Enterprise Networks Under Attack by New Malware Toolkit ‘Decoy Dog’.


Cybersecurity researchers have discovered a new malware toolkit named Decoy Dog after analyzing over 70 billion DNS records. Decoy Dog is a sophisticated toolkit that evades detection with techniques such as domain aging (registering a domain and leaving it idle for some time before using it) and DNS query dribbling (issuing DNS queries only sparsely). While the malware’s usage in the wild is “very rare,” its atypical DNS characteristics made it possible to map additional domains that belong to the same attack infrastructure. The operation was set up at least a year before its discovery, with three distinct infrastructure configurations detected so far.

The malware’s primary component is the remote access trojan (RAT) Pupy, an open-source post-exploitation toolkit popular among state-sponsored threat actors. It executes commands remotely, elevates privileges, steals credentials, and moves laterally through a network. Pupy is a potent and hazardous RAT that poses a significant threat because of its fileless nature and its encrypted, slow Command-and-Control (C2) communications. Pupy can evade detection by EDR solutions, which makes it difficult to root out of a network. Notably, Pupy is one of the few RATs that can operate across multiple platforms, including Linux and mobile devices, because it runs on an outdated version of Python.

According to the report, the Decoy Dog toolkit featuring Pupy was detected in less than 3% of all networks, and only 18 domains have been linked to the toolkit. Additionally, most of the toolkit’s C2 infrastructure was found to be hosted in Russia. Cybersecurity researchers recommend that organizations block these domains: claudfront[.]net, allowlisted[.]net, atlas-upd[.]com, ads-tm-glb[.]click, cbox4[.]ignorelist[.]com, and hsdps[.]cc. Other recommended security mitigations are keeping systems and software up to date, implementing multi-factor authentication, conducting regular security awareness training, and maintaining a comprehensive incident response plan. Further information regarding this discovery is expected to be released in the future.
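As an added defender-side example (not code from the report or the researchers), the script below checks DNS resolver logs against the domains listed above and also flags the slow, regular query cadence the article calls DNS query dribbling. The log format, the client addresses and the thresholds are assumptions, and the log lines are constructed for the demonstration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Domains the report recommends blocking, in the defanged form the article prints.
DEFANGED_IOCS = ["claudfront[.]net", "allowlisted[.]net", "atlas-upd[.]com",
                 "ads-tm-glb[.]click", "cbox4[.]ignorelist[.]com", "hsdps[.]cc"]

def refang(domain: str) -> str:
    """Turn the published 'name[.]tld' form back into a plain domain name."""
    return domain.replace("[.]", ".").lower().rstrip(".")

IOCS = {refang(d) for d in DEFANGED_IOCS}

def matches_ioc(qname: str) -> bool:
    """True if qname is a listed domain or any subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOCS)

# Constructed resolver log, not real traffic. Assumed format: "<epoch> <client> <qname>".
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.org
1700000000 10.0.0.7 api.claudfront.net
1700003600 10.0.0.7 api.claudfront.net
1700007200 10.0.0.7 api.claudfront.net
1700010800 10.0.0.7 api.claudfront.net
1700000300 10.0.0.5 cdn.example.org
"""

def scan(log_text, min_queries=4, min_gap=600, max_jitter=0.1):
    """Return (ioc_hits, dribblers), both sets of (client, qname) pairs.
    ioc_hits: queries touching a listed domain. dribblers: names queried at a
    low but regular cadence (>= min_queries queries, mean gap >= min_gap
    seconds, gap standard deviation within max_jitter of the mean gap)."""
    times = defaultdict(list)
    hits = set()
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        times[(client, qname)].append(int(ts))
        if matches_ioc(qname):
            hits.add((client, qname))
    dribblers = set()
    for key, ts in times.items():
        if len(ts) < min_queries:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg >= min_gap and pstdev(gaps) <= max_jitter * avg:
            dribblers.add(key)
    return hits, dribblers
```

The cadence check is deliberately loose (the thresholds are placeholders); in practice it is a triage signal to combine with the domain list, since the article notes the malware's C2 traffic is slow and encrypted rather than chatty.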