04 June 2024 | Newsroom | Cyber Attack / Malware

Decoy Dog Trojan

Russian organizations on the receiving end of cyber attacks have been found to be served a Windows version of a malware known as Decoy Dog.

Cybersecurity company Positive Technologies is tracking the cluster of activity as Operation Lahat, attributing it to an advanced persistent threat (APT) group it calls HellHounds.

“The Hellhounds group compromises organizations it selects and gains access to their networks, remaining undetected for years,” security researchers Alexander Grigorin and Stanislav Pizov said. “In doing so, the group exploits key compromise vectors ranging from vulnerable web services to trusted relationships.”


HellHounds was first documented by the firm in late November 2023, after the Decoy Dog trojan was found to have compromised an unnamed power company. The group has since been confirmed to have compromised 48 victims in Russia, including IT companies, government bodies, space industry firms, and telecom providers.

There is evidence indicating that the threat actor has been targeting Russian companies since at least 2021, with development of the malware dating back to at least November 2019.

Details about Decoy Dog, a custom variant of the open-source RAT Pupy, first emerged in April 2023, when Infoblox revealed that the malware uses DNS tunneling to communicate with its command-and-control (C2) server and remotely control infected hosts.

A notable feature of the malware is its ability to move victims from one controller to another, allowing threat actors to maintain communications with compromised machines and remain invisible for long periods of time.
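Because Decoy Dog's C2 channel rides on DNS, the practical detection question is what tunneling looks like in resolver logs. The script below is an added example (it is not code from Positive Technologies, Infoblox, or the Decoy Dog/Pupy project) that scores each registered domain in a DNS query log by three generic tunneling indicators: the number of distinct subdomains queried, the length and Shannon entropy of the leftmost label, and the share of record types commonly used to carry data. The log format, the domain `svc-updates.net`, the sample lines and the thresholds are all constructed assumptions for illustration, not indicators published for Decoy Dog.

```python
"""Heuristic scoring of DNS query logs for tunneling-style C2 traffic.

Added example, not code from the vendors or projects named in the article.
Assumed log format (one query per line): "<timestamp> <client-ip> <qname> <qtype>".
Thresholds below are illustrative starting points, not published Decoy Dog values.
"""
import math
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Record types that tunneling tools often (ab)use to carry data. Reported as
# context only; it is a weak signal on its own, so it is not a flag condition.
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME"}

# Constructed sample log: benign traffic to example.com (many short, low-entropy
# subdomains) next to tunneling-like traffic to the assumed domain svc-updates.net
# (each query carries a fresh 32-character hex label).
SAMPLE_LOG = """\
2024-06-04T10:00:01Z 10.0.0.5 www.example.com A
2024-06-04T10:00:02Z 10.0.0.5 cdn.example.com A
2024-06-04T10:00:03Z 10.0.0.5 mail.example.com MX
2024-06-04T10:00:04Z 10.0.0.5 api.example.com A
2024-06-04T10:00:05Z 10.0.0.5 static.example.com A
2024-06-04T10:00:06Z 10.0.0.5 example.com A
2024-06-04T10:00:07Z 10.0.0.7 0a1b2c3d4e5f6789f0e1d2c3b4a59876.svc-updates.net TXT
2024-06-04T10:00:08Z 10.0.0.7 9876543210fedcba0123456789abcdef.svc-updates.net TXT
2024-06-04T10:00:09Z 10.0.0.7 abcdef0123456789fedcba9876543210.svc-updates.net NULL
2024-06-04T10:00:10Z 10.0.0.7 1f2e3d4c5b6a79800897a6b5c4d3e2f1.svc-updates.net TXT
2024-06-04T10:00:11Z 10.0.0.7 f1e2d3c4b5a6978001a2b3c4d5e6f789.svc-updates.net TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain, leftmost_label).

    Simplification: the registered domain is taken as the last two labels, which
    is wrong for multi-label public suffixes such as co.uk; use a public suffix
    list in production.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2]), labels[0]


def parse_log(text: str):
    """Parse the assumed log format, skipping lines that do not match it."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def score_domains(rows):
    """Aggregate per-registered-domain statistics over the parsed queries."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "q": 0, "tq": 0})
    for _ts, _client, qname, qtype in rows:
        dom, sub, leftmost = split_name(qname)
        s = stats[dom]
        s["q"] += 1
        if sub:  # bare apex queries carry no label to measure
            s["subs"].add(sub)
            s["lens"].append(len(leftmost))
            s["ents"].append(shannon_entropy(leftmost))
        if qtype.upper() in TUNNEL_QTYPES:
            s["tq"] += 1
    result = {}
    for dom, s in stats.items():
        n = len(s["lens"])
        result[dom] = {
            "queries": s["q"],
            "unique_subdomains": len(s["subs"]),
            "avg_label_len": sum(s["lens"]) / n if n else 0.0,
            "avg_entropy": sum(s["ents"]) / n if n else 0.0,
            "tunnel_qtype_ratio": s["tq"] / s["q"],
        }
    return result


def flag_suspicious(scores, min_unique=4, min_label_len=20, min_entropy=3.0):
    """Domains that combine many distinct subdomains with long, high-entropy labels.

    All three conditions must hold: a CDN also produces many subdomains, but its
    labels are short dictionary words with entropy well under 3 bits.
    """
    return sorted(
        dom for dom, s in scores.items()
        if s["unique_subdomains"] >= min_unique
        and s["avg_label_len"] >= min_label_len
        and s["avg_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    scores = score_domains(parse_log(SAMPLE_LOG))
    for dom, s in sorted(scores.items()):
        print(f"{dom:20s} {s}")
    print("flagged:", flag_suspicious(scores))
```

On the constructed sample, `example.com` has five distinct subdomains but fails the length and entropy tests, while `svc-updates.net` trips all three and is the only domain flagged. In a real deployment the thresholds need tuning against baseline traffic, the registered-domain split should use a public suffix list, and the per-domain score is best combined with domain rarity across the fleet, since a tunneling domain is typically queried by very few hosts.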

Attacks involving the toolkit have been largely confined to Russia and Eastern Europe and have specifically targeted Linux systems, although Infoblox had pointed to the possibility of a Windows version.

Infoblox noted in July 2023 that “references to Windows in the code point to the existence of an updated Windows client that includes new Decoy Dog capabilities, although all current samples are targeting Linux.”

Positive Technologies’ latest findings confirm the existence of a Windows version of Decoy Dog, which is delivered to mission-critical hosts by a loader that uses dedicated infrastructure to obtain the key needed to decrypt the payload.

Further analysis revealed HellHounds’ use of a modified version of another open-source program, 3snake, to obtain credentials on hosts running Linux.


In at least two instances, the adversary gained initial access to the victims’ infrastructure through a contractor using compromised Secure Shell (SSH) login credentials, Positive Technologies said.

The attackers have long been able to maintain a presence inside key organizations based in Russia, the researchers said.

“Although virtually all of the Hellhounds toolkit is based on open-source projects, the attackers have done a pretty good job of modifying it to bypass malware defenses and ensure a long, stealthy presence within compromised organizations.”
