Security News > 2023 > April > Decoy Dog malware toolkit found after analyzing 70 billion DNS queries
A new enterprise-targeting malware toolkit called 'Decoy Dog' has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity.
Decoy Dog helps threat actors evade standard detection methods through strategic domain aging and DNS query dribbling, aiming to establish a good reputation with security vendors before switching to facilitating cybercrime operations.
Researchers from Infoblox discovered the toolkit in early April 2023 as part of its analysis of over 70 billion DNS records daily to look for signs of abnormal or suspicious activity.
Further investigation revealed that the DNS tunnels on these domains had characteristics that pointed to Pupy RAT, a remote access trojan deployed by the Decoy Dog toolkit.
"This multiple-part signature gave us strong confidence that the domains were not only using Pupy, but they were all part of Decoy Dog - a large, single toolkit that deployed Pupy in a very specific manner on enterprise or large organizational, non-consumer, devices," Infoblox revealed in its report.
The analysts discovered a distinct DNS beaconing behavior on all Decoy Dog domains that are configured to follow a particular pattern of periodic but infrequent DNS request generation.