclosure of the toolkit, threat actors responded swiftly, adapting their systems to maintain access to compromised devices.
The malware has also expanded its reach, with at least three different actors now operating it. Though based on the open-source RAT Pupy, Decoy Dog is a new and previously unknown malware with advanced capabilities to persist on compromised devices.
The malware can now move victims to different controllers, maintaining communication with compromised machines for extended periods. Some victims have remained in contact with a Decoy Dog server for over a year.
“It’s intuitive that DNS should be the first line of defense for organizations to detect and mitigate threats like Decoy Dog,” said Scott Harrell, Infoblox president and CEO.
“As demonstrated with Decoy Dog, studying and deeply understanding the attacker’s tactics and techniques allows us to block threats before they are even known as malware.”
To support further investigation of the malware’s C2 systems, Infoblox has released a new dataset containing DNS traffic captured from their servers.
“The lack of insight into underlying victim systems and vulnerabilities being exploited makes Decoy Dog an ongoing and serious threat,” explained Dr. Renée Burton, head of threat intelligence at Infoblox.
“The best defense against this malware is DNS. Malicious activity often goes unnoticed because DNS is undervalued as a critical component in the security ecosystem. Only enterprises with a strong protective DNS strategy can protect themselves from these types of hidden threats.” Burton added.
The executive will present exclusive insights in a talk, “Decoy Dog is No Ordinary Pupy,” at the Black Hat cybersecurity conference in Las Vegas on August 9.
Infoblox researchers will also provide hands-on challenges using a live Pupy controller at their booth, demonstrating how DNS traffic is exploited to relay communications between clients and servers.