Infoblox discovers rare Decoy Dog C2 exploit
Domain security firm Infoblox discovered a command-and-control exploit that, while extremely rare and complex, could be a warning growl from a new, as-yet anonymous state actor.
If you search for recent reports on Domain Name System attacks, you may have a hard time finding one more recent than IDC’s 2021 report, which noted that 87% of organizations experienced a DNS attack during 2020.
The fact that DNS isn’t front-of-mind nomenclature for many attacks that actually put DNS in the attack chain may have to do with the security alphabet soup of DNS over TLS (DoT) and DNS over HTTPS (DoH). As a Cloudflare explainer notes, DoT and DoH encrypt otherwise plaintext DNS queries, keeping browsing secure and private.
Still, Akamai’s Q3 DNS threat report noted a 40% increase in DNS attacks in that quarter last year, and 14% of all protected devices communicated with a malicious destination at least once in the third quarter last year.
Infoblox Threat Intelligence Group, which says it analyzes billions of DNS records and millions of domain-related records each day, has reported a new malware toolkit called Decoy Dog that uses a remote access trojan called Pupy.
Renée Burton, senior director of threat intelligence at Infoblox, said Pupy is an open-source product that is very difficult to use and not well documented. Infoblox found the Decoy Dog toolkit, which uses Pupy, in fewer than 3% of all networks, and the threat actor who controls Decoy Dog is connected to just 18 domains.
“We discovered it through our series of anomaly detectors and learned that Decoy Dog activities have been operating a data exfiltration command and control, or C2, system for over a year, starting early April 2022,” Burton said. “Nobody else knew.”
Russian hound
When Infoblox analyzed the queries in external global DNS data, the firm’s researchers found that the Decoy Dog C2 originated almost exclusively from hosts in Russia.
“One of the main dangers is nobody knows what it is,” Burton said. “That means something is compromised and someone controls it, and nobody knows what that is. That’s very unusual. We know what the signature is, but we do not know what it is controlling and nobody here does.”
Command and control, Burton explained, allows an antagonist to hijack systems. “I could command you to give me all of your email. If you are a firewall, I could command you to turn off, if you are a load balancer I could command you to create a DDoS,” she said.
Burton said Pupy has been connected to nation-state activities in the past, and that’s not because of the high bar to entry. “It’s a complex, multi-module trojan that provides no instruction to the user on how to establish the DNS nameserver in order to carry out C2 communications. As a result, it is not easily accessible to the common cybercriminal,” she said.
A Pupy that’s a RAT
Like legitimate remote access tools, such as services that let technicians demonstrate new systems on a remote computer or push fixes directly, RATs are easy to install and don’t reveal themselves through changes in computation speed. They can be delivered by email, video games and other software, or even advertisements and web pages. Pupy is a RAT with specific C2 capabilities.
According to Burton:
- A RAT provides access to a system.
- Some RATs use C2 infrastructure, allowing remote control of the compromised machine.
- Pupy is a complex, cross-platform, open-source C2 tool mainly written in Python that is very hard to detect.
- Decoy Dog is an extraordinarily rare deployment of Pupy with a DNS signature revealing how it was configured and how it operates. According to Infoblox, only 18 domains of 370 million match that signature.
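The article says Infoblox found Decoy Dog through anomaly detectors run over DNS data and that the toolkit leaves a recognizable DNS signature. The page does not publish that signature, so the following is an added, generic illustration (not Infoblox’s detector and not a Decoy Dog indicator) of the kind of per-domain profiling a defender can run over resolver logs to surface DNS-based C2 beaconing: many distinct, high-entropy subdomains under one registered domain, queried mostly once each. The log lines, hostnames, domains and thresholds are all constructed for the example.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed resolver log: "<epoch> <client_ip> <qname> <qtype>".
# Every name here is invented; "c2-placeholder.test" stands in for a
# hypothetical beaconing domain and is NOT a real indicator.
SAMPLE_LOG = """\
1680300000 10.0.0.5 www.example.com A
1680300001 10.0.0.5 www.example.com A
1680300002 10.0.0.5 mail.example.com MX
1680300003 10.0.0.7 img1.static-placeholder.test A
1680300004 10.0.0.7 img2.static-placeholder.test A
1680300005 10.0.0.8 img1.static-placeholder.test A
1680300006 10.0.0.8 img3.static-placeholder.test A
1680300007 10.0.0.9 a7f3c1e9.2b8d.c2-placeholder.test TXT
1680300008 10.0.0.9 0e1d9c44.7af2.c2-placeholder.test TXT
1680300009 10.0.0.9 5b6a8f17.c3e0.c2-placeholder.test TXT
1680300010 10.0.0.9 9d2e4b71.f8a3.c2-placeholder.test TXT
1680300011 10.0.0.9 c1f7a0e3.4b9d.c2-placeholder.test TXT
1680300012 10.0.0.9 38e5d2a6.b1c9.c2-placeholder.test TXT
"""


@dataclass
class DomainStats:
    """Aggregate features for one registered domain."""
    queries: int = 0
    qnames: set = field(default_factory=set)     # distinct full query names
    clients: set = field(default_factory=set)    # distinct source hosts
    entropies: list = field(default_factory=list)  # per-query subdomain entropy


def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded/encrypted payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' split. Production code should use the
    Public Suffix List so names like example.co.uk group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (timestamp, client, qname, qtype) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        yield int(ts), client, qname.lower(), qtype.upper()


def profile_domains(records) -> dict:
    """Group queries by registered domain and collect the features."""
    stats = defaultdict(DomainStats)
    for _ts, client, qname, _qtype in records:
        rd = registered_domain(qname)
        sub = qname[: -len(rd) - 1] if qname.endswith("." + rd) else ""
        st = stats[rd]
        st.queries += 1
        st.qnames.add(qname)
        st.clients.add(client)
        st.entropies.append(shannon_entropy(sub.replace(".", "")))
    return dict(stats)


def flag_c2_candidates(stats: dict, min_distinct: int = 5,
                       min_unique_ratio: float = 0.8,
                       min_entropy: float = 3.0) -> list:
    """Return registered domains whose query pattern looks like tunnelled C2:
    many distinct subdomains, almost all queried once, with random-looking labels.
    Thresholds are illustrative; tune them against your own baseline."""
    flagged = []
    for rd, st in stats.items():
        distinct = len(st.qnames)
        unique_ratio = distinct / st.queries
        mean_entropy = sum(st.entropies) / len(st.entropies)
        if (distinct >= min_distinct and unique_ratio >= min_unique_ratio
                and mean_entropy >= min_entropy):
            flagged.append(rd)
    return sorted(flagged)


if __name__ == "__main__":
    stats = profile_domains(parse_log(SAMPLE_LOG))
    for rd, st in stats.items():
        print(f"{rd}: queries={st.queries} distinct={len(st.qnames)} "
              f"clients={len(st.clients)} mean_entropy="
              f"{sum(st.entropies) / len(st.entropies):.2f}")
    print("candidates:", flag_c2_candidates(stats))
```

Run against real resolver or passive-DNS logs, the same three features (distinct-subdomain count, unique-query ratio, label entropy) are a useful first-pass filter, but a CDN or telemetry domain can legitimately score high on one of them, so the candidate list is a queue for analyst triage, not a block list.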
Common uses of RAT malware include an attacker gaining remote access to a laptop and renting that access out to other threat actors, who deposit more malware through the networks the computer can reach. “This is one way to make your laptop part of a botnet,” said Burton. “Those are pretty common situations.”
Small, anomalous toolkits have hidden risks
Although Decoy Dog is minuscule in deployment, there are inherent risks in concealed RATs, or malware of mysterious provenance that remains invisible. Burton points to the 2018 Pegasus malware, C2 spyware from Israel designed to enter and control Android, iOS, Symbian and BlackBerry mobile devices, giving a remote attacker access to a phone’s cameras, location, microphone and other sensors for surveillance.
Amnesty International got involved when the Saudi government allegedly used Pegasus to spy on the family of Jamal Khashoggi, who had been murdered by government operatives.
“Pegasus went undetected for two years,” said Burton. “We looked at that story and found that we had blocked 89% of those Pegasus domains way before the reporting from Amnesty, so our customers were protected and we were able to validate what Amnesty had said.”