
Updates on ‘Decoy Dog’, the remote access trojan toolkit

This malware was discovered solely because of DNS threat detection algorithms

Infoblox published a second threat report with critical updates on “Decoy Dog,” the remote access trojan (RAT) toolkit they discovered and disclosed in April 2023. The malware uses DNS to establish command and control (C2) and is suspected as a secret tool used in ongoing nation-state cyber attacks.

The threat actors responded swiftly to Infoblox’s disclosure of the toolkit, adapting their systems to keep operating, which indicates that maintaining access to victim devices remains a high priority for them. The analysis shows that use of the malware has spread, with at least three actors now operating it. Although based on the open-source RAT Pupy, Decoy Dog is a fundamentally new, previously unknown malware with many features for persisting on a compromised device. Many aspects of Decoy Dog remain a mystery, but all signs point to nation-state hackers. Infoblox released a new data set containing DNS traffic captured from its own servers to support further industry investigation of the C2 systems.

There is a significant risk that Decoy Dog and its use will continue to grow and impact organisations globally. Currently, the only known means to detect and defend against Decoy Dog/Pupy is a DNS Detection and Response system.

“It’s intuitive that DNS should be the first line of defense for organisations to detect and mitigate threats like Decoy Dog. Infoblox is the industry’s best-of-breed DNS Detection and Response solution, providing companies with a turn-key defense that other XDR solutions would miss,” said Scott Harrell, Infoblox President and CEO. “As demonstrated with Decoy Dog, studying and deeply understanding the attacker’s tactics and techniques allows us to block threats before they are even known as malware.”

“The lack of insight into underlying victim systems and vulnerabilities being exploited makes Decoy Dog an ongoing and serious threat,” said Dr. Renée Burton, Head of Threat Intelligence at Infoblox. “The best defense against this malware is DNS. Malicious activity often goes unnoticed because DNS is undervalued as a critical component in the security ecosystem. Only enterprises with a strong protective DNS strategy can protect themselves from these types of hidden threats.”

This toolkit exploits an inherent weakness of the malware-centric intelligence ecosystem that dominates the security industry today. Furthermore, this malware was discovered solely because of DNS threat detection algorithms. Organisations’ best defence against these attacks is protection at the DNS level, within every network. Infoblox’s BloxOne Threat Defense customers remain protected from Decoy Dog and these known malicious threat actors.
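The article repeatedly makes the point that a DNS-based RAT such as Decoy Dog/Pupy is only visible in DNS query traffic, and that it was found by DNS threat detection algorithms rather than by file-based signatures. As an added illustration of what "detection at the DNS level" means in practice, the script below scores query logs for three generic C2 indicators: non-repeating high-entropy subdomain labels (data encoded into the name), a regular query cadence (beaconing), and a high share of TXT queries (room for larger server responses). This is example code written for this page, not Infoblox's product logic and not a description of Decoy Dog's actual traffic; the log lines, the `c2-placeholder.test` domain and the thresholds are constructed assumptions.

```python
"""Heuristic scoring of DNS query logs for C2-like behaviour.

Constructed example for illustration: the sample log, the domain names and
the thresholds are assumptions, not Infoblox's detection algorithms and not
observed Decoy Dog traffic.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client_ip> <qname> <qtype>".
# 10.0.0.9 queries a different random-looking label every ~60 s (beacon-like).
SAMPLE_LOG = """\
1690000000 10.0.0.5 www.example.com A
1690000001 10.0.0.5 cdn.example.com A
1690000002 10.0.0.7 mail.example.com MX
1690000003 10.0.0.9 7f3a9c1e0b.c2-placeholder.test TXT
1690000063 10.0.0.9 a81d44fe27.c2-placeholder.test TXT
1690000123 10.0.0.9 c0ffee5ba1.c2-placeholder.test TXT
1690000183 10.0.0.9 d9e2b7310c.c2-placeholder.test TXT
1690000243 10.0.0.9 e5a0c84fb3.c2-placeholder.test TXT
1690000303 10.0.0.9 1b6d9f3e8a.c2-placeholder.test TXT
1690000304 10.0.0.5 www.example.com A
1690000305 10.0.0.7 www.example.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Turn the constructed log format into (ts, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname, qtype = parts
        records.append((int(ts), client, qname.lower().rstrip("."), qtype.upper()))
    return records


def base_domain(qname):
    """Naive registrable domain: last two labels (no public-suffix list here)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def beacon_regularity(timestamps):
    """Coefficient of variation of inter-query gaps; low means regular cadence."""
    ts = sorted(timestamps)
    if len(ts) < 5:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return None
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return math.sqrt(var) / mean


def collect(records):
    """Aggregate per-base-domain features from parsed query records."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy_sum": 0.0, "txt": 0, "timestamps": []})
    for ts, _client, qname, qtype in records:
        bd = base_domain(qname)
        prefix = qname[: -len(bd) - 1] if qname != bd else ""
        d = stats[bd]
        d["queries"] += 1
        d["subdomains"].add(prefix)
        d["entropy_sum"] += shannon_entropy(prefix)
        d["txt"] += qtype == "TXT"
        d["timestamps"].append(ts)
    return stats


def analyze(text, min_queries=5, entropy_threshold=3.0,
            unique_ratio_threshold=0.8, cv_threshold=0.1, txt_share=0.5):
    """Return {base_domain: [reasons]} for domains matching at least two indicators."""
    findings = {}
    for bd, d in collect(parse_log(text)).items():
        if d["queries"] < min_queries:
            continue
        reasons = []
        mean_entropy = d["entropy_sum"] / d["queries"]
        unique_ratio = len(d["subdomains"]) / d["queries"]
        if mean_entropy >= entropy_threshold and unique_ratio >= unique_ratio_threshold:
            reasons.append("high-entropy, non-repeating subdomain labels")
        cv = beacon_regularity(d["timestamps"])
        if cv is not None and cv < cv_threshold:
            reasons.append("regular query cadence (beacon-like)")
        if d["txt"] / d["queries"] >= txt_share:
            reasons.append("dominated by TXT queries")
        if len(reasons) >= 2:  # one indicator alone is too noisy (SPF lookups, CDNs)
            findings[bd] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in analyze(SAMPLE_LOG).items():
        print(domain, "->", "; ".join(reasons))
```

Requiring two independent indicators keeps ordinary traffic (SPF/DKIM TXT lookups, CDN hostnames with many labels) below the alert line; in a real deployment the two-label `base_domain` heuristic would be replaced by a public-suffix-aware split and the thresholds tuned against the network's own baseline.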