Post AY3Pw7LOlfduESvCs4 by knitcode@infosec.exchange
Post #AY3Pw5xbud1JwOmh9c by knitcode@infosec.exchange
2023-07-25T13:12:04Z
0 likes, 1 repeats
A few months ago I posted about a DNS malware C2 we had discovered, Decoy Dog, that was based on Pupy, had been undetected for over a year, and had some inexplicable behavior. We hoped the community would easily find the infected devices based on the info we provided. No such luck. Since then we have used DNS to learn an astonishing amount about the operations. Once we realized Decoy Dog was more advanced than Pupy, and we saw how the actors responded to our original releases, we went back to the binaries. Today we released an in-depth technical analysis of Decoy Dog, a Pupy research data set, and a new YARA rule. This is the exec summary. Link to the full technical paper and other tidbits in the comments. #dns #threatintel #malware #decoydog #rat #c2 #infoblox #datascience #threatresearch https://blogs.infoblox.com/cyber-threat-intelligence/decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns/
Post #AY3Pw7LOlfduESvCs4 by knitcode@infosec.exchange
2023-07-25T13:12:54Z
0 likes, 0 repeats
Full technical paper here. You'll want a beverage or two. lol. https://www.infoblox.com/resources/whitepaper/decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns
Post #AY3Pw8bO5i1i8LPUQq by knitcode@infosec.exchange
2023-07-25T13:14:26Z
0 likes, 0 repeats
One reason I love DNS so much for intel is that you have to infer what is going on… in malware, it’s hard to figure out, but it is all there.
Post #AY3Pw8cS1ksSBduL5c by knitcode@infosec.exchange
2023-07-25T13:14:03Z
0 likes, 0 repeats
I’m less worried about who is using it now than who is using it next. We are monitoring 21 controllers.
Post #AY3Pw8iTfLhKUKj9U0 by knitcode@infosec.exchange
2023-07-25T13:13:29Z
0 likes, 0 repeats
Looks like two developers. We’re putting money that the second stole it from the first. Malware folks could look at the code and weigh in.
Post #AY3Pw8kxW7gOc1t8Lo by knitcode@infosec.exchange
2023-07-25T13:13:15Z
0 likes, 0 repeats
If someone wants to finish reverse engineering the samples and share it with the community, that’d be great ;) In particular, I think we understand how the “emergency domain” DGAs work, but I’d love to verify that.