Mysterious Decoy Dog malware toolkit still lurks in DNS shadows

New details have emerged about Decoy Dog, a largely undetected sophisticated toolkit likely used for at least a year in cyber intelligence operations, relying on the domain name system (DNS) for command and control activity.

It is unclear who is behind the malware but researchers at DNS-focused security vendor Infoblox believe that four actors are wielding and developing it for highly-targeted operations.

Observed activity is limited to the Russian and Eastern Europe space and appears to be related to Russia’s invasion of Ukraine.

Decoy Dog activity marches on

While Infoblox only analyzed DecoyDog's DNS and network traffic, as it is based on Pupy, it likely has the ability to download malware payloads on infected devices and execute commands sent by the attackers.

Decoy Dog was discovered in early April after Infoblox specialists found anomalous DNS beaconing activity from half a dozen domains that acted as command and control (C2) servers for the malware:

• cbox4[.]ignorelist[.]com
• claudfront[.]net
• hsdps[.]cc
• ads-tm-glb[.]click
• atlas-upd[.]com
• allowlisted[.]net

At the time, the researchers said that they “found the identical DNS query patterns arising from enterprise networks, which could not be tied to consumer devices” and “confirmed that the queries originated from network appliances in a very limited number of customer networks.”

Whoever operates the toolkit did not cease activity after Infoblox announced their discovery and published a technical analysis showing that Decoy Dog was heavily based on the Pupy open-source post-exploitation remote access trojan (RAT).

New Infoblox research published today reveals that “Decoy Dog is a major upgrade from Pupy that uses commands and configurations that are not in the public repo.”

Some of the differences observed include:

• Decoy Dog uses Python 3.8 while Pupy was written in Python 2.7. Decoy Dog requires Python 3.8
• numerous improvements including Windows compatibility and better memory operations
• Decoy Dog significantly expands the communications vocabulary in Pupy by adding multiple communications modules
• Decoy Dog responds to replays of previous DNS queries where Pupy does not.
• unlike Pupy, Decoy Dog responds to wildcard DNS requests, which doubles the number of resolutions seen in passive DNS.
• Decoy Dog responds to DNS requests that don’t match the structure of valid communication with a client.
• Decoy Dog adds the ability to run arbitrary Java code by injecting it into a JVM thread and adds methods to maintain persistence on a victim device.

Infoblox initially distinguished three Decoy Dog operators, who responded differently following the company’s disclosure in April. A fourth one was discovered after the researchers finished the current Infoblox report.

Activity from cbox4[.]ignorelist[.]com ceased, while hsdps[.]cc and ads-tmglb[.]click transferred clients to new domains.

However, Infoblox did not see an operational change with claudfront[.]net and allowlisted[.]net. The former has increased activity dramatically in February this year by transferring clients to newly registered controllers.

Renée Burton, head of threat intelligence at Infoblox, told BleepingComputer that the operators of the hsdps[.]cc and ads-tm-glb[.]clic domains were able to “hot swap” clients to a different controller, meaning that the switch was done in memory.

The current count of Decoy Dog nameservers, controllers, and domains is now closer to two dozen, Burton told us. A list of several domains the toolkit uses is available below.

Highly targeted malware with short list of victims

Based on passive DNS traffic analysis, it is difficult to determine an accurate number of Data Dog clients, which would indicate impacted devices, but the largest number of active concurrent connections that Infoblox observed on any one controller was less than 50 and the smallest was four.

Burton estimates that the current number of compromised devices would be less than a few hundred, indicating a very small set of targets, typical of an intelligence operation.

Some of the changes one Decoy Dog operator made after Infoblox’s disclosure was to add a geofencing mechanism that limits responses from controller domains to DNS queries from IP addresses in specific regions.

Although this may imply that the victims are in Russia, the actor could also have chosen to route victim traffic through the region as a decoy or to limit the queries to relevant ones.

Burton leans towards the first supposition, explaining that Decoy Dog behaves like Pupy and uses the default recursive resolver to connect to DNS. Because changing this system in modern networks is “fairly challenging,” the researcher says, it is likely that “those controllers have victims in Russia or adjacent countries (which might also route data through Russia).”

TTPs point to multiple actors

Infoblox distinguishes between the four actors operating Decoy Dog based on the observed tactics, techniques, and procedures (TTPs). However, it appears that they all respond to queries that match the right format for Decoy Dog or Pupy.

Burton noted that this is bizarre behavior that could be by design but even with her vast experience as a cryptographer, intel person, and data scientist, she can’t pin it down to a specific reason.

If the theory of multiple actors handling Decoy Dog is true, there may be two development groups that improved the toolkit with new functionality.

According to Burton, one of the four groups has the most advanced Decoy Dog version seen in public repositories, whose clients connect to the controller claudfront[.]net.

One controller from this group, Burton told BleepingComputer, is maxpatrol[.]net but no connections were seen for it. This may suggest a lookalike of the vulnerability and compliance management system from Positive Technologies, a Russian cybersecurity company that has been sanctioned by the U.S. in 2021 for trafficking of hacking tools and exploits used by state-sponsored hacking groups.

Infoblox notes that newer versions of the toolkit come with a domain generation algorithm (DGA) acting as an emergency module to allow compromised machines to use a third-party DNS server if the malware can’t communicate with its C2 server for an extended period.

Extensive persistence mechanisms are available starting Decoy Dog client version 3, pointing to an intelligence operation rather than a financially-driven one or a red team.

Decoy Dog's scope still a mystery

At the moment, Decoy Dog operations remain a mystery as far as their purpose and handlers go. Infoblox has done its part in uncovering the toolkit using DNS data from its systems and bringing it to the attention of the infosec community.

However, additional research is required to determine the targets, the initial compromise method (e.g. supply chain, known vulnerability, zero-day in targeted devices), and how actors move into the network. 

Although Infoblox received the support of the infosec community (from major intel vendors, government agencies, threat research groups, and financial organizations), detections for the malware or its full scope have not been disclosed publicly.

Infoblox recommends defenders consider that IP addresses in both Decoy Dog and Pupy represent encrypted data, not real addresses used for communication.

They should also focus on the DNS queries and responses as they can help with tracking the malware activity. One caveat is that the communication volume is low and a large log history is needed to track the communication.

The company also created a YARA rule that can detect Decoy Dog samples the researchers observed since July and distinguish the toolkit from the public version of Pupy.