Researchers at Infoblox have uncovered new details about Decoy Dog, a highly sophisticated and largely undetected toolkit likely used for cyber intelligence operations, relying on the domain name system (DNS) for command and control activity.
While the malware’s origin remains unclear, Infoblox believes that four actors are involved in wielding and developing the toolkit for highly targeted operations. The observed activity is mainly limited to Russia and Eastern Europe, possibly linked to Russia’s invasion of Ukraine.
Decoy Dog, discovered in early April, has been operating largely undetected for at least a year, and it is suspected to have been used in cyber intelligence operations.
While Infoblox has only analyzed its DNS and network traffic, the toolkit is believed to be capable of downloading malware payloads and executing commands sent by attackers. Infoblox identified six command and control servers used by the malware, but the operators did not halt activity even after the discovery was disclosed. The researchers revealed that Decoy Dog is an advanced upgrade from Pupy, introducing several improvements and expansions, including the use of Python 3.8 and enhanced communications vocabulary.
Infoblox has distinguished four operators behind Decoy Dog based on their responses and tactics, techniques, and procedures (TTPs). The malware’s use of DNS for communication makes it hard to determine the exact number of victims: the largest number of concurrent connections observed on a single controller was under 50, and the smallest was four.
Infoblox speculates that the number of compromised devices is likely less than a few hundred, suggesting a highly targeted intelligence operation. The toolkit’s full scope and purpose remain a mystery, requiring further research to uncover targets, initial compromise methods, and actor movement within the network. Infoblox has developed a YARA rule to detect Decoy Dog samples and distinguish them from the public version of Pupy.
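The article notes that Decoy Dog hides its command and control inside DNS traffic, which is exactly why it stayed unnoticed and why victim counts are hard to establish. The following is an added example, not Infoblox's YARA rule or any real Decoy Dog traffic: a small defender-side heuristic that scans DNS query logs for domains receiving many distinct, high-entropy subdomain lookups, a common signature of DNS-based C2 or tunnelling. The log format (timestamp, client, query name, query type), the placeholder domain `c2-placeholder.test`, and the thresholds are all constructed assumptions; the "registered domain" is approximated as the last two labels, which a production detector would replace with a public-suffix lookup.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the article or from Infoblox).
# Format: "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2023-04-01T10:00:00Z 10.0.0.5 www.example.com A
2023-04-01T10:00:01Z 10.0.0.5 mail.example.com A
2023-04-01T10:00:02Z 10.0.0.5 api.example.com A
2023-04-01T10:00:03Z 10.0.0.5 cdn.example.com A
2023-04-01T10:00:04Z 10.0.0.5 example.com A
2023-04-01T10:00:05Z 10.0.0.7 k3j9x2q8w1z5.c2-placeholder.test TXT
2023-04-01T10:00:06Z 10.0.0.7 a7b4c1d8e2f6.c2-placeholder.test TXT
2023-04-01T10:00:07Z 10.0.0.7 m0n5p3r9t7v2.c2-placeholder.test TXT
2023-04-01T10:00:08Z 10.0.0.7 g6h1j4l8n3q0.c2-placeholder.test TXT
2023-04-01T10:00:09Z 10.0.0.7 s2u9w4y7b1d3.c2-placeholder.test TXT
2023-04-01T10:00:10Z 10.0.0.7 f5h8k2m6p0r4.c2-placeholder.test TXT
"""


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label; encoded data scores high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the scan
        ts, client, qname, qtype = parts
        records.append((ts, client, qname.lower().rstrip("."), qtype.upper()))
    return records


def summarize_domains(records):
    """Group queries by base domain (assumed: last two labels) and collect stats."""
    stats = defaultdict(lambda: {"subdomains": set(), "entropies": [], "txt": 0, "total": 0})
    for _, _, qname, qtype in records:
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # apex lookups carry no subdomain to analyse
        base = ".".join(labels[-2:])
        s = stats[base]
        s["subdomains"].add(qname)
        s["entropies"].append(shannon_entropy(labels[0]))
        s["total"] += 1
        if qtype == "TXT":
            s["txt"] += 1
    return stats


def flag_suspicious(text, min_subdomains=5, min_entropy=3.0):
    """Return base domains whose subdomain churn and label entropy both exceed thresholds."""
    flagged = []
    for base, s in summarize_domains(parse_log(text)).items():
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        if len(s["subdomains"]) >= min_subdomains and mean_entropy >= min_entropy:
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    for base in flag_suspicious(SAMPLE_LOG):
        print(f"suspicious DNS pattern: {base}")
```

Thresholds like these are a starting point, not a verdict: content delivery networks and some security products also generate many unique subdomains, so a real deployment tunes `min_subdomains` and `min_entropy` against baseline traffic and pairs the heuristic with allow-lists and the published YARA rule.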