Analyzing DNS queries offers a strong opportunity to spot emerging cybercriminal techniques.
Security researchers at Infoblox have discovered a new enterprise malware toolkit called “Decoy Dog” after a fresh examination of anomalous DNS traffic that deviates from typical Internet activity.
By building a clean reputation for its domains among security vendors, Decoy Dog helps attackers evade common detection techniques through clever “domain aging” and DNS query cloning. The toolkit was found earlier this month by Infoblox researchers during their daily review of more than 70 billion DNS records for indications of unusual behavior.
The Investigation
Decoy Dog’s unique DNS fingerprint allowed for its quick detection and investigation, leading to the discovery of C2 servers associated with its activity. Investigation revealed the use of Pupy RAT, a popular modular toolkit for remote access and control. The domains associated with Decoy Dog were found to deploy Pupy RAT in a specific way within enterprises, and Infoblox’s multi-part signature provided confidence in the findings. Finally, DNS beacons on honeypot domains showed distinct, periodic behavior in generating DNS queries.
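The periodic DNS beaconing mentioned above is one signal a defender can check for in their own resolver logs. The following is an added example (not Infoblox's signature or code) that groups queries by client and registered domain and flags streams whose inter-query gaps are nearly constant; the log lines are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample resolver log (not real Decoy Dog traffic).
# Format per line: "<epoch seconds> <client IP> <queried name>"
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com
1000 10.0.0.5 cdn.example.net
1060 10.0.0.5 a1b2.beacon-test.example
1120 10.0.0.5 c3d4.beacon-test.example
1180 10.0.0.5 e5f6.beacon-test.example
1240 10.0.0.5 a7b8.beacon-test.example
1300 10.0.0.5 c9d0.beacon-test.example
1400 10.0.0.5 mail.example.org
1700 10.0.0.5 docs.example.org
1900 10.0.0.5 www.example.com
"""

def registered_domain(name):
    """Collapse a hostname to its last two labels (naive: no public-suffix list)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_log(text):
    """Return a list of (timestamp, client, registered_domain) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, name = line.split()
        events.append((int(ts), client, registered_domain(name)))
    return events

def find_periodic_beacons(events, min_queries=4, max_cv=0.2):
    """Return {(client, domain): mean_gap_seconds} for query streams with at
    least min_queries lookups whose inter-arrival times are nearly constant
    (coefficient of variation <= max_cv). Normal browsing is bursty and
    irregular, so it falls outside the threshold."""
    times = defaultdict(list)
    for ts, client, domain in events:
        times[(client, domain)].append(ts)
    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_queries:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            hits[key] = m
    return hits

if __name__ == "__main__":
    for (client, domain), period in find_periodic_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {domain}: periodic queries every ~{period:.0f}s")
```

Tuning max_cv upward catches beacons with deliberate jitter at the cost of more false positives from scheduled software updates and similar legitimate timers.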
Where Did The Malware Come From?
According to an examination of the specifics, operation Decoy Dog began at the beginning of last April and went unreported for more than a year, even though the toolkit’s domains exhibit highly unusual characteristics.
To help defenders, cyber security researchers, and targeted enterprises protect against this sophisticated threat, Infoblox has included Decoy Dog domains in its report and added them to its “Suspicious Domains” list.
The company has also published indicators of compromise in its public GitHub repository, which can be manually added to blacklists.
The ability to identify Decoy Dog across the Internet shows how large-scale data analysis can be used to spot unusual activity, making potential threats easier to detect.