Infoblox Uncovers DNS Malware Toolkit & Urges Companies to Block Malicious Domains

Wyng Boosts Security Posture with Successful Completion of SOC 2 Type 2 Examination

Infoblox

  • Infoblox releases report findings on “Decoy Dog” and collaborates across the industry to help raise awareness and problem solve

  • Command-and-control (C2) domain over DNS went undiscovered for a year as part of a single toolkit

  • Threat spotlights dangers of malware traffic on networks and importance of a DNS security strategy

  • Infoblox BloxOne® Threat Defense protects customers from these suspicious C2 domains

Infoblox Inc. the company that delivers a simplified, cloud- enabled networking and security platform for improved performance and protection, published a threat report blog on a remote access trojan (RAT) toolkit with DNS command and control (C2). The toolkit created an anomalous DNS signature observed in enterprise networks in the U.S., Europe, South America, and Asia across technology, healthcare, energy, financial and other sectors. Some of these communications go to a controller in Russia.

Coined “Decoy Dog,” Infoblox’s Threat Intelligence Group was the first to discover this toolkit and is collaborating with other security vendors, as well as customers, to disrupt this activity, identify the attack vector, and secure global networks. The critical insight is that DNS anomalies measured over time not only surfaced the RAT, but ultimately tied together seemingly independent C2 communications. A technical analysis of Infoblox’s findings is here.

“Decoy Dog is a stark reminder of the importance of having a strong, protective DNS strategy,” said Renée Burton, Senior Director of Threat Intelligence for Infoblox. “Infoblox is focused on detecting threats in DNS, disrupting attacks before they start, and allowing customers to focus on their own business.”

As a specialized DNS-based security vendor, Infoblox tracks adversary infrastructure and can see suspicious activity early in the threat lifecycle, where there is “intent to compromise” and before the actual attack starts. As a normal course of business, any indicators that are deemed suspicious are included in Infoblox’s Suspicious domain feeds, direct to customers, to help them preemptively protect themselves against new and emerging threats.

Marketing Technology News: YuppTV launches Videograph at NAB Show 2023

Threat Discovery, Anatomy & Mitigation:

  • Infoblox discovered activity from the remote access trojan (RAT) Pupy active in multiple enterprise networks in early April 2023. This C2 communication went undiscovered since April 2022.

  • The RAT was detected from anomalous DNS activity on limited networks and in network devices such as firewalls; not user devices such as laptops or mobile devices.

  • The RAT creates a footprint in DNS that is extremely hard to detect in isolation but, when analyzed in a global cloud-based protective DNS system like Infoblox’s BloxOne® Threat Defense, demonstrates strong outlier behavior. Further it allowed Infoblox to tie the disparate domains together.

  • C2 communications are made over DNS and are based on an open-source RAT called Pupy. While this is an open-source project, it has been consistently associated with nation-state actors.

  • Organizations with protective DNS can mitigate their risk. BloxOne Threat Defense customers are protected from these suspicious domains.

  • In this case, Russian C2 domains were already included in the Suspicious domains feeds in BloxOne Threat Defense (Advanced) back in the fall of 2022. In addition to the Suspicious Domains feed, these domains have now been added to Infoblox’s anti-malware feed.

  • Infoblox continues to urge organizations to block the following domains:
    • claudfront.net
    • allowlisted.net
    • atlas-upd.com
    • ads-tm-glb.click
    • cbox4.ignorelist.com
    • hsdps.cc

“While we automatically detect thousands of suspicious domains every day at the DNS level – and with this level of correlation, it’s rare to discover these activities all originating from the same toolkit leveraging DNS for command-and-control,” added Burton.

The Infoblox team is working around the clock to understand the DNS activity. Complex problems like this one highlight the need for an industry-wide intelligence-in-depth strategy where everyone contributes to understanding the entire scope of a threat.

Marketing Technology News: MarTech Interview with Alan Jacobson, Chief Data and Analytics Officer at Alteryx

Picture of PRNewswire

PRNewswire

PR Newswire, a Cision company, is the premier global provider of multimedia platforms and distribution that marketers, corporate communicators, sustainability officers, public affairs and investor relations officers leverage to engage key audiences. Having pioneered the commercial news distribution industry over 60 years ago, PR Newswire today provides end-to- end solutions to produce, optimize and target content -- and then distribute and measure results. Combining the world's largest multi-channel, multi-cultural content distribution and optimization network with comprehensive workflow tools and platforms, PR Newswire powers the stories of organizations around the world. PR Newswire serves tens of thousands of clients from offices in the Americas, Europe, Middle East, Africa and Asia-Pacific regions.

You Might Also Like