Enterprise networks are being targeted by a sneaky new malware

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Cybersecurity researchers from Infoblox’s Threat Intelligence Group have found a new remote access trojan (RAT) lurking in corporate networks around the world and claim it’s been operating in secret for roughly a year. 

The researchers named the RAT Pupy, and were able to trace its toolkit back to Russia, and now believe a state-sponsored attacker is behind the campaign.

In a press release, Infoblox’s researchers said they found a critical security threat communicating with a malware toolkit dubbed “Decoy Dog”. 


Protecting your business from the biggest threats online

Protecting your business from the biggest threats online
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?) 

Russian IP

This toolkit communicates with a Russian IP and targets organizations around the world - the US, Europe, South America, and Asia. Companies being targeted with this new RAT include those in technology, healthcare, energy, financial and other sectors.

The RAT is “not your generic consumer device threat”, mostly because of how difficult it was to detect any activity on the compromised endpoints. 

“This C2 communication was very hard to find, due to a small amount of data queries in a large pool of DNS data,” the researchers claim. “This RAT uses DNS as a C2 channel through which the malicious actor has control of the internal devices.”

Pupy is an open-source project, the researchers further claim, saying that it’s been “consistently associated” with nation-state actors. 

The identity of the attackers, as well as the nature of the compromise, is unknown at the time, Infoblox said, and added that it’s currently working with other cybersecurity vendors to uncover these details, as well.

“Organisations with protective DNS are able to block these domains immediately, mitigating their risk while they continue to investigate further,” the report concludes. Here’s a list of C2 domains that should be blocked, to mitigate potential risks

  • claudfront[.]net
  • allowlisted[.]net
  • atlas-upd[.]com
  • ads-tm-glb[.]click
  • cbox4[.]ignorelist[.]com
  • hsdps[.]cc
TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.