Illustrated rat wearing sunglasses in front of a blue background
Image: andrenascimento/Adobe Stock

If you do a search for the most recent reports on Domain Name System attacks, you may have a hard time finding one since IDC’s 2021 report noting that in 2020, 87% of organizations experienced a DNS attack during 2020.

The fact that DNS isn’t front-of-mind nomenclature for many attacks that actually put DNS in the attack chain may have to do with the security alphabet soup of DNS over TLS or HTTP. As a CloudFlare report explains, TLS and HTTP encrypt plaintext DNS queries, keeping browsing secure and private.

SEE: Google’s 2FA may lack encryption, meaning unlocked doors to mobile devices

Still, Akamai’s Q3 DNS threat report noted a 40% increase in DNS attacks in that quarter last year, and 14% of all protected devices communicated with a malicious designation at least once in the third quarter last year.

Jump to:

New stealth toolkit for experts only

Infoblox Threat Intelligence Group, which says it analyzes billions of DNS records and millions of domain-related records each day, has reported a new malware toolkit called Decoy Dog that uses a remote access trojan called Pupy.

Renée Burton, senior director threat intelligence at Infoblox, said Pupy is an open-source product that is very difficult to use and not well documented. Infoblox found that the Decoy Dog toolkit that uses Pupy in fewer than 3% of all networks, and that the threat actor who has control of Decoy Dog is connected to just 18 domains.

“We discovered it through our series of anomaly detectors and learned that Decoy Dog activities have been operating a data exfiltration command and control, or C2, system for over a year, starting early April 2022,” Burton said. “Nobody else knew.”

Russian hound

When Infoblox analyzed the queries in external global DNS data, the firm’s researchers found that the Decoy Dog C2 originated almost exclusively from hosts in Russia.

“One of the main dangers is nobody knows what it is,” Burton said. “That means something is compromised and someone controls it, and nobody knows what that is. That’s very unusual. We know what the signature is, but we do not know what it is controlling and nobody here does.”

Command and control, Burton explained, allows an antagonist to hijack systems. “I could command you to give me all of your email. If you are a firewall, I could command you to turn off, if you are a load balancer I could command you to create a DDoS,” she said.

Burton said Pupy has been connected to nation-state activities in the past, and that’s not because of the high bar to entry. “It’s a complex, multi-module trojan that provides no instruction to the user on how to establish the DNS nameserver in order to carry out C2 communications. As a result, it is not easily accessible to the common cybercriminal,” she said.

A Pupy that’s a RAT

Like legitimate uses of remote access technologies, such as services allowing technicians to remotely demonstrate new systems on a remote computer or expedite fixes directly, RATs are easy to install and don’t reveal themselves by changes in computation speed. They can be delivered by email, video games and other software, or even advertisements and web pages. Pupy is a RAT with specific C2 capabilities.

According to Burton:

  • A RAT provides access to a system.
  • Some RATs use C2 infrastructure, allowing remote control of the compromised machine.
  • Pupy is a complex, cross-platform, open-source C2 tool mainly written in Python that is very hard to detect.
  • Decoy Dog is an extraordinarily rare deployment of Pupy with a DNS signature revealing how it was configured and how it operates. According to Infoblox, only 18 domains of 370 million match that signature.

Some common RAT malware uses include an attacker gaining remote access to a laptop and renting that out to threat actors who deposit more malware through the computer’s access networks. “This is one way to make your laptop part of a botnet,” said Burton. “Those are pretty common situations.”

Small, anomalous toolkits have hidden risks

Although Decoy Dog is miniscule in deployment, there are inherent risks in concealed RATs, or malware that has mysterious provenance and remains invisible. Burton points to the 2018 Pegasus malware, a C2 spyware developed by Israeli cyber-arms firm NSO Group.  Pegasus is designed to enter and control Android, iOS, Symbian and BlackBerry mobile devices, giving a remote hacker access to a phone’s cameras, location, microphone and other sensors for purposes of surveillance.

Amnesty International got involved when the Saudi government allegedly used Pegasus to spy on the family of Jamal Khashoggi, who had been murdered by government operatives.

Amnesty International’s Security Lab recently exposed another commercial spyware that went undetected for two years and leveraged zero-day attacks against Google’s Android operating systems. “We looked at that and discovered that we had blocked 89% of those domains long before the reporting from Amnesty, so our customers were protected and we were able to validate what Amnesty had said,” said Burton.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday