Infoblox releases report findings on “Decoy Dog” and collaborates across the industry to help raise awareness and problem solve. Command-and-control (C2) domain over DNS went undiscovered for a year as part of a single toolkit.
Infoblox Inc. has published a threat report blog on a remote access trojan (RAT) toolkit with DNS command and control (C2). The toolkit created an anomalous DNS signature observed in enterprise networks in the U.S., Europe, South America, and Asia across technology, healthcare, energy, financial and other sectors. Some of these communications go to a controller in Russia.
Coined “Decoy Dog,” Infoblox’s Threat Intelligence Group was the first to discover this toolkit and is collaborating with other security vendors, as well as customers, to disrupt this activity, identify the attack vector, and secure global networks. The critical insight is that DNS anomalies measured over time not only surfaced the RAT, but ultimately tied together seemingly independent C2 communications.
“Decoy Dog is a stark reminder of the importance of having a strong, protective DNS strategy. Infoblox is focused on detecting threats in DNS, disrupting attacks before they start, and allowing customers to focus on their own business,” said Renée Burton, Senior Director of Threat Intelligence, Infoblox.
As a specialized DNS-based security vendor, Infoblox tracks adversary infrastructure and can see suspicious activity early in the threat lifecycle, where there is “intent to compromise” and before the actual attack starts. As a normal course of business, any indicators that are deemed suspicious are included in Infoblox’s Suspicious domain feeds, direct to customers, to help them preemptively protect themselves against new and emerging threats.
Infoblox discovered activity from the remote access trojan (RAT) Pupy active in multiple enterprise networks in early April 2023. This C2 communication went undiscovered since April 2022.
· The RAT was detected from anomalous DNS activity on limited networks and in network devices such as firewalls; not user devices such as laptops or mobile devices.
· The RAT creates a footprint in DNS that is extremely hard to detect in isolation but, when analyzed in a global cloud-based protective DNS system like Infoblox’s BloxOne® Threat Defense, demonstrates strong outlier behavior. Further it allowed Infoblox to tie the disparate domains together.
Infoblox continues to urge organizations to block the domains such as claudfront[.]net, allowlisted[.]net, atlas-upd[.]com, ads-tm-glb[.]click, cbox4[.]ignorelist[.]com and hsdps[.]cc.
“While we automatically detect thousands of suspicious domains every day at the DNS level – and with this level of correlation, it’s rare to discover these activities all originating from the same toolkit leveraging DNS for command-and-control,” added Burton.
The Infoblox team is working around the clock to understand the DNS activity. Complex problems like this one highlight the need for an industry-wide intelligence-in-depth strategy where everyone contributes to understanding the entire scope of a threat.
