While analyzing billions of DNS records, Infoblox researchers discovered a sophisticated malware toolkit, dubbed Decoy Dog, that was employed in attacks aimed at enterprise networks.
Threat actors behind the malware were observed using known tricks to avoid detection such as registering a domain, but not using it for some time (domain aging technique) and DNS query dribbling.
The Decoy Dog is a cohesive toolkit that implements a number of highly unusual characteristics, which make it easy to identify when examining its domains on a DNS level.
Some of these characteristics are:
Infoblox recommends organizations to add the indicators of compromise (IOCs) included in its report to their blocklists manually or via our GitHub repository infobloxopen:threat-intelligence.
“We believe that global security industry collaboration is necessary to understand the full end-to-end story of Decoy Dog and the C2 activity.” concludes the report. “Organizations with protective DNS are able to block these domains immediately, mitigating their risk while they continue to investigate further.”
Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)