Infoblox published a threat report blog on a remote access trojan (RAT) toolkit with DNS command and control (C2). The toolkit created an anomalous DNS signature observed in enterprise networks in the U.S., Europe, South America, and Asia across technology, healthcare, energy, financial and other sectors. Some of these communications go to a controller in Russia.
Coined “Decoy Dog,” Infoblox’s Threat Intelligence Group was the first to discover this toolkit and is collaborating with other security vendors, as well as customers, to disrupt this activity, identify the attack vector, and secure global networks. The critical insight is that DNS anomalies measured over time not only surfaced the RAT, but ultimately tied together seemingly independent C2 communications. A technical analysis of Infoblox’s findings is here.
“Decoy Dog is a stark reminder of the importance of having a strong, protective DNS strategy,” said Renée Burton, Senior Director of Threat Intelligence for Infoblox. “Infoblox is focused on detecting threats in DNS, disrupting attacks before they start, and allowing customers to focus on their own business.”
As a specialised DNS-based security vendor, Infoblox tracks adversary infrastructure and can see suspicious activity early in the threat lifecycle, where there is “intent to compromise” and before the actual attack starts. As a normal course of business, any indicators that are deemed suspicious are included in Infoblox’s Suspicious domain feeds, direct to customers, to help them preemptively protect themselves against new and emerging threats.
Threat Discovery, Anatomy & Mitigation:
- Infoblox discovered activity from the remote access trojan (RAT) Pupy active in multiple enterprise networks in early April 2023. This C2 communication went undiscovered since April 2022.
- The RAT was detected from anomalous DNS activity on limited networks and in network devices such as firewalls; not user devices such as laptops or mobile devices.
- The RAT creates a footprint in DNS that is extremely hard to detect in isolation but, when analysed in a global cloud-based protective DNS system like Infoblox’s BloxOne Threat Defense, demonstrates strong outlier behavior. Further it allowed Infoblox to tie the disparate domains together.
- C2 communications are made over DNS and are based on an open-source RAT called Pupy. While this is an open-source project, it has been consistently associated with nation-state actors.
- Organisations with protective DNS can mitigate their risk. BloxOne Threat Defense customers are protected from these suspicious domains.
- In this case, Russian C2 domains were already included in the Suspicious domains feeds in BloxOne Threat Defense (Advanced) back in the fall of 2022. In addition to the Suspicious Domains feed, these domains have now been added to Infoblox’s anti-malware feed.
- Infoblox continues to urge organisations to block the following domains:
- claudfront[.]net
- allowlisted[.]net
- atlas-upd[.]com
- ads-tm-glb[.]click
- cbox4[.]ignorelist[.]com
- hsdps[.]cc
“While we automatically detect thousands of suspicious domains every day at the DNS level – and with this level of correlation, it’s rare to discover these activities all originating from the same toolkit leveraging DNS for command-and-control,” added Burton.
The Infoblox team is working around the clock to understand the DNS activity. Complex problems like this one highlight the need for an industry-wide intelligence-in-depth strategy where everyone contributes to understanding the entire scope of a threat.
For the full threat summary titled “Dog Hunt: Finding Decoy Dog Toolkit via Anomalous DNS Traffic” click here.
Discussion about this post