At the end of April, Infoblox’s Threat Intelligence Group was the first to discover a toolkit, coined “Decoy Dog,” and is collaborating with other security vendors, as well as customers, to disrupt this activity, identify the attack vector, and secure global networks. The critical insight is that DNS anomalies measured over time not only surfaced the RAT, but ultimately tied together seemingly independent C2 communications. A technical analysis of Infoblox’s findings is here.
The following C2 domains are known at the time of writing, and we urge organizations to block them: claudfront[.]net, allowlisted[.]net, atlas-upd[.]com, ads-tm-glb[.]click, cbox4[.]ignorelist[.]com, hsdps[.]cc
Infoblox Threat Intelligence catches covert communications and emerging threats: Such discoveries highlight the inherent gaps in threat intelligence and why deep expertise in DNS intelligence is needed to fill them. The Infoblox Threat Intelligence Group specializes in the discovery of threats in DNS data, conducting original research, and performing customer-relevant threat hunting, specifically generating unique intelligence from customer data. The team uses a wide array of data and deep technical expertise, specifically expertise in DNS, to identify emerging and persistent threats. This enables Infoblox to get ahead of open-source threat intelligence feeds and protect our customers as early as possible. The results of this discovery and curation form the basis of Infoblox Response Policy Zones (RPZs) that are used to protect customer networks during DNS resolution (blocking at the DNS layer) as well as for use in third-party security tools via seamless threat intelligence data sharing.
Protective DNS as a foundational strategy: Using Protective DNS solutions, like BloxOne Threat Defense, to detect and block communications with such malicious/C&C domains immediately helps minimize risk from suspicious/emergent domains.
Recommended action for BloxOne Threat Defense customers: If you have not already implemented the suspicious domain feeds, take action to apply this crucial data set to mitigate the risk of this and other related C2 attacks.
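As an added illustration, not Infoblox code or product logic, the Python below checks DNS query-log entries against the C2 domains listed above (matching any host under them, but not unrelated names under the shared ignorelist[.]com parent) and emits the BIND RPZ records that would return NXDOMAIN for them; the BIND-style log format and the sample lines are constructed.

```python
import re
# Decoy Dog C2 domains named in the post (defanging brackets removed so they match).
DECOY_DOG_C2 = frozenset({
    "claudfront.net", "allowlisted.net", "atlas-upd.com",
    "ads-tm-glb.click", "cbox4.ignorelist.com", "hsdps.cc",
})
# BIND-style query log: "client [@ptr] IP#port (name): query: name IN type ..."
_QUERY_RE = re.compile(r"client (?:@\S+ )?(\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: (\S+) IN ")

def matches_c2(qname, indicators=DECOY_DOG_C2):
    """Return the indicator qname equals or sits under, else None.
    Walking parent suffixes catches any host under a listed zone, while other
    names under a shared parent (the ignorelist.com dynamic-DNS provider) stay
    clean, because only cbox4.ignorelist.com is on the list.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None

def scan_query_log(lines):
    """Return (client_ip, queried_name, matched_indicator) for each C2 hit."""
    hits = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if m:
            client, qname = m.groups()
            hit = matches_c2(qname)
            if hit:
                hits.append((client, qname.rstrip(".").lower(), hit))
    return hits

def rpz_records(indicators=DECOY_DOG_C2):
    """RPZ records that answer NXDOMAIN for each domain and everything under it."""
    return [rec for d in sorted(indicators) for rec in (f"{d} CNAME .", f"*.{d} CNAME .")]

# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = [
    "client @0x7f1 10.0.0.5#51234 (claudfront.net): query: claudfront.net IN A + (10.0.0.1)",
    "client @0x7f2 10.0.0.7#40001 (x9.hsdps.cc): query: x9.hsdps.cc IN TXT + (10.0.0.1)",
    "client @0x7f3 10.0.0.9#40002 (other.ignorelist.com): query: other.ignorelist.com IN A + (10.0.0.1)",
    "client @0x7f4 10.0.0.9#40003 (www.example.com): query: www.example.com IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    for client, qname, hit in scan_query_log(SAMPLE_LOG):
        print(f"C2 lookup from {client}: {qname} (matches {hit})")
```

Feeding the RPZ records into a response policy zone on your own resolver gives the same DNS-layer blocking the post describes for BloxOne Threat Defense.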