A remote access Trojan (RAT) called Decoy Dog, based on the open-source Pupy malware, has recently gained persistence on compromised devices, leading researchers to suspect the involvement of a nation-state actor. Discovered a few months ago by the threat intelligence team at Infoblox, Decoy Dog has now been found to be used by at least three different cybercrime groups.
According to Renée Burton, head of threat intelligence at Infoblox, the team estimates that only a “few hundred” devices are currently compromised by this RAT. While the researchers are unaware of the specific organizations being targeted, they believe that nation-state actors are likely focusing on political targets and important enterprises such as technology and critical infrastructure.
Once inside a victim’s system, the threat actor behind Decoy Dog can execute arbitrary code. Although the exact intentions of the actor are unclear, Burton states that they have created special mechanisms to enable a wide range of actions.
Decoy Dog, despite being based on the open-source RAT Pupy, is a completely new and previously unknown malware. Infoblox describes it as having many features to persist on a compromised device. The malware strain utilizes the domain name system (DNS) to establish command and control over the victim’s systems.
Due to the lack of deep insight into the underlying victim systems and the vulnerabilities being exploited, Decoy Dog poses an ongoing and serious threat. Infoblox emphasizes the critical nature of this malware.
In an update released this week, Infoblox stated that “all signs point to nation-state hackers.” The research team believes that Decoy Dog is likely the work of a nation-state actor due to its sophistication and the target organizations being of interest to such actors.
Given the relatively low number of compromised devices at this point, it is crucial for organizations to be aware of the potential threats posed by this RAT and take appropriate measures to protect themselves. Infoblox urges companies to block malicious domains associated with Decoy Dog to minimize the risk of compromise.
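Because the article describes Decoy Dog as using DNS for command and control and recommends blocking the associated domains, the following added example shows how a defender might review resolver logs for both signals: a suffix match against a domain blocklist, and heuristics for names that look like DNS-carried C2 traffic (oversized or random-looking leftmost labels, and many distinct subdomains under one apex). This is illustrative code written for this page, not Infoblox's tooling; the blocklist entry, IP addresses, domain names and log lines are all constructed placeholders and are not real Decoy Dog indicators. The `analyze_log` thresholds are assumptions to be tuned against your own baseline.

```python
"""Heuristic review of DNS query logs for signs of DNS-based command and control.

Added example for this article; it is not Infoblox's tooling and contains no
real Decoy Dog indicators. Every domain, address and log line is constructed.
"""
import math
from collections import Counter, defaultdict

# Placeholder blocklist. A real deployment would load the indicator list that a
# threat-intelligence feed provides; this name is invented for the example.
BLOCKLIST = {"example-c2-placeholder.test"}

# Constructed resolver log, one query per line: "<timestamp> <client> <qtype> <qname>".
# The tunnel-placeholder.test queries imitate the shape of data-carrying DNS C2.
SAMPLE_LOG = """\
2023-07-25T10:00:01Z 10.0.0.5 A www.example.com
2023-07-25T10:00:02Z 10.0.0.5 A mail.example.com
2023-07-25T10:00:03Z 10.0.0.7 A example-c2-placeholder.test
2023-07-25T10:00:04Z 10.0.0.9 TXT a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0.tunnel-placeholder.test
2023-07-25T10:00:05Z 10.0.0.9 TXT 0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a.tunnel-placeholder.test
2023-07-25T10:00:06Z 10.0.0.9 TXT 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.tunnel-placeholder.test
2023-07-25T10:00:07Z 10.0.0.9 TXT 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e.tunnel-placeholder.test
2023-07-25T10:00:08Z 10.0.0.9 TXT 5a5b5c5d5e5f6a6b6c6d6e6f7a7b7c7d7e7f8a8b.tunnel-placeholder.test
2023-07-25T10:00:09Z 10.0.0.9 TXT c0ffee00c0ffee11c0ffee22c0ffee33c0ffee44.tunnel-placeholder.test
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded or random labels score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str):
    """Return (apex, subdomain) using a naive two-label apex (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return labels[0], ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def is_blocklisted(qname: str) -> bool:
    """True if the queried name or any parent domain is on the blocklist."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def parse_line(line: str):
    """Parse one constructed log line; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname}


def analyze_log(log_text: str, *, max_label_len: int = 30, entropy_threshold: float = 3.5,
                min_entropy_len: int = 16, min_unique_subdomains: int = 5) -> dict:
    """Run the blocklist check and the C2-shape heuristics over a log text.

    Thresholds are assumptions for illustration; tune them against a baseline
    of your own resolver traffic before relying on them.
    """
    blocklisted = set()          # (client, qname) pairs hitting the blocklist
    suspicious_labels = []       # (client, qname, reason) for odd leftmost labels
    subdomains = defaultdict(set)  # apex -> distinct subdomain strings seen

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        qname = rec["qname"].rstrip(".").lower()
        if is_blocklisted(qname):
            blocklisted.add((rec["client"], qname))
        apex, sub = split_name(qname)
        if not sub:
            continue
        subdomains[apex].add(sub)
        first = sub.split(".")[0]
        # Data smuggled in DNS names tends to produce long, high-entropy labels.
        if len(first) > max_label_len:
            suspicious_labels.append((rec["client"], qname, "oversized label"))
        elif len(first) >= min_entropy_len and shannon_entropy(first) > entropy_threshold:
            suspicious_labels.append((rec["client"], qname, "high-entropy label"))

    # Many distinct subdomains under one apex suggests per-query encoded payloads.
    high_subdomain_apexes = {apex: len(seen) for apex, seen in subdomains.items()
                             if len(seen) >= min_unique_subdomains}
    return {"blocklisted": blocklisted, "suspicious_labels": suspicious_labels,
            "high_subdomain_apexes": high_subdomain_apexes}


if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    for client, name in sorted(report["blocklisted"]):
        print(f"BLOCKLIST  {client} -> {name}")
    for client, name, reason in report["suspicious_labels"]:
        print(f"LABEL      {client} -> {name} ({reason})")
    for apex, count in report["high_subdomain_apexes"].items():
        print(f"VOLUME     {apex}: {count} distinct subdomains")
```

The blocklist check is the action the article recommends and is exact; the label and volume heuristics are broader and will also flag legitimate CDN, telemetry and anti-spam services that encode identifiers into DNS names, so treat their output as triage candidates rather than verdicts and maintain an allowlist for known apexes.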
Infoblox’s threat intelligence team continues to monitor this evolving threat. They aim to gain more insight into Decoy Dog’s functionality and the specific organizations being targeted. Collaboration between the cybersecurity community and organizations like Infoblox is essential to combating threats such as Decoy Dog and ensuring the security of critical systems.
