Decoy Dog sniffs out enterprise networks to target
A malware toolkit dubbed 'Decoy Dog' has command-and-control (C2) infrastructure resolving to a Russian IP address, is selectively targeting organizations worldwide, and has so far gone undetected.
The Infoblox Threat Intelligence Group is the first to discover Decoy Dog and the company is collaborating with other companies in the security industry, as well as customers, to identify and disrupt this activity.
Decoy Dog operates at the DNS level: its beaconing is a small trickle of DNS queries buried in the very large volume of normal DNS traffic, which makes it extremely hard to detect. The activity is consistent with a nation-state advanced persistent threat (APT) actor.
Decoy Dog C2 communications are carried over DNS and are based on an open source remote access trojan (RAT) called Pupy. Although Pupy is an open source project, it has consistently been associated with nation-state actors. Active C2 communications have been identified in the US, Europe, South America, and Asia, in the technology, healthcare, energy, financial and other sectors.
Organizations running protective DNS should block the following domains immediately to reduce their risk while the investigation continues.
- claudfront[.]net
- allowlisted[.]net
- atlas-upd[.]com
- ads-tm-glb[.]click
- cbox4[.]ignorelist[.]com
- hsdps[.]cc
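The two practical takeaways above are (a) that the C2 is a handful of DNS queries hidden in ordinary DNS traffic and (b) that protective DNS should block the listed domains. The following is an added example, not Infoblox's code or part of the original notice: it un-defangs the indicator list, scans DNS query logs for lookups of those domains or any name beneath them, and emits a BIND Response Policy Zone (RPZ) that returns NXDOMAIN for each domain and its subdomains. The log lines are constructed for the example in a simplified BIND query-log layout, and the choice to block subdomains as well as the apex is an assumption based on how DNS-based RATs such as Pupy encode data in subdomain labels, not something the notice states.

```python
"""Added example (not Infoblox's code): match DNS query logs against the
Decoy Dog indicator list and generate a BIND RPZ zone that blocks them."""
import re

# Indicator domains exactly as published in the notice, defanged.
DECOY_DOG_INDICATORS = [
    "claudfront[.]net",
    "allowlisted[.]net",
    "atlas-upd[.]com",
    "ads-tm-glb[.]click",
    "cbox4[.]ignorelist[.]com",
    "hsdps[.]cc",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'claudfront[.]net' into a real FQDN."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


DECOY_DOG_DOMAINS = [refang(i) for i in DECOY_DOG_INDICATORS]


def matches_indicator(qname: str, indicators=DECOY_DOG_DOMAINS):
    """Return the indicator that qname equals or sits beneath, else None.

    The '.' + indicator suffix test is deliberate: a lookalike such as
    'notallowlisted.net' must NOT match 'allowlisted.net'.
    """
    q = qname.strip().lower().rstrip(".")
    for ind in indicators:
        if q == ind or q.endswith("." + ind):
            return ind
    return None


# Constructed sample log lines (assumed simplified BIND query-log format).
# Two lines hit the indicator list; the last line is a lookalike that must not.
SAMPLE_LOG = """\
20-Apr-2023 10:01:02.123 client 10.0.5.17#51234: query: www.example.com IN A + (10.0.0.53)
20-Apr-2023 10:01:07.456 client 10.0.5.17#51235: query: ab3k9q2zx.cbox4.ignorelist.com IN A + (10.0.0.53)
20-Apr-2023 10:02:11.789 client 10.0.5.40#40021: query: claudfront.net IN TXT + (10.0.0.53)
20-Apr-2023 10:02:15.001 client 10.0.5.40#40022: query: mail.corp.example.com IN MX + (10.0.0.53)
20-Apr-2023 10:03:00.555 client 10.0.5.17#51236: query: notallowlisted.net IN A + (10.0.0.53)
"""

# Pulls client IP, query name and query type out of one log line.
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def scan_log(text: str, indicators=DECOY_DOG_DOMAINS):
    """Return (client_ip, qname, qtype, matched_indicator) for every hit."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ind = matches_indicator(m.group("qname"), indicators)
        if ind:
            hits.append((m.group("client"), m.group("qname"), m.group("qtype"), ind))
    return hits


def rpz_zone(indicators=DECOY_DOG_DOMAINS, origin="rpz.example.local"):
    """Build a BIND RPZ zone body. 'CNAME .' is the RPZ action for NXDOMAIN;
    the wildcard entry extends the block to every subdomain of the apex."""
    lines = [
        "$TTL 300",
        f"@ IN SOA {origin}. hostmaster.{origin}. 1 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    for d in indicators:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for client, qname, qtype, ind in scan_log(SAMPLE_LOG):
        print(f"HIT client={client} qname={qname} type={qtype} indicator={ind}")
    print(rpz_zone())
```

Feed the output of `rpz_zone()` to a zone file referenced from a `response-policy` clause in named.conf (or load the same names into whatever protective DNS product you run); the log scan is the retrospective check, run against whatever query logging you already keep, to find hosts that resolved these names before the block was in place. Because the C2 traffic is sparse, a single hit per host is meaningful and should be investigated rather than thresholded away.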
Later this week Infoblox will publish more specific details about the Decoy Dog toolkit and the importance of a protective DNS strategy.