Threat Intel Alert: Infoblox Reveals Shift in Decoy Dog Malware Tactics After Initial Discovery

Aug 1, 2023•Knowledge

On July 25, 2023 Infoblox released critical updates and a second detailed report regarding the “Decoy Dog” malware. We have determined that no Infoblox customer devices have been compromised. However, the malware is very advanced, still not fully understood, and as such remains a threat to global enterprises until it is neutralized. You can access the full report here.

The alert provides details necessary to ensure your enterprise is protected:

To assist, we are releasing a large public data set and detailed findings, including a new YARA rule that can be applied to files to identify the malware and further support industry investigation of these C2 systems.
Infoblox has new detection algorithms in place to identify Decoy Dog domains, which are included in our BloxOne Threat Defense Essentials package.
Decoy Dog continues to operate and is now controlled by at least 3 actors. These actors responded to our initial disclosures by changing their operations in order to retain access to their victims.
Although based on the open-source RAT Pupy, Decoy Dog is a fundamentally new, previously unknown, malware with many features to persist on a compromised device. Many aspects of Decoy Dog remain a mystery, but all signs point to nation-state hackers.

For more information regarding Infoblox’s first published report on Decoy Dog in April, visit here.

To read more on Infoblox’s findings, you can view the company's issued press release here.

You can also learn more from two exclusive interviews given by CEO Scott Harrell and Head of Threat Intel, Renee Burton.

As a reminder, if you are a BloxOne Threat Defense (Advanced) Customer

If you have applied the suspicious feed and the anti-malware feed to your security policy in blocking mode, you are already protected. Decoy Dog domains which have not yet been validated appear in the suspicious domains feed.
If not, follow Infoblox recommendations to block on suspicious domains and anti-malware feeds. We continue to monitor for more indicators that will be added to the suspicious domains feed.
Ensure you are syncing NIOS IPAM metadata with DNS if you have configured Data Connector. This will enable operations teams to quickly identify those assets that may be attempting to interact with the adversary infrastructure.
https://insights.infoblox.com/resources-deployment-guides/infoblox-deployment-guide-data-connector#page=29
https://insights.infoblox.com/resources-deployment-guides/infoblox-deployment-guide-collecting-ipam-metadata-from-nios-source#page=1
Check the Security Activity report in the Cloud Services Portal (CSP) to access details of affected assets and events related to this threat.

If you are a BloxOne Threat Defense (Essentials or Business On-premises) Customer

Validated Decoy Dog domains are part of the anti-malware feed. If you have applied the anti-malware feed to your RPZ policy configuration, the on-premise DNS servers will have already pulled the active data set including those indicators known to be related to this threat. If not, follow Infoblox recommendations to block with the anti-malware feeds.
https://insights.infoblox.com/resources-deployment-guides/infoblox-deployment-guide-infoblox-dns-firewall-with-activetrust-threat-feed#page=8
Validate security events generated by the on-premise DNS appliances via the Infoblox Reporting server

If you are a BloxOne Threat Defense (Business Cloud) Customer

Validated Decoy Dog domains are part of the anti-malware feed. If you have applied the anti-malware feed as part of the BloxOne Threat Defense policy you are already protected. If not, follow Infoblox recommendations to block using the anti-malware feed.
https://docs.infoblox.com/space/BloxOneThreatDefense/35403288/Adding+Policy+Rules+and+Setting+Precedence
Check the Security Activity report in the Cloud Services Portal (CSP) to access details of affected assets and events related to this threat.

If you are not a BloxOne Threat Defense Customer

Decoy Dog domains that have been released publicly are in our GitHub report along with other released threat intelligence indicators. You may use this to protect against these domains. https://github.com/infobloxopen/threat-intelligence
If you have our RPZ/DNS Firewall capability, create policies to block resolution of the domains listed above. https://docs.infoblox.com/space/nios90/280760150/Testing+RPZ+Feed+Rules. If not, please follow these guidelines to manually add these malicious domains to your block list. NOTE: as new indicators are identified you will need to manually add these additional domains to mitigate the threat. https://docs.infoblox.com/space/nios90/280760177/Configuring+Local+RPZs.

If you find these in your traffic or would like more information, please contact your account manager or email info@infoblox.com

Additional Resources: