Infoblox, a cybersecurity company, recently discovered and disclosed a serious security threat known as "Decoy Dog." This malware toolkit has been propagated to a Russian IP address and is selectively targeting organizations worldwide while going undetected. Infoblox's Threat Intelligence Group found the activity at the DNS level, where it is very difficult to detect, and assessed it as consistent with a nation-state advanced persistent threat (APT) actor.
The company's BloxOne® Threat Defense customers are protected from these suspicious domains. Infoblox's Head of the Threat Intelligence Group, Renée Burton, shared the news on Mastodon last week and will speak more about this threat at the RSA Conference, starting on April 25. On April 20, the company will publish additional details about the Decoy Dog toolkit and the importance of a protective DNS strategy.
Infoblox is collaborating with other security vendors and customers to identify and disrupt this activity and secure global networks. The company follows an intelligence-in-depth approach to security, and it was this approach that led to the discovery of the RAT, which had been active in multiple enterprise networks since April 2022. The RAT was previously unknown, and Infoblox confirmed with high confidence that all deployments of this activity arise from a single toolkit. The RAT uses DNS as a command-and-control (C2) channel, giving the malicious actor control of internal devices.
Infoblox has observed active C2 communications in the US, Europe, South America, and Asia in the technology, healthcare, energy, financial, and other sectors. The company is urging organizations to block domains associated with Decoy Dog, such as claudfront[.]net, allowlisted[.]net, atlas-upd[.]com, ads-tm-glb[.]click, cbox4[.]ignorelist[.]com, and hsdps[.]cc.
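A defender's first practical step with the indicators above is to sweep existing DNS query logs for lookups of those domains or their subdomains, since a DNS-based C2 channel shows up as resolver traffic. The following is an added example, not Infoblox's code or tooling: it refangs the indicators exactly as the advisory lists them (the `[.]` notation), normalizes queried names, and matches each log line against the blocklist. The log lines and their `timestamp client qname qtype` layout are constructed for this example and do not reflect any particular resolver's log format.

```python
"""Added example (not Infoblox's code): sweep DNS query logs for the
Decoy Dog domains published in the advisory.

Indicators are kept defanged ("claudfront[.]net") as published; refang()
turns them back into comparable domain names.  The log lines below are
constructed for this example and follow a simple
"<timestamp> <client_ip> <qname> <qtype>" layout.
"""
import re
from typing import List, Optional

# Indicators exactly as listed in the advisory, still defanged.
DECOY_DOG_INDICATORS = [
    "claudfront[.]net",
    "allowlisted[.]net",
    "atlas-upd[.]com",
    "ads-tm-glb[.]click",
    "cbox4[.]ignorelist[.]com",
    "hsdps[.]cc",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator into a normalized, lower-case domain name."""
    return indicator.replace("[.]", ".").strip().rstrip(".").lower()


def normalize_qname(qname: str) -> str:
    """Normalize a queried name: lower-case, strip whitespace and the root dot."""
    return qname.strip().rstrip(".").lower()


def is_blocked(qname: str, blocklist: List[str]) -> Optional[str]:
    """Return the blocklist entry that qname equals or is a subdomain of.

    The dot-prefixed suffix check means 'notclaudfront.net' does NOT match
    'claudfront.net', and only the listed host 'cbox4.ignorelist.com' (not
    every name under ignorelist.com) is flagged.
    """
    name = normalize_qname(qname)
    for blocked in blocklist:
        if name == blocked or name.endswith("." + blocked):
            return blocked
    return None


# Constructed sample log; the hits are lines 2, 3 and 5.
SAMPLE_DNS_LOG = """\
2023-04-21T10:00:01Z 10.1.2.3 www.example.com A
2023-04-21T10:00:02Z 10.1.2.3 a1b2c3.claudfront.net. TXT
2023-04-21T10:00:03Z 10.1.2.9 ALLOWLISTED.NET A
2023-04-21T10:00:04Z 10.1.2.7 notclaudfront.net A
2023-04-21T10:00:05Z 10.1.2.3 cbox4.ignorelist.com A
2023-04-21T10:00:06Z 10.1.2.3 other.ignorelist.com A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def find_hits(log_text: str, indicators: List[str] = DECOY_DOG_INDICATORS) -> List[dict]:
    """Parse each log line and report queries matching the blocklist."""
    blocklist = [refang(i) for i in indicators]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts, client, qname, qtype = m.groups()
        matched = is_blocked(qname, blocklist)
        if matched:
            hits.append({
                "timestamp": ts,
                "client": client,
                "qname": normalize_qname(qname),
                "qtype": qtype,
                "indicator": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_DNS_LOG):
        print(f"{hit['timestamp']} {hit['client']} queried {hit['qname']} "
              f"({hit['qtype']}) -> matches {hit['indicator']}")
```

The suffix check is deliberately anchored on a leading dot so that look-alike registrations and unrelated hosts under a shared parent (the advisory names the host `cbox4[.]ignorelist[.]com`, not the whole `ignorelist[.]com` zone) do not produce false positives; the resulting hit list gives the internal client addresses worth triaging.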
The Infoblox Threat Intelligence Group is working to understand the actor's motivations and identity and the nature of the compromise. The group identifies suspicious domains through several custom-built algorithms and DNS-based threat hunting. Infoblox is dedicated to creating high-fidelity "block-and-forget" Domain Name System (DNS) intelligence data for use in BloxOne Threat Defense. The organization focuses on DNS and infrastructure actors and can identify suspicious behavior before its impact is known to other areas of the industry.