Cybersecurity researchers from Infoblox’s Threat Intelligence Group have found a new remote access trojan (RAT) lurking in corporate networks around the world and claim it’s been operating in secret for roughly a year.
The researchers named the RAT Pupy, and were able to trace its toolkit back to Russia, and now believe a state-sponsored attacker is behind the campaign.
In a press release, Infoblox’s researchers said they found a critical security threat communicating with a malware toolkit dubbed “Decoy Dog”.
Russian IP
This toolkit communicates with a Russian IP and targets organizations around the world - the US, Europe, South America, and Asia. Companies being targeted with this new RAT include those in technology, healthcare, energy, financial and other sectors.
The RAT is “not your generic consumer device threat”, mostly because of how difficult it was to detect any activity on the compromised endpoints.
“This C2 communication was very hard to find, due to a small amount of data queries in a large pool of DNS data,” the researchers claim. “This RAT uses DNS as a C2 channel through which the malicious actor has control of the internal devices.”
Pupy is an open-source project, the researchers further claim, saying that it’s been “consistently associated” with nation-state actors.
The identity of the attackers, as well as the nature of the compromise, is unknown at the time, Infoblox said, and added that it’s currently working with other cybersecurity vendors to uncover these details, as well.
“Organisations with protective DNS are able to block these domains immediately, mitigating their risk while they continue to investigate further,” the report concludes. Here’s a list of C2 domains that should be blocked, to mitigate potential risks
- claudfront[.]net
- allowlisted[.]net
- atlas-upd[.]com
- ads-tm-glb[.]click
- cbox4[.]ignorelist[.]com
- hsdps[.]cc
- Here are the best firewalls around to keep you safe
