Decoy Dog malware toolkit found after analyzing 70 billion daily DNS queries

A new enterprise-targeting malware toolkit called ‘Decoy Dog’ has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity.

Decoy Dog helps threat actors evade standard detection methods through strategic domain aging and DNS query dribbling, aiming to establish a good reputation with security vendors before switching to facilitating cybercrime operations.

Researchers from Infoblox discovered the toolkit in early April 2023 as part of its analysis of over 70 billion DNS records daily to look for signs of abnormal or suspicious activity.

Infoblox reports that Decoy Dog’s DNS fingerprint is extremely rare and unique among the 370 million active domains on the internet, making it easier to identify and track.

Hence, the investigation into Decoy Dog’s infrastructure quickly led to the discovery of several C2 (command and control) domains that were linked to the same operation, with most communications from these servers originating from hosts in Russia.

Further investigation revealed that the DNS tunnels on these domains had characteristics that pointed to Pupy RAT, a remote access trojan deployed by the Decoy Dog toolkit.

Pupy RAT is a modular open-source post-exploitation toolkit popular among state-sponsored threat actors for being stealthy (fileless), supporting encrypted C2 communications, and helping them blend their activities with other users of the tool.

The Pupy RAT project supports payloads in all major operating systems, including Windows, macOS, Linux, and Android. Like other RATs, it allows threat actors to execute commands remotely, elevate privileges, steal credentials, and spread laterally through a network.

Less skilled actors do not use Pupy RAT, as deploying the tool with the correct DNS server configuration for C2 communications requires knowledge and expertise.

“This multiple-part (DNS) signature gave us strong confidence that the (correlated) domains were not only using Pupy, but they were all part of Decoy Dog – a large, single toolkit that deployed Pupy in a very specific manner on enterprise or large organizational, non-consumer, devices,” Infoblox revealed in its report.

Furthermore, the analysts discovered a distinct DNS beaconing behavior on all Decoy Dog domains that are configured to follow a particular pattern of periodic but infrequent DNS request generation.

Repeating pattern of Decoy Dog IPv4 resolution
Repeating pattern of Decoy Dog IPv4 resolution (Infoblox)

Investigations of the hosting and domain registration details revealed that the Decoy Dog operation had been underway since early April 2022, so it has stayed under the radar for over a year despite the toolkit’s domains showing extreme outliers in analytics.

Timeline of Decoy Dog domain registrations
Timeline of Decoy Dog domain registrations (Infoblox)

The discovery of Decoy Dog demonstrates the power of using large-scale data analytics to detect anomalous activity in the vastness of the internet.

"Infoblox has listed Decoy Dog’s domains in its report and added them to its “Suspicious Domains” list to help defenders, security analysts, and targeted organizations protect against this sophisticated threat," explains the InfoBlox researchers.

"The discovery of Decoy Dog, and most importantly, the fact that several seemingly unrelated domains were using the same rare toolkit was a result of this combination of automatic and human processes." 

Because the situation is complex and we have been focused on the DNS aspects of the discovery, we expect more details to come from the industry, in addition to ourselves, in the future."

The company has also shared indicators of compromise on its public GitHub repository, which can be used for manual addition into blocklists.

Related Articles:

New Bifrost malware for Linux mimics VMware domain for evasion

Hackers used new Windows Defender zero-day to drop DarkMe malware

FBI seizes Warzone RAT infrastructure, arrests malware vendor

Hackers poison source code from largest Discord bot platform

TheMoon malware infects 6,000 ASUS routers in 72 hours for proxy service