Decoy Dog is anything but an ordinary Trojan. After his discovery in April 2023, he changed his malware tactics again. The hackers took measures to maintain access to already compromised devices. The attacker can be safely defeated using DNS detection algorithms.
The second threat report from Infoblox on the “Decoy Dog” Trojan contains extensive updates. “Decoy Dog” is a Remote Access Trojan (RAT) that was discovered in April 2023. This malware uses the Domain Name System (DNS) to establish command-and-control (C2) communications and is suspected of being a secret tool for ongoing cyberattacks initiated by state actors.
State hackers suspected behind Decoy Dog
Threat actors responded quickly after Infoblox revealed the toolkit in April, adapting their systems to ensure continued operations. This suggests that maintaining access to victims' devices remains a high priority for attackers. According to the current analysis, the malware has also continued to spread and is now used by at least three actors.
Although Decoy Dog is based on the open source RAT Pupy, it is a fundamentally new, previously unknown malware with a variety of functions that persist on a compromised device. Many aspects of Decoy Dog remain unknown, but all signs point to it being state-run hackers. Infoblox has released a new dataset of DNS traffic collected from Infoblox servers to help the industry further investigate the C2 systems.
The hidden potential of DNS for security
There is a great risk that Decoy Dog will spread further. The malware takes advantage of the often missing DNS monitoring in networks. In fact, over 90% (according to the National Security Agency) of all malware programs use some form of DNS. The book "The Hidden Potential of DNS in Security" covers everything security professionals should know about DNS - from lookalike domains, domain generated algorithms (DGAs), DNS tunneling, data exfiltration via DNS, the reasons why hackers use DNS to to defend against these attacks. A copy of the book is available on Amazon.
More at Infoblox.com
About Infoblox
Infoblox combines network management and security, ensuring exceptional performance and optimal protection. Both Fortune 100 companies and emerging young companies value Infoblox for real-time visibility and control over who and what is connecting to their network. This allows companies to work faster and stop threats sooner.