Decoy Dog Malware Tool Kit Spotted Via Malicious DNS Queries

A new malware tool kit, “Decoy Dog,” has been actively targeting enterprise networks for a year. The researchers identified Decoy Dog after analyzing billions of DNS queries.

Decoy Dog Malware Actively Targeting Enterprises

Sharing the details in a recent blog post, the cybersecurity firm Infoblox has unveiled a new malware tool kit, “Decoy Dog,” running active campaigns in the wild.

As elaborated, the researchers became curious about the matter upon detecting billions of malicious DNS queries. They scanned at least 70 billion DNS queries to find a similar DNS pattern from 0.0000027% of all active domains globally. What alarmed them about the DNS queries was their peculiarity – they returned unresolvable IP addresses, something quintessential of US Dept. of Defense or malicious phishing campaigns.

Analyzing the matter further made the researchers detect these queries generated from enterprise networks. Then, the C2 communications linked back to Russian hosts.

Eventually, the researchers could find PupyRAT related to this activity. The Decoy Dog malware tool kit supposedly deployed PupyRAT on target enterprise networks.

While most domains associated with this campaign linked to the tool kit, some domains did not, hinting that they may be left for domain aging.

The researcher first detected Decoy Dog in the wild in April 2023. However, analyzing the domains made them deduce that the tool kit became active in April 2022.

It remains unclear if all Decoy Dog activity originates from the same threat actor. Alternatively, the creators might have set up Decoy Dog for commercial use, letting numerous threat actors use the tool kit for different malware.

Besides, the researchers found Decoy Dog typically focused on enterprise networks only, sparing consumer devices. Nonetheless, their target enterprise networks may include small and large businesses alike.

To mitigate such attacks, Infoblox advises enterprises to deploy blocklists on their networks to prevent malicious DNS queries. They have also shared the IOCs for the tool kit, which organizations may use to configure the filters.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients