Decoy dog toolkit plays the long game with Pupy RAT
Christopher Boyd
Researchers at Infoblox have discovered a new toolkit being used in the wild called Decoy Dog. It targets enterprises, and has a fondness for deploying a remote access trojan called Pupy RAT.
Activity from the RAT was first noticed earlier this month. Subsequent research revealed that it has been in operation since at least April last year. An initial two domains were being used as Command & Control centers (C2), with almost all of the C2 communications originating from Russia.
From there, further research identified a DNS signature not related to Pupy components. This signature was so unique that its presence indicated not just the open source Pupy RAT, but the Decoy Dog toolkit being used for deployment. Infoblox claims that this unique DNS signature for Decoy Dog "matches less than 0.0000027% of the 370 million active domains on the internet".
Pupy itself has been seen in numerous nation state attacks and other serious compromises. Back in 2020, it was at the heart of a European electricity association breach. Elsewhere, it was seen as part of a campaign called Magic Hound in 2017, which targeted Government and technology sectors in Saudi Arabia.
Pupy RAT is very good at hiding in networks for long periods of time and can infect several platforms including Windows, Linux, and mobile. It communicates with its C2 via DNS. This makes it harder to spot than more common forms of malicious activity due to its tiny footprint. Its open source nature means all manner of changes, such as detecting sandboxes, installing keyloggers, or dumping hashes from a target system, can be made to keep security teams on their toes.
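Because DNS-based C2 hides in a protocol every network allows, hunting for it usually means looking at query shape rather than a block list. The script below is an added example, not code from the article, Infoblox, or the Pupy project, and it does not reproduce the Decoy Dog DNS signature (which Infoblox has not published here). It applies generic DNS tunnelling heuristics to a constructed query log: many distinct subdomains under one base domain, unusually long leftmost labels, and high character entropy in those labels. The client addresses, the `example-attacker.net` domain, and the hex-looking labels are all made up for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one "client_ip fqdn" pair per line.
# Nothing here is real traffic; the attacker domain is invented.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.example.com
10.0.0.7 a3f9c2e1b8d4f6e07c1b.c2.example-attacker.net
10.0.0.7 9e1d4c7b2a8f3e6d5b0a.c2.example-attacker.net
10.0.0.7 4b8e2f1a9c3d7e6f0a5b.c2.example-attacker.net
10.0.0.7 d7c1a9e4f2b8036e5c4d.c2.example-attacker.net
10.0.0.7 0f3e5d7c9b1a2e4f6d8c.c2.example-attacker.net
10.0.0.9 www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_fqdn(fqdn: str):
    """Return (subdomain labels, base domain).

    Assumes a two-label base such as example.com. A real deployment should
    use the public suffix list so that co.uk-style domains are handled.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def analyse(log_text: str):
    """Group queries by base domain and collect per-domain features."""
    per_domain = defaultdict(lambda: {
        "queries": 0,
        "unique_subs": set(),
        "max_label_len": 0,
        "entropies": [],
    })
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:          # skip blank or malformed lines
            continue
        _client, fqdn = parts
        subs, base = split_fqdn(fqdn)
        d = per_domain[base]
        d["queries"] += 1
        if subs:
            d["unique_subs"].add(".".join(subs))
            d["max_label_len"] = max(d["max_label_len"],
                                     max(len(lbl) for lbl in subs))
            # The leftmost label is where tunnelled data usually lives.
            d["entropies"].append(shannon_entropy(subs[0]))
    return per_domain


def suspicious_domains(log_text: str, min_unique: int = 4,
                       min_label_len: int = 16,
                       min_entropy: float = 3.5):
    """Flag base domains whose subdomains look like encoded C2 traffic.

    All three thresholds must be exceeded, which keeps ordinary CDN and
    mail hostnames (few, short, low-entropy labels) off the list.
    """
    flagged = []
    for base, d in analyse(log_text).items():
        if not d["entropies"]:
            continue
        avg_entropy = sum(d["entropies"]) / len(d["entropies"])
        if (len(d["unique_subs"]) >= min_unique
                and d["max_label_len"] >= min_label_len
                and avg_entropy >= min_entropy):
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    for base in suspicious_domains(SAMPLE_LOG):
        print("possible DNS C2:", base)
```

Thresholds like these trade false positives against coverage: legitimate services (some CDNs, anti-spam lookups, certificate transparency checks) also generate long high-entropy labels, so in practice the output is a hunting lead to be cross-checked against domain age and registrar data rather than a verdict on its own.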
It is not easy to set up or use: operating it requires both skill with the tool itself and correctly configured DNS server infrastructure. This is not your average DIY bedroom coded malware operation, and anyone using this knows what they're doing.
There is currently no evidence to suggest any consumer targets have been hit by the Decoy Dog/Pupy RAT combination. So far, everything Infoblox and the other security vendors it has consulted have seen has been enterprise based. This makes sense; it would be rather peculiar to see something of this nature striking out at people in their homes. If you're not an enterprise or running "large organisational, non-consumer devices" then this isn't something you're likely to run into.
Additionally, there's no data shared on which sector is targeted by the above, so it's currently impossible to say if it's one specific realm of business at risk here or if the group behind these installations is picking targets at random. One would suspect the former. While the energy sector shows up in many historical Pupy attacks, that doesn't mean this is the case here. Investigations into Decoy Dog and Pupy RAT are ongoing, so for now we have to hope that this particular spate of network compromise is still something of a rarity.
Users of Malwarebytes are protected against this threat.