June 5, 2024
Severity
High
Analysis Summary
Cyberattacks targeting Russian enterprises have been observed distributing a Windows variant of the malware known as Decoy Dog. Researchers track the activity cluster under the name Operation Lahat and attribute it to the HellHounds advanced persistent threat (APT) group.
HellHounds selects organizations, breaches their networks, and remains hidden for years. Its main initial-access vectors are trusted relationships (for example, contractors with access to the target) and vulnerable internet-facing services. Researchers first published information about HellHounds in late November 2023, after Decoy Dog compromised an undisclosed power company. So far, 48 confirmed victims in Russia have been identified, including government agencies, telecom providers, IT companies, and space-sector firms.
Development of the malware began as early as November 2019, and there is evidence that the threat actor has been targeting Russian companies since at least 2021. In April 2023, researchers found that Decoy Dog, a heavily customized version of the open-source Pupy remote access trojan, used DNS tunneling to communicate with its command-and-control (C2) server and to remotely control compromised hosts. Because the implant's traffic is carried inside DNS queries and responses, it can reach its controller through the organization's own recursive resolvers even where direct outbound connections are blocked, which makes resolver logs the primary place to look for it.
A noteworthy capability is moving victims from one controller to another, which lets the operators keep contact with compromised systems and stay undetected for long periods. At the time of the April 2023 research, the toolset had only been seen on Linux systems, and only in Russia and Eastern Europe, although the researchers hinted at a possible Windows version.
All of the samples available then targeted Linux, but references to Windows in the code suggested that an updated Windows client carrying the new Decoy Dog features existed. The most recent research confirms this: a Windows counterpart of Decoy Dog almost certainly exists. It is deployed on mission-critical hosts through a loader that contacts dedicated infrastructure to retrieve the key needed to decrypt the payload, so a payload recovered from disk cannot be decrypted without that key.
Subsequent investigation revealed that HellHounds uses a modified version of 3snake, another open-source tool, to harvest credentials on Linux hosts. In at least two incidents the adversary used compromised Secure Shell (SSH) credentials belonging to a contractor to gain initial access to the victims' infrastructure.
The attackers have remained inside important Russian organizations for a considerable time. The HellHounds toolkit is almost entirely derived from open-source projects, but the operators have modified it enough to evade antivirus protection and maintain a long-term covert presence inside affected organizations.
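The DNS-tunneling behaviour described above is the most reliable network observable for Decoy Dog, because a tunnelled C2 channel looks like a stream of queries for ever-changing, data-carrying subdomains of one controller domain. The following detector is an added example written for this advisory; it is not code from the researchers or from the HellHounds toolset. It profiles each registered domain in a resolver log and flags those whose subdomain labels are long, high-entropy and rarely repeated. The log line format (`<epoch> <client> <qtype> <qname>`), the sample log, the `c2-example.test` controller domain, and the thresholds are all assumptions made for the example.

```python
"""Heuristic detector for DNS-tunnelled C2 of the kind Decoy Dog uses.

Added example, not code from the advisory or the researchers. The resolver
log format, the thresholds and the sample data are assumptions.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log: three ordinary lookups from one client and five
# TXT queries from another whose first label carries 32 hex characters of data.
SAMPLE_LOG = """\
1717570001 10.0.0.5 A www.example.com
1717570002 10.0.0.5 A mail.example.com
1717570003 10.0.0.9 TXT 6a9f3c2b1d8e7f0a4b5c6d7e8f901234.c2-example.test
1717570004 10.0.0.9 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2-example.test
1717570005 10.0.0.9 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-example.test
1717570006 10.0.0.9 TXT 1234abcd5678ef90aabbccddeeff0011.c2-example.test
1717570007 10.0.0.9 TXT deadbeefcafef00d0123456789abcdef.c2-example.test
1717570008 10.0.0.5 AAAA cdn.example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")
DATA_QTYPES = {"TXT", "NULL", "CNAME"}  # record types with room for a payload in the answer


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex tends toward 4.0, plain host names sit well below 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (registered domain, subdomain). Assumes a two-label registered
    domain; a public-suffix list is needed to handle names such as co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(log_text: str) -> Dict[str, Dict[str, float]]:
    """Per registered domain: query count, distinct-subdomain ratio, mean label
    length, mean label entropy and the share of payload-capable query types."""
    raw = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0, "ent": 0.0, "data": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        domain, sub = split_name(m["qname"])
        payload = sub.replace(".", "")  # the bytes the client chose, dots removed
        st = raw[domain]
        st["queries"] += 1
        st["subs"].add(sub)
        st["len"] += len(payload)
        st["ent"] += shannon_entropy(payload)
        st["data"] += m["qtype"] in DATA_QTYPES
    profile = {}
    for domain, st in raw.items():
        q = st["queries"]
        profile[domain] = {
            "queries": q,
            "distinct_ratio": len(st["subs"]) / q,
            "mean_len": st["len"] / q,
            "mean_entropy": st["ent"] / q,
            "data_qtype_ratio": st["data"] / q,
        }
    return profile


def tunnel_suspects(log_text: str, min_queries: int = 5, min_len: float = 20.0,
                    min_entropy: float = 3.0, min_distinct: float = 0.8) -> List[str]:
    """Domains that combine volume, long labels, high entropy and little repetition."""
    hits = []
    for domain, p in profile_domains(log_text).items():
        if (p["queries"] >= min_queries and p["mean_len"] >= min_len
                and p["mean_entropy"] >= min_entropy and p["distinct_ratio"] >= min_distinct):
            hits.append(domain)
    return sorted(hits)


if __name__ == "__main__":
    profiles = profile_domains(SAMPLE_LOG)
    for d in tunnel_suspects(SAMPLE_LOG):
        p = profiles[d]
        print(f"{d}: {p['queries']} queries, mean label length {p['mean_len']:.0f}, "
              f"entropy {p['mean_entropy']:.2f}, TXT/NULL/CNAME share {p['data_qtype_ratio']:.0%}")
```

Run it over real resolver logs per client rather than per domain as well, since a single implant produces the pattern from one source address. Expect false positives from services that legitimately encode hashes or tokens in DNS labels (reputation lookups, some CDN and anti-spam services); allowlist those by registered domain rather than loosening the thresholds.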
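The public 3snake tool that HellHounds adapted harvests credentials by attaching to sshd and sudo with ptrace and reading them out of process memory; the advisory says only that the group's copy is a modified version, so this example assumes the same mechanism. While a tracer is attached, the Linux kernel reports its PID in the `TracerPid` field of `/proc/<pid>/status` (0 when nothing is attached), which gives a cheap host-side check. The script below is an added example, not code from the advisory or the researchers; the watch list of process names and the sample status excerpts are assumptions made for the demonstration.

```python
"""Spot processes with plaintext credentials in memory that have a ptrace tracer attached.

Added example, not code from the advisory. Assumes the modified 3snake still
works like the public tool (ptrace attach to sshd/sudo); WATCHED and the
sample status files are assumptions for the demonstration.
"""
import os
from typing import Dict, List, Tuple

# Processes that handle plaintext credentials at some point in their lifetime.
WATCHED = {"sshd", "sudo", "su", "login", "passwd"}

# Constructed /proc/<pid>/status excerpts containing only the fields used here.
SAMPLE_TRACED = "Name:\tsshd\nState:\tt (tracing stop)\nPid:\t1234\nPPid:\t1\nTracerPid:\t4321\nUid:\t0\t0\t0\t0\n"
SAMPLE_CLEAN = "Name:\tsshd\nState:\tS (sleeping)\nPid:\t1235\nPPid:\t1\nTracerPid:\t0\nUid:\t0\t0\t0\t0\n"
SAMPLE_OTHER = "Name:\tpython3\nState:\tt (tracing stop)\nPid:\t2000\nPPid:\t1999\nTracerPid:\t2001\n"


def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_traced(status: Dict[str, str], watched=WATCHED) -> Tuple[bool, str]:
    """True when a watched process currently has a ptrace tracer attached."""
    name = status.get("Name", "")
    try:
        tracer = int(status.get("TracerPid", "0"))
    except ValueError:
        tracer = 0
    if tracer and name in watched:
        return True, f"{name} pid {status.get('Pid', '?')} is being traced by pid {tracer}"
    return False, ""


def tracer_identity(proc_root: str, tracer_pid: int) -> str:
    """Best-effort name of the tracer for the alert text (it may already have detached)."""
    try:
        with open(os.path.join(proc_root, str(tracer_pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "unknown (exited or not readable)"


def scan_proc(proc_root: str = "/proc", watched=WATCHED) -> List[str]:
    """Walk every numeric entry under proc_root and report traced watched processes."""
    if not os.path.isdir(proc_root):
        return []
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                status = parse_status(fh.read())
        except OSError:
            continue  # process exited between listdir and open, or not permitted
        traced, why = is_traced(status, watched)
        if traced:
            findings.append(f"{why} ({tracer_identity(proc_root, int(status['TracerPid']))})")
    return findings


if __name__ == "__main__":
    for finding in scan_proc() or ["no watched process is currently traced"]:
        print(finding)
```

Run it as root so every `status` file is readable, and run it repeatedly: a harvester only needs to be attached while a login is in progress. An administrator's `strace` or `gdb` on sshd produces the same finding, so treat a hit as something to explain, not an automatic verdict. Tightening `kernel.yama.ptrace_scope` limits unprivileged tracing but does not stop a tool that already runs as root, which is why this is a detection rather than a preventive control.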
Impact
- Credential Theft
- Unauthorized Access
- Exposure of Sensitive Data
Indicators of Compromise
Domain Name
- nsdps.cc
- rcsmf100.net
- dw-filter.com
- net-sensors.net
IP
- 31.184.204.42
MD5
- 7e0c85852b2cd932626fcf284ca72978
- 2c016c91181d4182a16845725bf0b315
- 4479cc492fa443af1461ebd768dcd1c3
- ef6c7eb5518d58bc0b921d37265b0db4
- 3dc4391eb6170c26336938839246022f
- 321e4b64bcedc76a89cca86853d30c09
- 9200c356b485ca61ec88258f0800657a
- b8932033b53ca08967100c58e12126be
SHA-256
- 9a977571296ae1548c32df94be75eec2a414798bee7064b0bf44859e886a0cfa
- 4d30fd05c3bdac792e0a011892e2cad02818436484e81b6de6a02928149bc92d
- e27d1bab901c1bb414d0849c5c132faa8c7c6a61357d9627a7d2785270034793
- 31b21de71f2162e8da1be8483f3a5d019b0c817832bc11a9f307b6b36821ca54
- 18d4a3a92b24b2ad75115a44fe2727081316eca346499a4aa00aa13713cf00cb
- 9a96c7b0595f628027c4f4caeece475ef742c420adf2fde8df934c6ce6481fb5
- d9a8151aff9d1c061826a9812ed9a6600805c74a519df333513fd4a79d2d4e61
- 07fe71b256c1c913b0f3e3fa67e53d21a3d1f499beb4e550597f5743797a77c4
SHA-1
- c8ccf6e20cde537f3da64aebd1f80b144a4c8e0a
- 2be016b6b0dd9d57f2985a6ad0df85f5538d9623
- 5ebf1dbcd5e16bcd4695777a7931ff4dc13d586a
- c0fd9928b1755c047529a0b91517882bf74bc5e4
- c4ef4c518c44eda803200b8f9d080c0f1ff3ed15
- b1fceda9a56d17fd1520105a6d52fdf868c4cead
- dc76c7586e1946ac120111d3a35937526a7cf140
- 6f30131181d81129c2f59d050214f47a6eedabbe
Remediation
- Block all threat indicators listed above at your respective controls (DNS resolvers, proxies, firewalls, and endpoint tools).
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls; because Decoy Dog communicates over DNS, include resolver logs and look for subdomains of the listed domains, not only exact matches.
- Review and restrict third-party and contractor access, especially over SSH: rotate any shared or long-lived credentials, limit where contractor accounts may log in from, and audit their sessions, since compromised contractor SSH credentials were the initial-access vector in at least two known incidents.
- Ensure all operating systems and software are up to date with the latest security patches, so that vulnerable internet-facing services cannot serve as the entry point.
- Employ reliable antivirus and antimalware software to detect and block known threats, and keep it updated with the latest threat intelligence.
- Implement an intrusion detection and prevention system (IDPS) to detect and prevent unusual network activity or system behaviour, including DNS tunneling.
- Enable two-factor authentication (2FA) on accounts; it adds an extra layer of security and can prevent unauthorized access even if login credentials have been stolen.
- Regularly back up important data so that critical information is not lost in the event of a malware infection or other data-loss event.
- Be wary of emails, attachments, and links from unknown sources, and avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware via phishing emails.
- Segment your network to limit lateral movement by attackers.
- Employ application whitelisting so that only approved software can run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring to detect unusual or suspicious activity such as unauthorized access attempts or data exfiltration, and establish an effective incident response plan to respond to and contain breaches quickly.
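The first two remediation items, blocking and hunting for the indicators listed above, are the ones most teams script. The sweep below is an added example written for this advisory, not code from the researchers or from any vendor tool: it matches the published domains (including their subdomains) and IP against log lines, and matches file digests against the published MD5, SHA-1 and SHA-256 sets. The indicator values are the ones listed above; the log lines are constructed for the demonstration and do not describe real traffic.

```python
"""IOC sweep for the HellHounds / Decoy Dog indicators published in this advisory.

Added example, not part of the advisory or the researchers' tooling. The
sample log lines are constructed; the indicator values are the published ones.
"""
import hashlib
import re
from typing import Dict, List

IOC_DOMAINS = {"nsdps.cc", "rcsmf100.net", "dw-filter.com", "net-sensors.net"}
IOC_IPS = {"31.184.204.42"}
IOC_HASHES = {
    "md5": {
        "7e0c85852b2cd932626fcf284ca72978", "2c016c91181d4182a16845725bf0b315",
        "4479cc492fa443af1461ebd768dcd1c3", "ef6c7eb5518d58bc0b921d37265b0db4",
        "3dc4391eb6170c26336938839246022f", "321e4b64bcedc76a89cca86853d30c09",
        "9200c356b485ca61ec88258f0800657a", "b8932033b53ca08967100c58e12126be",
    },
    "sha1": {
        "c8ccf6e20cde537f3da64aebd1f80b144a4c8e0a", "2be016b6b0dd9d57f2985a6ad0df85f5538d9623",
        "5ebf1dbcd5e16bcd4695777a7931ff4dc13d586a", "c0fd9928b1755c047529a0b91517882bf74bc5e4",
        "c4ef4c518c44eda803200b8f9d080c0f1ff3ed15", "b1fceda9a56d17fd1520105a6d52fdf868c4cead",
        "dc76c7586e1946ac120111d3a35937526a7cf140", "6f30131181d81129c2f59d050214f47a6eedabbe",
    },
    "sha256": {
        "9a977571296ae1548c32df94be75eec2a414798bee7064b0bf44859e886a0cfa",
        "4d30fd05c3bdac792e0a011892e2cad02818436484e81b6de6a02928149bc92d",
        "e27d1bab901c1bb414d0849c5c132faa8c7c6a61357d9627a7d2785270034793",
        "31b21de71f2162e8da1be8483f3a5d019b0c817832bc11a9f307b6b36821ca54",
        "18d4a3a92b24b2ad75115a44fe2727081316eca346499a4aa00aa13713cf00cb",
        "9a96c7b0595f628027c4f4caeece475ef742c420adf2fde8df934c6ce6481fb5",
        "d9a8151aff9d1c061826a9812ed9a6600805c74a519df333513fd4a79d2d4e61",
        "07fe71b256c1c913b0f3e3fa67e53d21a3d1f499beb4e550597f5743797a77c4",
    },
}

# Constructed log lines (DNS, firewall, proxy) for the demonstration.
SAMPLE_LINES = [
    "2024-06-05T10:14:02Z dns client=10.0.0.7 qtype=A qname=www.example.com",
    "2024-06-05T10:14:09Z dns client=10.0.0.7 qtype=TXT qname=a1b2c3.update.nsdps.cc",
    "2024-06-05T10:15:30Z fw action=allow src=10.0.0.7:51422 dst=31.184.204.42:53 proto=udp",
    "2024-06-05T10:16:00Z proxy client=10.0.0.8 url=https://www.example.org/index.html",
]

HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_network_hits(lines: List[str]) -> List[Dict[str, object]]:
    """Report every host name equal to or under an IOC domain, and every IOC IP."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            host = host.lower().rstrip(".")
            for dom in IOC_DOMAINS:
                if host == dom or host.endswith("." + dom):  # subdomains count too
                    hits.append({"line": lineno, "type": "domain", "ioc": dom, "observed": host})
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append({"line": lineno, "type": "ip", "ioc": ip, "observed": ip})
    return hits


def hash_bytes(data: bytes) -> Dict[str, str]:
    """All three digests of an in-memory blob."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hash_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """All three digests of a file, read in chunks so large files do not fill memory."""
    digests = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {alg: d.hexdigest() for alg, d in digests.items()}


def match_hashes(digests: Dict[str, str]) -> List[str]:
    """Names of the algorithms whose digest appears in the published IOC set."""
    return [alg for alg, val in digests.items() if val.lower() in IOC_HASHES.get(alg, set())]


if __name__ == "__main__":
    for hit in find_network_hits(SAMPLE_LINES):
        print(f"line {hit['line']}: {hit['type']} IOC {hit['ioc']} observed as {hit['observed']}")
    print("constructed blob matches:", match_hashes(hash_bytes(b"abc")))
```

Feed `find_network_hits` the raw lines of resolver, proxy and flow logs, and `hash_file` the files your EDR or a filesystem walk turns up; a hit on any one algorithm is enough to escalate. A clean sweep means only that these particular samples and infrastructure were not seen, not that the environment is clean, since the group retools and moves victims between controllers.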