New malware DecoyDog is invading DNS on a large scale

A sophisticated malicious toolkit called DecoyDog has been used for cyber espionage over the domain name system (DNS) for more than a year, according to research by the security vendor Infoblox.

It is not clear who is behind the malware, but Infoblox researchers believe that four actors are operating and developing it for highly targeted operations. Since the observed activity was limited to Russia and Eastern Europe, it appears to be related to the Russo-Ukrainian War.

DecoyDog is still active

Infoblox analyzed only DecoyDog's DNS and network traffic, but because the malware is based on Pupy, it most likely downloads payloads onto infected devices and executes commands sent by the attackers.

In early April, Infoblox experts discovered DecoyDog through six domains showing unusual DNS beaconing activity; these domains acted as command and control (C2) servers for the malware:

  • cbox4[.]ignorelist[.]com
  • claudfront[.]net
  • hsdps[.]cc
  • ads-tm-glb[.]click
  • atlas-upd[.]com
  • allowlisted[.]net

At the time, the researchers said they saw the same pattern of DNS queries in enterprise networks, with no link to consumer devices, and confirmed that the queries originated from a very small number of devices on customer networks.
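The hunt Infoblox describes, reduced to a runnable form, as an added example that is not Infoblox's tooling or code from the original article: it parses a DNS query log, matches query names against the six controller domains listed above (exact match or subdomain), scores the leftmost label for the length and entropy typical of data-carrying tunnel queries, and flags a client whose queries to a controller domain arrive at regular intervals. The log format, the sample log lines, and the thresholds are assumptions made for the demonstration.

```python
"""Flag queries to the DecoyDog controller domains, data-like query labels and
beacon-like query timing in a DNS query log.

Added example, not Infoblox's tooling. The log format (timestamp, client,
query name, query type), the sample lines and the thresholds are constructed
for this demonstration; only the controller domains come from the article."""
import math
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Controller domains named in the article (defanged there, live form here).
DECOYDOG_DOMAINS = (
    "cbox4.ignorelist.com",
    "claudfront.net",
    "hsdps.cc",
    "ads-tm-glb.click",
    "atlas-upd.com",
    "allowlisted.net",
)

# Constructed sample log: "<ISO timestamp> <client IP> <query name> <type>".
SAMPLE_LOG = """\
2023-04-03T10:00:00Z 10.1.2.3 a3f9c1d7e8b2.claudfront.net A
2023-04-03T10:00:02Z 10.1.2.9 www.example.com A
2023-04-03T10:00:30Z 10.1.2.3 b7e2d4a1c9f0.claudfront.net A
2023-04-03T10:01:00Z 10.1.2.3 c1d9e5f3a7b8.claudfront.net A
2023-04-03T10:01:30Z 10.1.2.3 d4a8f2c6e1b9.claudfront.net A
2023-04-03T10:02:00Z 10.1.2.3 e9b3c7d1f5a2.claudfront.net A
2023-04-03T10:05:00Z 10.1.2.9 mail.example.com MX
"""


def parse_log(text):
    """Turn the constructed log format into a list of query records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "client": client,
            "qname": qname.rstrip(".").lower(),
            "qtype": qtype,
        })
    return records


def ioc_match(qname):
    """Return the controller domain that qname equals or sits under, else None."""
    for dom in DECOYDOG_DOMAINS:
        if qname == dom or qname.endswith("." + dom):
            return dom
    return None


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def suspicious_label(qname, min_len=10, min_entropy=3.0):
    """Leftmost label looks like encoded data: long and high-entropy (assumed thresholds)."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_beacons(records, min_queries=4, max_cv=0.25):
    """Group queries by (client, controller domain) and flag evenly spaced series.

    A low coefficient of variation of the inter-query gaps means a fixed
    check-in interval; max_cv is an assumed tolerance for jitter."""
    series = defaultdict(list)
    for r in records:
        dom = ioc_match(r["qname"])
        if dom:
            series[(r["client"], dom)].append(r["ts"])
    alerts = []
    for (client, dom), times in series.items():
        times.sort()
        if len(times) < min_queries:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        sd = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
        cv = sd / mean if mean else float("inf")
        alerts.append({"client": client, "domain": dom, "count": len(times),
                       "mean_interval_s": mean, "cv": cv, "periodic": cv <= max_cv})
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        if ioc_match(r["qname"]) or suspicious_label(r["qname"]):
            print("suspicious query:", r["client"], r["qname"])
    for a in find_beacons(recs):
        print("beacon candidate:", a)
```

To use it on real data, replace `SAMPLE_LOG` with a resolver log or passive-DNS export in the same four-column shape. The periodicity test only means something with several queries per client, and the entropy heuristic also fires on CDN and anti-spam hostnames, so treat both as triage signals rather than verdicts; the IOC match is the only hard indicator.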

DecoyDog did not stop its activity after Infoblox announced the discovery and released a technical analysis report. The report showed that DecoyDog is largely based on Pupy, an open-source post-exploitation remote access trojan (RAT). The latest findings suggest that DecoyDog is a major upgrade of Pupy, using commands and configurations not found in the public repositories. The observed differences include:

  • Uses Python 3.8, while Pupy is written in Python 2.7;
  • Many improvements, including Windows compatibility and better memory handling;
  • Significantly expands Pupy's communication vocabulary by adding several communication modules;
  • Responds to replays of previous DNS queries, which Pupy does not;
  • Can respond to wildcard DNS requests, doubling the number of resolutions seen in passive DNS;
  • Can respond to DNS requests that do not match the client's valid communication structure;
  • Can inject arbitrary Java code into existing JVM threads, extending its ability to run arbitrary Java code, and adds methods for maintaining persistence on the victim device.

Renée Burton, Director of Threat Intelligence at Infoblox, revealed that the number of DecoyDog nameservers, controllers and domains currently exceeds 20.

[Image: DecoyDog controller list]

Targeted Malware

It is difficult to determine the exact number of DecoyDog clients (and therefore of affected devices) from passive DNS traffic analysis, but Infoblox has observed fewer than 50 active concurrent connections on any one controller, with a minimum of 4. Burton estimates the number of compromised devices at just a few hundred, indicating a very small target set, typical of intelligence operations.

After Infoblox disclosed DecoyDog, the operators began adding geofencing mechanisms that restrict the controller domains to answering DNS queries only from IP addresses in specific regions.

Infoblox found that some of these servers responded only to DNS queries from Russian IP addresses, while others responded to any well-formed query from any location. This could mean that the victims are located in Russia, but the attackers could also have chosen to route the victims' traffic through that region as a decoy or to limit queries to relevant ones. Burton favors the former, arguing that DecoyDog behaves like Pupy and reaches its controllers through the system's default recursive resolver, so the controller sees the address of the victim's resolver rather than of the victim itself. Since changing the resolver configuration in a modern network is quite challenging, these victims were most likely in Russia or a neighboring country (and possibly routed their data through Russia).

TTPs point to multiple actors

Infoblox distinguished the four actors operating DecoyDog based on observed tactics, techniques, and procedures (TTPs). However, all of them seem to respond to queries that match the correct format for DecoyDog or Pupy.

Burton pointed out that this strange behavior may be intentional, but even with her extensive experience as a cryptographer, intelligence officer and data scientist, she cannot attribute a specific reason to it. If the theory of multiple DecoyDog actors is correct, it is likely that two of them improved it with new features.

According to Burton, one of the four actors operates the most advanced version of DecoyDog observed, with clients connecting to the controller claudfront[.]net. Another controller attributed to this actor was maxpatrol[.]net, for which no client connections were observed; the name resembles MaxPatrol, the vulnerability and compliance management product of Positive Technologies. Positive Technologies, a Russian cybersecurity firm, was sanctioned by the United States in 2021 for supporting Russian intelligence services.

Infoblox notes that the new version of DecoyDog comes with a domain generation algorithm (DGA) that acts as a fallback module, allowing infected devices to use third-party DNS servers if the malware cannot communicate with its C2 server for an extended period. Starting with the third version, DecoyDog provides extensive persistence mechanisms, indicating that its purpose is mainly intelligence collection rather than financial gain or red team use.

Many questions about DecoyDog remain

DecoyDog remains mysterious, and further research is required to determine its targets and the initial intrusion method (for example supply chain compromise, known exploits, or zero-day exploits against targeted devices) by which it entered the networks.

Although Infoblox has the support of the information security community (major threat intelligence vendors, government agencies, threat research groups and financial organizations), no other detections of the malware, nor its full extent, have been publicly disclosed.

Infoblox advises defenders to be aware that the IP addresses appearing in DecoyDog and Pupy DNS responses carry encoded data and are not real addresses used for communication, and to monitor DNS queries and responses, since they can help track the malware's activity.
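For the advice about answer addresses, an added example (not Infoblox's detection logic; the response records below are constructed, and the thresholds are assumptions): it groups A-record answers by registered domain and scores whether the returned addresses behave like data rather than reachable hosts, using three heuristics: nearly every answer is distinct, the answers scatter across unrelated /8 prefixes, and a large share falls in non-routable or reserved ranges. Grouping by the last two labels is a simplification of registered-domain extraction.

```python
"""Heuristic: do a domain's A-record answers look like encoded data?

Added example, not Infoblox's detection logic. The response records and the
thresholds are constructed/assumed for the demonstration; grouping by the
last two labels approximates the registered domain (use a public-suffix
list on real data)."""
import ipaddress
from collections import defaultdict

# Constructed sample responses: (query name, record type, answer).
# The hsdps.cc answers are made-up values chosen to look like data, not
# addresses actually observed for that domain.
SAMPLE_ANSWERS = [
    ("www.example.com", "A", "93.184.216.34"),
    ("www.example.com", "A", "93.184.216.34"),
    ("www.example.com", "A", "93.184.216.34"),
    ("www.example.com", "A", "93.184.216.34"),
    ("q1a7.hsdps.cc", "A", "17.43.91.200"),
    ("q2b3.hsdps.cc", "A", "203.0.113.77"),
    ("q3c9.hsdps.cc", "A", "8.129.5.66"),
    ("q4d2.hsdps.cc", "A", "240.12.0.9"),
    ("q5e8.hsdps.cc", "A", "172.31.255.1"),
    ("mail.example.com", "MX", "mx.example.com"),  # non-A answers are ignored
]


def base_domain(qname, labels=2):
    """Registered-domain approximation: the last `labels` labels of the name."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def answer_stats(records, min_answers=4, unique_ratio=0.8,
                 min_prefixes=3, non_global_ratio=0.5):
    """Per domain, measure how much its A answers look like data instead of hosts."""
    by_domain = defaultdict(list)
    for qname, rtype, rdata in records:
        if rtype == "A":
            by_domain[base_domain(qname)].append(ipaddress.ip_address(rdata))

    stats = {}
    for dom, addrs in by_domain.items():
        if len(addrs) < min_answers:
            continue
        n = len(addrs)
        uniq = len(set(addrs)) / n
        prefixes = len({int(a) >> 24 for a in addrs})  # distinct /8 blocks
        non_global = sum(1 for a in addrs if not a.is_global) / n
        stats[dom] = {
            "answers": n,
            "unique_ratio": uniq,
            "prefix8_count": prefixes,
            "non_global_ratio": non_global,
            # Either signal alone is enough to earn a closer look.
            "data_like": (uniq >= unique_ratio and prefixes >= min_prefixes)
                         or non_global >= non_global_ratio,
        }
    return stats


if __name__ == "__main__":
    for dom, s in answer_stats(SAMPLE_ANSWERS).items():
        print(dom, s)
```

A legitimate round-robin or CDN name also returns varied answers, but those stay within a few prefixes and are routable, so the prefix and non-global checks keep it out of the flagged set; a controller that packs bytes into A records has no such constraint. Check a flagged domain's answers against actual connection logs: addresses that are handed out but never connected to are the confirming sign.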

The company has also released a YARA rule that detects the DecoyDog samples observed by the researchers since July and distinguishes them from public versions of Pupy.

Source: blog.csdn.net/FreeBuf_/article/details/131967041