Analysis
Cybersecurity firm Infoblox has identified a new, sophisticated malware toolkit named Decoy Dog after inspecting over 70 billion DNS records. To avoid discovery, Decoy Dog uses evasive strategies such as DNS query dribbling and smart domain ageing. The toolkit is well organised and has distinctive features that make it straightforward to recognise, especially when its domains are examined at the DNS level. Fewer than 0.0000027% of active domains on the internet match its DNS signature, which makes Decoy Dog's use in the wild very unusual. The core component of the malware is Pupy RAT, which is distributed through DNS tunnelling.
Prevention
- Keep software up to date
- Use strong, unique passwords
- Watch out for suspicious emails and links
- Use a firewall
- Employ DNS security
- Back up your data consistently
Detection
- Regularly check your network traffic for any odd or suspicious activities, such as a high volume of DNS requests or traffic to unidentified sites.
- Use an intrusion detection system (IDS) to identify suspicious network activity and get alerts about it.
- Use a DNS monitoring tool to keep an eye on your DNS traffic for any odd patterns or requests that could point to an attack.
- Monitor system logs for any activity that could point to a malware infection.
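As an added illustration of the DNS-monitoring point above (example code written for this page, not an Infoblox tool or anything from the original report), the following Python scores DNS query logs for two traits the analysis attributes to Decoy Dog: encoded-looking subdomains carried over DNS, and slow, evenly spaced queries (dribbling). The log lines, client addresses and domain names are constructed placeholders.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: (timestamp_seconds, client, qtype, qname).
# Not real Decoy Dog traffic; the domain names are placeholders.
SAMPLE_LOG = [
    (0,    "10.0.0.5", "TXT", "mail.example-corp.test"),
    (60,   "10.0.0.5", "A",   "www.example-corp.test"),
    (400,  "10.0.0.5", "A",   "mail.example-corp.test"),
    (0,    "10.0.0.9", "TXT", "4f9a2c7e1b3d8e6f0a1c.c2-placeholder.test"),
    (900,  "10.0.0.9", "TXT", "9b1e3f7a2d6c8e0f4a5b.c2-placeholder.test"),
    (1800, "10.0.0.9", "TXT", "2c8d6e0f1a3b5c7d9e2f.c2-placeholder.test"),
    (2700, "10.0.0.9", "TXT", "7e1f3a5b9c2d4e6f8a0b.c2-placeholder.test"),
]

def registered_domain(qname):
    """Crude eTLD+1: the last two labels (sufficient for the constructed sample)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def label_entropy(label):
    """Shannon entropy in bits per character; encoded payload labels score high."""
    if not label:
        return 0.0
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def score_domains(log, min_queries=3, entropy_threshold=3.5, jitter=0.2):
    """Group queries by (client, registered domain) and flag groups whose
    subdomains all look encoded and/or whose queries arrive at a near-constant
    interval (low-and-slow beaconing). Returns {(client, domain): [reasons]}."""
    groups = defaultdict(list)
    for ts, client, qtype, qname in log:
        groups[(client, registered_domain(qname))].append((ts, qtype, qname))
    findings = {}
    for key, entries in groups.items():
        if len(entries) < min_queries:
            continue  # too few queries to judge a pattern
        reasons = []
        subs = {q.split(".")[0] for _, _, q in entries}
        if all(label_entropy(s) > entropy_threshold for s in subs):
            reasons.append("all %d subdomains look encoded (entropy > %.1f)"
                           % (len(subs), entropy_threshold))
        stamps = sorted(e[0] for e in entries)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            reasons.append("regular %ds interval over %d queries" % (mean, len(entries)))
        if reasons:
            findings[key] = reasons
    return findings
```

Thresholds here are illustrative; tune them against your own baseline of benign query volume and naming before alerting on them.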
Indicators of Compromise (IOCs)
- Unusual network activity, such as heavy traffic to dubious sites or traffic using unusual protocols.
- Changes in system behaviour, such as elevated resource utilisation, unauthorised access attempts, or configuration changes.
- Suspicious files, such as the appearance of unfamiliar or unauthorised files, or changes to file properties or hashes.
- Suspicious user behaviour, such as logins from unusual locations or accounts holding unauthorised rights.
- Security alerts, such as IDS or antivirus alerts that reveal attempts to exploit known security flaws or matches against malware signatures.
- Unauthorised or suspicious login attempts, such as those made from unusual locations or at unusual hours.
References
The Hacker News