Cybersecurity researchers from Infoblox’s Threat Intelligence Group have found a new remote access trojan (RAT) lurking in corporate networks around the world and claim it’s been operating in secret for roughly a year.
The researchers named the RAT Pupy, and were able to trace its toolkit back to Russia, and now believe a state-sponsored attacker is behind the campaign.
In a press release, Infoblox’s researchers said they found a critical security threat communicating with a malware (opens in new tab) toolkit dubbed “Decoy Dog”.
Russian IP
This toolkit communicates with a Russian IP and targets organizations around the world – the US, Europe, South America, and Asia. Companies being targeted with this new RAT include those in technology, healthcare, energy, financial and other sectors.
The RAT is “not your generic consumer device threat”, mostly because of how difficult it was to detect any activity on the compromised endpoints.
“This C2 communication was very hard to find, due to a small amount of data queries in a large pool of DNS data,” the researchers claim. “This RAT uses DNS as a C2 channel through which the malicious actor has control of the internal devices.”
Pupy is an open-source project, the researchers further claim, saying that it’s been “consistently associated” with nation-state actors.
The identity of the attackers, as well as the nature of the compromise, is unknown at the time, Infoblox said, and added that it’s currently working with other cybersecurity vendors to uncover these details, as well.
“Organisations with protective DNS are able to block these domains immediately, mitigating their risk while they continue to investigate further,” the report concludes. Here’s a list of C2 domains that should be blocked, to mitigate potential risks
- claudfront[.]net
- allowlisted[.]net
- atlas-upd[.]com
- ads-tm-glb[.]click
- cbox4[.]ignorelist[.]com
- hsdps[.]cc
- Here are the best firewalls (opens in new tab) around to keep you safe
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba