Infoblox, a cloud-enabled networking and security platform provider, recently released a threat report blog about a remote access trojan (RAT) toolkit that uses DNS command and control (C2). This toolkit, called “Decoy Dog,” created an anomalous DNS signature that was observed in enterprise networks across various sectors and regions, including the US, Europe, South America, and Asia. Some of the communications were found to be going to a controller in Russia.
Infoblox’s Threat Intelligence Group discovered this toolkit and is working with other security vendors and customers to disrupt the activity, identify the attack vector, and secure global networks. The company’s DNS-based security infrastructure allows it to track adversary infrastructure and detect suspicious activity early in the threat lifecycle. Infoblox also provides a Suspicious Domains feed to its customers to help them protect themselves against emerging threats. The critical insight here is that DNS anomalies measured over time not only surfaced the RAT but also tied together seemingly independent C2 communications. According to Renée Burton, Senior Director of Threat Intelligence for Infoblox, “Decoy Dog is a stark reminder of the importance of having a strong, protective DNS strategy.”
Threat Discovery, Anatomy & Mitigation:
In early April 2023, Infoblox identified activity from the remote access trojan (RAT) Pupy that was active in multiple enterprise networks. This communication had gone unnoticed since April 2022. The RAT was detected through anomalous DNS activity on a limited number of networks, originating from network devices such as firewalls rather than from user devices such as laptops or mobile devices. The RAT creates a footprint in DNS that is very difficult to detect in isolation, but when analyzed in a global cloud-based protective DNS system like Infoblox’s BloxOne Threat Defense, it demonstrates strong outlier behavior. This allowed Infoblox to link the disparate domains together.
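The detection idea described above, as an added illustration that is not Infoblox's code and does not reproduce the actual Decoy Dog signature: DNS queries are profiled per registered domain over time, domains whose profile is an outlier (many distinct, high-entropy subdomains from few clients, a pattern typical of DNS-based C2) are flagged, and flagged domains that share the same query signature are linked. The log lines, domain names, addresses and thresholds are all constructed assumptions; the registered-domain split is simplified to the last two labels.

```python
import math
from collections import defaultdict

# Constructed resolver log, "<epoch> <client_ip> <qname> <qtype>" (made-up hosts and addresses).
# Two domains share a tunnelling-style profile: one client, a fresh high-entropy label per
# query, all TXT; the other two look like ordinary browsing.
SAMPLE_LOG = """\
1680000000 10.0.0.5 www.example-news.test A
1680000010 10.0.0.7 www.example-news.test A
1680000020 10.0.0.9 cdn.example-news.test A
1680000030 10.0.0.7 mail.example-shop.test A
1680000040 10.0.0.5 www.example-shop.test A
1680000050 10.0.1.1 x7qk2m9z.example-c2-a.test TXT
1680000060 10.0.1.1 p3nf8w1h.example-c2-a.test TXT
1680000070 10.0.1.1 t9ze4c6l.example-c2-a.test TXT
1680000090 10.0.1.2 m4sd7x1y.example-c2-b.test TXT
1680000100 10.0.1.2 r8kc3n5w.example-c2-b.test TXT
1680000110 10.0.1.2 g6tp0j9e.example-c2-b.test TXT
"""

def entropy(label):
    """Shannon entropy in bits per character; 0 for an empty label."""
    freqs = [label.count(c) / len(label) for c in set(label)]
    return -sum(f * math.log2(f) for f in freqs)

def profile(log_text):
    """Per registered domain (simplified to the last two labels): clients, subdomains, entropy, lengths, qtypes."""
    agg = defaultdict(lambda: {"subs": set(), "clients": set(), "ent": [], "lens": [], "qtypes": set()})
    for line in log_text.strip().splitlines():
        _ts, client, qname, qtype = line.split()
        labels = qname.rstrip(".").split(".")
        sub, a = ".".join(labels[:-2]), agg[".".join(labels[-2:])]
        a["subs"].add(sub); a["clients"].add(client); a["qtypes"].add(qtype)
        a["ent"].append(entropy(sub)); a["lens"].append(len(sub))
    return {d: {"subs_per_client": len(a["subs"]) / len(a["clients"]),
                "mean_entropy": sum(a["ent"]) / len(a["ent"]),
                "mean_len": round(sum(a["lens"]) / len(a["lens"])),
                "qtypes": frozenset(a["qtypes"])} for d, a in agg.items()}

def find_linked_outliers(log_text, min_subs_per_client=3.0, min_entropy=2.5):
    """Flag tunnelling-like profiles (thresholds are assumed tuning values) and group them by signature."""
    groups = defaultdict(list)
    for domain, p in profile(log_text).items():
        if p["subs_per_client"] >= min_subs_per_client and p["mean_entropy"] >= min_entropy:
            groups[(p["qtypes"], p["mean_len"])].append(domain)
    return {sig: sorted(doms) for sig, doms in groups.items()}

if __name__ == "__main__":
    for (qtypes, label_len), doms in find_linked_outliers(SAMPLE_LOG).items():
        print(sorted(qtypes), label_len, doms)
```

On the constructed log the two C2-style domains are flagged and end up in one group because they share the TXT query type and the 8-character label length, while the browsing-style domains fall below both thresholds.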
The C2 communications are made over DNS and are based on an open-source RAT called Pupy, which has been consistently associated with nation-state actors. Organizations with protective DNS can mitigate their risk, and BloxOne Threat Defense customers are protected from these suspicious domains. Infoblox continues to urge organizations to block several domains. The Russian C2 domains were already included in the Suspicious Domains feed in BloxOne Threat Defense (Advanced) back in the fall of 2022. In addition to the Suspicious Domains feed, these domains have now been added to Infoblox’s anti-malware feed.
The Infoblox team is working to understand the DNS activity and highlights the need for an industry-wide intelligence-in-depth strategy where everyone contributes to understanding the entire scope of a threat. According to Burton, while Infoblox automatically detects thousands of suspicious domains every day at the DNS level, discovering activities originating from the same toolkit leveraging DNS for command-and-control with this level of correlation is rare.