Infoblox Inc. recently published a second threat report to provide updates on the remote access toolkit, or RAT, called “Decoy Dog,” which the company discovered in April. To establish command and control, Decoy Dog uses the Domain Name System. The company also suspects it’s a secret tool nation-states use in cyberattacks.
Once Infoblox disclosed it knew of the RAT — specifically, a variation of a RAT known as Pupy — the threat actors adapted to ensure its continuous operation. The company says it has continued to research Decoy Dog and Pupy since the publication of its findings on April 23. It writes in its threat report that Decoy Dog represents a significant upgrade to Pupy. It uses commands and configurations that are not in the public repositories.
Infoblox reports that it developed algorithms to separate Decoy Dog client communications from other traffic and to infer several other properties about each controller. The new algorithms underscore something we have thought about for some time: If your DNS is insecure, your entire enterprise might as well leave its front door unlocked. Infoblox has a commercially available DNS detection and response, or DNSDR, system.
DNSDR is well-equipped to deal with the typical attack sequence. For example, an attacker might create a malicious payload in what’s called the weaponization stage. The attacker then delivers the payload to a target, often through a spear-phishing email.
Then, when a user clicks on the link, the device requests a connection to the internet location, and the lookup happens via a DNS server. Network security devices such as next-generation firewalls and web gateways start processing the traffic — and the connection is subsequently established. Once the connection is established, the payload is downloaded and executed on the target device.
The first step in this process happens through DNS. With DNSDR in place, an enterprise can weed out the threats before they affect vital infrastructure. Such was the case with Decoy Dog and Pupy.
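The sequence above starts with a DNS lookup, which is why a resolver log is a useful early-warning source. The following is an added example, not Infoblox's code or Decoy Dog's behaviour, of two defender-side checks over constructed resolver log lines: a match against a watchlist of known C2 domains, and a heuristic for the "many random-looking subdomains under one base domain" pattern that DNS-based command and control typically produces. The domain names, the log format and the thresholds are all assumptions.

```python
from collections import defaultdict
import math

# Constructed resolver log, one query per line: "<epoch> <client_ip> <qname> <qtype>".
# c2-placeholder.test stands in for an actual C2 domain; none are named in the report.
SAMPLE_LOG = """\
1690000001 10.0.0.5 www.example.com A
1690000002 10.0.0.5 mail.example.com A
1690000003 10.0.0.7 k3x9q2vz.c2-placeholder.test A
1690000004 10.0.0.7 p8w1zr4t.c2-placeholder.test A
1690000005 10.0.0.7 m2n7yh6b.c2-placeholder.test A
1690000006 10.0.0.7 z5c4qw8e.c2-placeholder.test A
1690000007 10.0.0.7 q1v8xk3r.c2-placeholder.test A
1690000008 10.0.0.9 known-bad.test A
1690000009 10.0.0.5 www.example.com A
"""
WATCHLIST = {"known-bad.test"}  # constructed; fed from vendor threat intel in practice

def parse_line(line):
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname.lower().rstrip("."), qtype

def registered_domain(qname):
    # Simplification: last two labels. Production code should use the public suffix list.
    return ".".join(qname.split(".")[-2:])

def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def triage(log_text, watchlist=WATCHLIST, min_unique=5, min_entropy=2.5):
    """Return a sorted list of (client_ip, reason, base_domain) alerts."""
    alerts = set()
    subdomains = defaultdict(set)  # (client, base domain) -> distinct subdomain prefixes
    for line in log_text.strip().splitlines():
        _, client, qname, _ = parse_line(line)
        base = registered_domain(qname)
        if base in watchlist or qname in watchlist:
            alerts.add((client, "watchlist", base))
        if qname != base:
            subdomains[(client, base)].add(qname[: -len(base) - 1])
    for (client, base), labels in subdomains.items():
        # Many distinct, high-entropy prefixes to one base domain is the C2/tunnelling signature.
        if len(labels) >= min_unique:
            if sum(shannon_entropy(l) for l in labels) / len(labels) >= min_entropy:
                alerts.add((client, "many-high-entropy-subdomains", base))
    return sorted(alerts)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The watchlist check catches domains already known from research such as the 21 Infoblox is tracking; the entropy heuristic is what gives you a chance at a controller that is not yet on any list.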
Infoblox says it has learned the key features of the malware and the operators. It believes there is a risk that the use of Decoy Dog will grow and affect a wide array of organizations around the globe.
“It’s intuitive that DNS should be the first line of defense for organizations to detect and mitigate threats like Decoy Dog,” said Infoblox Chief Executive Scott Harrell. “As demonstrated with Decoy Dog, studying and deeply understanding the attacker’s tactics and techniques allows us to block threats before they are even known as malware.”
Defending against such threats requires a different approach. Focusing on typical malware targets leaves organizations behind the eight ball. Guarding against the RATs and dogs requires a DNS-centric approach — especially considering the statistic that Infoblox quoted in its press release: More than 90% of malware attacks leverage DNS to establish command and control on a targeted network, according to Anne Neuberger, Director of Cybersecurity at the National Security Agency. Organizations that leave their DNS unwatched risk having threats dwell in their infrastructure and inflict severe damage.
Infoblox says it’s monitoring 21 Decoy Dog domains, some registered within the last month. The key here is for organizations to monitor industry research and use their DNS as an early warning system. Infoblox is on the vanguard.
Dr. Renée Burton, head of threat intelligence at Infoblox, will speak at Black Hat in Las Vegas on Aug. 9. This year’s talk from Renée should be a fascinating discussion of RATs and dogs. And I’m pretty sure that between now and then, there will be even more developments. Infoblox will provide a unique hands-on experience for attendees to work with a Decoy Dog data set at the Black Hat show.