Home Latest Cyber Security News | Network Security Hacking Decoy Dog Malware Tool Kit Spotted Via Malicious DNS Queries

Decoy Dog Malware Tool Kit Spotted Via Malicious DNS Queries

by Abeerah Hashim
New “sedexp” Linux Malware Remained Undetected For Two Years

A new malware tool kit, “Decoy Dog,” has been actively targeting enterprise networks for a year. The researchers identified Decoy Dog after analyzing billions of DNS queries.

Decoy Dog Malware Actively Targeting Enterprises

Sharing the details in a recent blog post, the cybersecurity firm Infoblox has unveiled a new malware tool kit, “Decoy Dog,” running active campaigns in the wild.

As elaborated, the researchers became curious about the matter upon detecting billions of malicious DNS queries. They scanned at least 70 billion DNS queries to find a similar DNS pattern from 0.0000027% of all active domains globally. What alarmed them about the DNS queries was their peculiarity – they returned unresolvable IP addresses, something quintessential of US Dept. of Defense or malicious phishing campaigns.

Analyzing the matter further made the researchers detect these queries generated from enterprise networks. Then, the C2 communications linked back to Russian hosts.

Eventually, the researchers could find PupyRAT related to this activity. The Decoy Dog malware tool kit supposedly deployed PupyRAT on target enterprise networks.

While most domains associated with this campaign linked to the tool kit, some domains did not, hinting that they may be left for domain aging.

The researcher first detected Decoy Dog in the wild in April 2023. However, analyzing the domains made them deduce that the tool kit became active in April 2022.

It remains unclear if all Decoy Dog activity originates from the same threat actor. Alternatively, the creators might have set up Decoy Dog for commercial use, letting numerous threat actors use the tool kit for different malware.

Besides, the researchers found Decoy Dog typically focused on enterprise networks only, sparing consumer devices. Nonetheless, their target enterprise networks may include small and large businesses alike.

To mitigate such attacks, Infoblox advises enterprises to deploy blocklists on their networks to prevent malicious DNS queries. They have also shared the IOCs for the tool kit, which organizations may use to configure the filters.

Let us know your thoughts in the comments.

You may also like