- Infoblox discovers that open-source software Pupy is a smokescreen for the real capabilities of Decoy Dog – highlighting the critical need for DNS security
- As result of initial Decoy Dog publication, threat actors took action to maintain access to already compromised devices
- Infoblox continues to monitor the situation, reverse engineers the threat, and builds sophisticated DNS detection algorithms to mitigate additional hidden threats
- Infoblox’s Head of Threat Intelligence, Dr. Renée Burton, presents exclusive insights on why Decoy Dog is No Ordinary Pupy at Black Hat in Las Vegas on August 9
Infoblox Inc., has published a second threat report with critical updates on “Decoy Dog,” the remote access trojan (RAT) toolkit they discovered and disclosed in April 2023. The malware uses DNS to establish command and control (C2) and is suspected as a secret tool used in ongoing nation-state cyber attacks.
The threat actors swiftly responded following Infoblox’s disclosure of the toolkit, adapting their systems to ensure continued operations, indicating that maintaining access to victim devices remains a high priority. The analysis shows that the use of the malware has spread, with at least three actors now operating it. Although based on the open-source RAT Pupy, Decoy Dog is a fundamentally new, previously unknown, malware with many features to persist on a compromised device.
Many aspects of Decoy Dog remain a mystery, but all signs point to nation-state hackers. Infoblox released a new data set containing DNS traffic captured from Infoblox’s servers to support further industry investigation of the C2 systems.
The question many in the industry continue to silently ask is: Are we really securing our network if we’re not monitoring our DNS? There is a significant risk that Decoy Dog and its use will continue to grow and impact organizations globally. Currently, the only known means to detect and defend against Decoy Dog/Pupy today is with DNS Detection and Response systems like Infoblox’s BloxOne® Threat Defense.
“It’s intuitive that DNS should be the first line of defense for organizations to detect and mitigate threats like Decoy Dog. Infoblox is the industry’s best-of-breed DNS Detection and Response solution, providing companies with a turn-key defense that other XDR solutions would miss,” said Scott Harrell, Infoblox President and CEO. “As demonstrated with Decoy Dog, studying and deeply understanding the attacker’s tactics and techniques allows us to block threats before they are even known as malware.”
Through large-scale DNS analysis, Infoblox has learned key features of the malware and the actors who operate it. Directly following the first announcement on social media, every Decoy Dog threat actor responded to Infoblox’s disclosures in different ways. Some of the name servers mentioned in Infoblox’s April 2023 report were taken down, while others migrated their victims to new servers.
Despite their efforts to hide, Infoblox has continued to track the activities and has since learned a great deal more about them. Infoblox has been able to infer the nature of some communications, and estimates that the number of compromised devices is relatively small. Infoblox has also been able to distinguish Decoy Dog from Pupy and determine that Decoy Dog has a full suite of powerful, previously unknown capabilities, including the ability to move victims to another controller, allowing them to maintain communication with compromised machines and remain hidden for long periods of time. Some victims have actively communicated with a Decoy Dog server for over a year.
“The lack of insight into underlying victim systems and vulnerabilities being exploited makes Decoy Dog an ongoing and serious threat,” said Dr. Renée Burton, Head of Threat Intelligence at Infoblox. “The best defense against this malware is DNS. Malicious activity often goes unnoticed because DNS is undervalued as a critical component in the security ecosystem. Only enterprises with a strong protective DNS strategy can protect themselves from these types of hidden threats.”
Infoblox actively monitors 20 Decoy Dog domains, including some recently registered and deployed within the last month. This toolkit exploits a weakness in the security industry’s malware-centric intelligence. Importantly, DNS threat detection algorithms were the sole method for uncovering this malware. To best defend against such attacks, organizations need DNS-level protection within their networks. Infoblox’s BloxOne® Threat Defense keeps its customers safe from Decoy Dog and these known malicious actors
“We urge the industry to take this research forward, further investigate and share their findings,” added Harrell.
Hands-On, Real-Life Experience of Pupy at BlackHat: Dr. Renée Burton will be discussing why “Decoy Dog is No Ordinary Pupy” in detail, along with other key findings at Black Hat cybersecurity conference in Las Vegas on Wednesday, August 9 from 1:15 pm-1:35 pm PT. Throughout the conference, attendees will be able to meet with Infoblox researchers and demonstrate their skills with a series of hands-on challenges using a live Pupy controller via Infoblox’s Double Dog Dare experience. The booth theater will offer additional short introductions to Decoy Dog and Pupy throughout the conference. This unique experience lets participants witness firsthand how DNS traffic relays communication between client and server, providing a deeper understanding of this serious malware threat.
The Hidden Potential of DNS in Security: Decoy Dog and Pupy take advantage of the lack of DNS oversight that often occurs in networks. In fact, over 90% of all malware uses DNS in some way. Infoblox knows it’s imperative that security professionals understand the ways in which malware exploits DNS and how DNS Detection and Response can often thwart these attacks. Experts in the field recently released a new book titled “The Hidden Potential of DNS in Security.”
This book gives readers everything they need to know about lookalike domains, domain generated algorithms (DGAs), DNS tunneling, data exfiltration over DNS, why hackers use DNS, and how to defend against these attacks. A copy of the book is available at Amazon. Visit Infoblox at Black Hat in Las Vegas at Booth #1286 on August 9-10 to meet the team of experts to learn more about Decoy Dog/Pupy.
