Chris Swagler | May 5th, 2023

After reviewing unusual DNS traffic that differed from normal internet activity, a new enterprise-targeting malware toolkit called “Decoy Dog” was uncovered. Decoy Dog assists threat actors in avoiding normal detection methods through strategic domain aging and DNS query dribbling, with the goal of establishing a good reputation with security providers before transitioning to supporting cybercriminal operations. Security researchers discovered the toolkit in early April 2023 as part of their daily scanning of over 70 billion DNS records for signals of abnormal or suspicious behavior. Decoy Dog’s DNS fingerprint is extremely rare and unique among the internet’s 370 million active domains, making it easier to identify and follow. The investigation into Decoy Dog’s infrastructure swiftly led to the discovery of numerous C2 (command and control) domains connected to the same operations with most of the communications from the servers coming from hosts in Russia. Additional investigation indicated that the DNS tunnels on the domains exhibited features pointing to Pupy RAT, a remote access trojan distributed by the Decoy Dog toolkit. 

Pupy RAT, a modular open-source post-exploitation toolkit, is popular among state-sponsored threat actors due to its stealth (fileless) nature, support for encrypted C2 communications, and ability to blend their activities with other tool users. Payloads in all major operating systems, including Windows, macOS, Linux, and Android, are supported by the Pupy RAT projects. It, like other RATs, enables threat actors to remotely execute commands, elevate privileges, steal credentials, and spread laterally across networks. Less skilled threat actors don’t utilize Pupy RAT since it requires knowledge and skills to deploy the tool with the correct DNS server configuration for C2 communications. The multiple-part (DNS) signature is an indication that the correlated domains were not only using Pupy, but all were part of Decoy Dog, a large, single toolkit that deployed Pupy in a specific manner on enterprise or large company, non-consumer, devices.

Additionally, the analysts observed a specific DNS beaconing behavior on all Decoy Dog domains that are configured to follow a generated specific pattern of periodic, but infrequent DNS requests. Investigations into the hosting and domain registration records revealed that the Decoy Dog operation had been running since early April 2022, allowing it to remain undetected for over a year despite the toolkit’s domains displaying extreme outliers in analytics. Decoy Dog highlights the power of applying large-scale analytics to uncover abnormal behavior in the expanse of the internet. Decoy Dog’s domains were mentioned in the cybersecurity research and added to its “Suspicious Domains” list to assist defenders, security analysts, and targeted companies in protecting against this sophisticated attack. Several seemingly unrelated domains were using the same rare toolkit due to the discovery of Decoy Dog, which resulted in a combination of automatic and human processes. With the situation being complex and focused on the DNS components of the findings, more information will be provided by the industry. The company provided indicators of compromise on its public GitHub repository, which can be manually added to blocklists.

With ransomware groups and threat actors looking to utilize new malware toolkits to breach data networks, it’s important for companies to remain vigilant of the current threat landscape and regularize their DNS security infrastructure. At SpearTip, our certified engineers are continuously working 24/7/365 at our Security Operations Center monitoring companies’ networks for potential malware and ready to respond to incidents at a moment’s notice. Our remediation experts focus on restoring companies’ operations, isolating malware to reclaim their networks and recover business-critical assets. Our pre-breach advisory services allow our engineers to examine companies’ security posture to improve the weak point in their networks. Our team engages with companies’ people, processes, and technology to measure the maturity of the technical environment. For all the vulnerabilities we uncover, our experts provide technical roadmaps ensuring companies have the awareness and support to optimize their overall cybersecurity posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.

Stay Connected With SpearTip

Inside the SOC Newsletter

View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.

ShadowSpear Platform

Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.

ShadowSpear Demo

Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.