ASEC: Pupy is a RAT malware strain that offers cross-platform support. A malware strain named Decoy Dog was discovered, which is an updated version of Pupy RAT. Decoy Dog was used in attacks against corporate networks in Russia and Eastern Europe. ASEC briefly describes Pupy RAT attacks against Asian countries and South Korea, and lists IOCs. 🔗 https://asec.ahnlab.com/en/64258/

#threatintel #PupyRAT #DecoyDog #RAT #IOC

Analysis of Pupy RAT Used in Attacks Against Linux Systems - ASEC BLOG

AhnLab Security Emergency response Center

Almost exactly one year ago, we announced the discovery of a new DNS C2 malware -- Decoy Dog. This remote access trojan had been lurking for already a year undetected by the industry and was essentially disguised as the open source tool, Pupy. Our second research paper, released in July 2023, showed how different Decoy Dog was from Pupy and that it was being used by multiple distinct actors, almost certainly nation state actors... but we had no idea where it was actually operating. We now know that the Russian security company, and others, have found Decoy Dog in the wild since then. They attribute attacks on Russian governments and critical infrastructure to Ukraine. We are confident there are multiple actors using the toolkit (see our second paper linked below). But we now have a better insight on the types of devices that are being exploited. Also PT shows active use of the DGA in Decoy Dog that we had disclosed in our second paper. This is a serious RAT and hopefully the community will continue to report findings and share protection mechanisms. #dns #decoydog #malware #rat #cybercrime #cybersecurity #russia #ukraine #threatintel #threatintelligence #infosec #pupy #infoblox #rat https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat/ https://blogs.infoblox.com/cyber-threat-intelligence/decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns/
Hellhounds: operation Lahat

ptsecurity.com
Almost a year ago we discovered DNS malware Decoy Dog and went on a wild ride chasing that down. In August, we did a deep dive webinar on the malware and how we analyzed it. No pay/sign wall! #dns #malware #infoblox #threatintel #cybersecurity #infosec #apt #decoydog https://www.infoblox.com/resources/webinars/decoy-dog-is-no-ordinary-pupy-separating-a-sly-dns-malware-from-the-pack/
Decoy Dog is No Ordinary Pupy: Separating a Sly DNS Malware from the Pack

Explore the intricacies of Decoy Dog, a sophisticated DNS-based threat, and discover how Infoblox's cybersecurity solutions can bolster your defenses.

Infoblox
DNS C2 malware Decoy Dog is still operating and new samples have surfaced. 07dfb5b3e666400469fa451cdca5f29a346a5c9036e00c6587ef2b3b43631f10 connects to maxpatrol[.]net.
But the most interesting in the last few months is d189e0150f42d2a2e40fefcec6973fcbc4a8b1a1757a358d13df3519ef275412, which connects directly to 194.87.68[.]65:80.
#dns #malware #infoblox #decoydog #c2 #rat

So.. twice this year a DNS threat actor changed behavior when we were investigating and they soared from suspicious to malicious. lol. clever. first #decoydog then #prolificpuma ... anyhow.. kinda funny.. we fully expected them to regroup... it's their job after all to do the crime thing.. but they just can't let go of music references.. new email address 6lackrules@proton[.]me. no more anon usTLD registrations it looks like.

Here are some domains. A slight change in hosting. I don't see the shorteners set up yet, but these'll be for SMS bad activities again, I'm sure.


#dns #malware #smishing #phishing #cybersecurity #infosec #infoblox

🔍 Mysterious Decoy Dog malware toolkit, lurking in DNS shadows, used for sophisticated cyber intelligence operations with unclear origins. Infoblox researchers suspect four actors behind it, targeting the Russian and Eastern European space. Decoy Dog upgrades from Pupy with Python 3.8, improved Windows compatibility, and advanced communication modules. Targeting appears highly selective, indicating an intelligence operation. Handlers and purpose are still a mystery; further research is needed.

TTPs (Tactics, Techniques, and Procedures):

1. Reliance on DNS for Command and Control (C2) Activity: Decoy Dog utilizes the domain name system (DNS) for communication with its command and control servers, making it difficult to detect and track.

2. Pupy Open-Source RAT Basis: Decoy Dog is heavily based on the Pupy open-source post-exploitation remote access trojan (RAT), with various improvements and upgrades.

3. Python 3.8 Dependency: Decoy Dog requires Python 3.8, distinguishing it from Pupy, which was written in Python 2.7.

4. Expanded Communication Vocabulary: Decoy Dog expands Pupy's communications modules, enabling more diverse communication methods.

5. Response to Replays of DNS Queries: Unlike Pupy, Decoy Dog responds to replays of previous DNS queries.

6. Response to Wildcard DNS Requests: Decoy Dog responds to wildcard DNS requests, increasing the number of resolutions seen in passive DNS.

7. Response to Invalid DNS Request Structure: Decoy Dog responds to DNS requests that don't match the structure of valid communication, possibly as a decoy or defense mechanism.

8. Injection of Arbitrary Java Code: Decoy Dog adds the ability to run arbitrary Java code by injecting it into a JVM thread, enhancing its capabilities for persistence on compromised devices.

9. Geofencing Mechanism: One version of Decoy Dog uses a geofencing mechanism that limits responses from controller domains to DNS queries from specific regions, possibly indicating targeted regions.

10. Domain Generation Algorithm (DGA): Newer versions of Decoy Dog feature a DGA acting as an emergency module to allow compromised machines to use a third-party DNS server if the C2 server is inaccessible for an extended period.

IOCs (Indicators of Compromise):

Domains Associated with Decoy Dog Command and Control (C2) Activity:

1. cbox4.ignorelist.com
2. claudfront.net
3. hsdps.cc
4. ads-tm-glb.click
5. atlas-upd.com
6. allowlisted.net
7. maxpatrol.net (associated with an advanced version of Decoy Dog)

#cybersecurity #malware #DecoyDog
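Added here as an illustration (not code from Infoblox or from any of the posts above): a small passive-DNS triage script that matches query names against the C2 domains listed above and, following TTPs 1, 5 and 6, flags apex domains that answer many distinct high-entropy subdomains. The passive-DNS records, the unknownc2.example apex, the two-label apex rule and the thresholds are constructed assumptions.

```python
import math
from collections import defaultdict
# C2 domains from the IOC list in the post above (Infoblox's published Decoy Dog indicators).
DECOY_DOG_C2 = {"cbox4.ignorelist.com", "claudfront.net", "hsdps.cc", "ads-tm-glb.click",
                "atlas-upd.com", "allowlisted.net", "maxpatrol.net"}

# Constructed passive-DNS records (query name, rcode); not real telemetry. unknownc2.example is
# a hypothetical apex standing in for a controller that is not on any published IOC list.
SAMPLE_PDNS = [
    ("a3f9c1e2b7d4.claudfront.net", "NOERROR"), ("9e1b0c7ad52f.claudfront.net", "NOERROR"),
    ("4d7e2a9c1f0b.claudfront.net", "NOERROR"), ("b8c3d5e7f1a9.claudfront.net", "NOERROR"),
    ("cbox4.ignorelist.com", "NOERROR"),
    ("7c1e9a3f5b2d.unknownc2.example", "NOERROR"), ("e2d4c6b8a0f1.unknownc2.example", "NOERROR"),
    ("3b5d7f9a1c2e.unknownc2.example", "NOERROR"), ("f0e1d2c3b4a5.unknownc2.example", "NOERROR"),
    ("1a2b3c4d5e6f.unknownc2.example", "NOERROR"),
    ("www.example.com", "NOERROR"), ("mail.example.com", "NOERROR"), ("ftp.example.com", "NXDOMAIN"),
]

def shannon_entropy(label):
    """Bits per character of one DNS label; random-looking tunnel labels score high."""
    n = len(label)
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def apex(qname):
    # Assumption: apex is the last two labels. Production code should use the Public Suffix
    # List, or co.uk-style suffixes and dynamic-DNS providers get grouped wrongly.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def matches_ioc(qname):
    """True when the name is a listed C2 domain or a subdomain of one (label-boundary match)."""
    q = qname.lower().rstrip(".")
    return any(q == ioc or q.endswith("." + ioc) for ioc in DECOY_DOG_C2)
def analyze(records, min_unique=4, min_entropy=3.0, min_answered=0.9):
    """Flag apexes that are known C2, or answer many high-entropy subdomains (TTPs 1, 5, 6)."""
    by_apex = defaultdict(list)
    for qname, rcode in records:
        by_apex[apex(qname)].append((qname.lower().rstrip("."), rcode))
    findings = {}
    for ap, recs in by_apex.items():
        subs = {q[: -len(ap) - 1] for q, _ in recs if q != ap}
        ents = [shannon_entropy(s.split(".")[0]) for s in subs]
        mean_ent = sum(ents) / len(ents) if ents else 0.0
        answered = sum(rc == "NOERROR" for _, rc in recs) / len(recs)
        known = any(matches_ioc(q) for q, _ in recs)
        if known or (len(subs) >= min_unique and mean_ent >= min_entropy and answered >= min_answered):
            findings[ap] = {"unique_subdomains": len(subs), "mean_entropy": round(mean_ent, 2),
                            "answered_ratio": round(answered, 2), "known_c2": known}
    return findings
```

Benign apexes with a few low-entropy hostnames (www, mail) stay below the thresholds, while the high answer ratio captures the wildcard-response behaviour the post describes; tune the thresholds against your own resolver baseline before alerting.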

A few months ago I posted about a DNS malware C2 we had discovered— Decoy Dog — that was based on Pupy, had been undetected for over a year, and had some inexplicable behavior. We hoped the community would easily find the infected devices based on the info we provided. No such luck. Since then we have used DNS to learn an astonishing amount about the operations. Once we realized Decoy Dog was more advanced than Pupy, and we saw how the actors responded to our original releases, we went back to the binaries. Today we released an in-depth technical analysis of Decoy Dog, a Pupy research data set, and a new Yara rule. This is the exec summary. Link to the full technical paper and other tidbits in the comments. #dns #threatintel #malware #decoydog #rat #c2 #infoblox #datascience #threatresearch https://blogs.infoblox.com/cyber-threat-intelligence/decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns/
Decoy Dog: Separating a Sly DNS Malware from the Pack | Infoblox

Infoblox details how the DNS malware Decoy Dog is the work of advanced persistent threat actors and why it should worry organizations worldwide.

Infoblox Blog
We are trying to finish a major update paper on Decoy Dog and it seems like every day we find a new fascinating difference from the original Pupy RAT C2. It amazes me that no one has found.. or admitted to finding...these exploited devices.. Decoy Dog is a major upgrade to Pupy and not only continues to operate but spread... We are just going to call this a stopping point and finish with a 50 page deep dive into the C2 and its decoy... Need a few more weeks to edit. #threatintel #infosec #rat #malware #c2 #pupy #decoydog #dns
Decoy Dog: Malware toolkit remains undetected in most cases

With the Decoy Dog malware toolkit, hackers are targeting companies. Although established detection methods are bypassed, the activity can be recognized by analyzing DNS traffic. Companies should block the domains used by Decoy Dog.

A week ago I posted about C2 domains we found via DNS emanating from enterprise network appliances... still many mysteries.. but here are our findings. https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/dog-hunt-finding-decoy-dog-toolkit-via-anomalous-dns-traffic/ #dns #Infoblox #infosec #threatintel #malware #rat #decoydog
Analyzing DNS Traffic for Anomalous Domains and Threat Detection | Infoblox

Learn how Infoblox’s Threat Intelligence Group identified C2 servers in DNS arising from a persistent toolkit called Decoy Dog and how Infoblox can help protect your network from similar attacks.

Infoblox Blog