Decoy Dog Gets an Upgrade With New Persistence Features

Discovered just a few months ago, Decoy Dog, a remote access Trojan based on open source Pupy malware, now boasts built-up persistence, leading some researchers to believe there's a nation-state actor behind it.

The threat intelligence team at Infoblox continued to track Decoy Dog and report that at least three different cybercrime groups are using this new and improved version. Renée Burton, head of threat intelligence at Infoblox, tells Dark Reading that the team estimates there are less than a "few hundred" devices currently compromised by the RAT.

The researchers don't know which organizations are being targeted specifically, but Burton says they are most likely organizations considered to be of value to nation-state actors.

"Typically, this would be political targets or important enterprises, such as technology and critical infrastructure," Burton adds.

Once inside, the threat actor behind Decoy Dog can execute arbitrary code. What they are trying to do beyond that exactly isn't clear, "but we do know that the actor created special mechanisms for them to do anything they want," Burton adds.

"Although based on the open-source RAT Pupy, Decoy Dog is a fundamentally new, previously unknown malware with many features to persist on a compromised device," Infoblox said in an update this week. "Many aspects of Decoy Dog remain a mystery, but all signs point to nation-state hackers."

The malware strain leverages the domain name system (DNS) to establish command and control over the victim's systems, according to Infoblox.

"The lack of insight into underlying victim systems and vulnerabilities being exploited makes Decoy Dog an ongoing and serious threat," said Burton.

Updated 5 p.m. on July 25 with interview responses from Infoblox's Renée Burton.