Infoblox researchers have discovered a new malware toolkit, called Decoy Dog, that is targeting enterprise networks. The malware uses a range of techniques to avoid detection, including registering a domain but not using it for some time, and DNS query dribbling.
However, Decoy Dog also employs a number of highly unusual characteristics, which make it easier to identify on a DNS level.
These include a reliance on the open-source malware tool Pupy, and a unique DNS signature that matches less than 0.0000027% of the 370 million active domains on the internet.
The Decoy Dog toolkit is used by threat actors to target enterprise networks, and was appreciated and used by nation-state actors such as the China-linked APT group Earth Berberoka. Decoy Dog domains exhibit a pattern of periodic, but infrequent, DNS requests that makes them difficult to detect without a preventative DNS solution.
Infoblox recommends that organizations add the indicators of compromise included in its report to their blocklists manually or via the GitHub repository infobloxopen:threat-intelligence.
According to the report, global security industry collaboration is necessary to understand the full end-to-end story of Decoy Dog and the C2 activity. Organizations with protective DNS are able to block these domains immediately, mitigating their risk while they continue to investigate further.
Infoblox researchers say that their discovery highlights the importance of monitoring DNS traffic to identify threats and protect against cyber attacks.
