Shift in Malware Tactics After Initial Discovery


Infoblox has published a second threat report with critical updates on “Decoy Dog,” the remote access trojan (RAT) toolkit they discovered and disclosed in April 2023.

The malware uses DNS to establish command and control (C2) and is suspected as a secret tool used in ongoing nation-state cyber attacks.

The threat actors swiftly responded following Infoblox’s disclosure of the toolkit, adapting their systems to ensure continued operations, indicating that maintaining access to victim devices remains a high priority.

The analysis shows that the use of the malware has spread, with at least three actors now operating it.

Although based on the open-source RAT Pupy, Decoy Dog is a fundamentally new, previously unknown, malware with many features to persist on a compromised device.

Many aspects of Decoy Dog remain a mystery, but all signs point to nation-state hackers. Infoblox released a new data set containing DNS traffic captured from Infoblox’s servers to support further industry investigation of the C2 systems.

The question many in the industry continue to silently ask is: Are we really securing our network if we’re not monitoring our DNS?

There is a significant risk that Decoy Dog and its use will continue to grow and impact organizations globally.

Currently, the only known means to detect and defend against Decoy Dog/Pupy today is with DNS Detection and Response systems like Infoblox’s BloxOne® Threat Defense.

“It’s intuitive that DNS should be the first line of defense for organizations to detect and mitigate threats like Decoy Dog.

Infoblox is the industry’s best-of-breed DNS Detection and Response solution, providing companies with a turn-key defense that other XDR solutions would miss,” said Scott Harrell, Infoblox President and CEO. “As demonstrated with Decoy Dog, studying and deeply understanding the attacker’s tactics and techniques allows us to block threats before they are even known as malware.”

Through large-scale DNS analysis, Infoblox has learned key features of the malware and the actors who operate it.

Directly following the first announcement on social media, every Decoy Dog threat actor responded to Infoblox’s disclosures in different ways.

Some of the name servers mentioned in Infoblox’s April 2023 report were taken down, while others migrated their victims to new servers.

Despite their efforts to hide, Infoblox has continued to track the activities and has since learned a great deal more about them.

Infoblox has been able to infer the nature of some communications, and estimates that the number of compromised devices is relatively small.

Infoblox has also been able to distinguish Decoy Dog from Pupy and determine that Decoy Dog has a full suite of powerful, previously unknown capabilities, including the ability to move victims to another controller, allowing them to maintain communication with compromised machines and remain hidden for long periods of time.

Some victims have actively communicated with a Decoy Dog server for over a year.

“The lack of insight into underlying victim systems and vulnerabilities being exploited makes Decoy Dog an ongoing and serious threat,” said Dr. Renée Burton, Head of Threat Intelligence at Infoblox. “The best defense against this malware is DNS. Malicious activity often goes unnoticed because DNS is undervalued as a critical component in the security ecosystem. Only enterprises with a strong protective DNS strategy can protect themselves from these types of hidden threats.”

In total, Infoblox is currently monitoring 20 Decoy Dog domains, some of which were registered and deployed within the last month.

This toolkit exploits an inherent weakness of the malware-centric intelligence ecosystem that dominates the security industry today.

Furthermore, this malware was discovered solely because of DNS threat detection algorithms.

Organizations best defense against these attacks is protection at the DNS level, within every network.

“We urge the industry to take this research forward, further investigate and share their findings,” added Harrell.

You can read the full report here.