Russian organizations are facing cyber attacks delivering a Windows version of malware known as Decoy Dog.
According to cybersecurity company Positive Technologies, these attacks are part of an operation named Lahat, carried out by an advanced persistent threat group named HellHounds.
Researchers Aleksandr Grigorian and Stanislav Pyzhov stated, “The Hellhounds group infiltrates selected organizations and maintains access to their networks undetected for prolonged periods. They use various tactics, including compromising vulnerable web services and exploiting trusted relationships.”
HellHounds was initially identified by Positive Technologies in November 2023 after a power company in Russia fell victim to the Decoy Dog trojan. The group has targeted 48 entities in Russia, including IT firms, government agencies, space industry companies, and telecom providers.
Evidence suggests that Russian organizations have been under attack by this threat actor since at least 2021, with the development of the malware starting as early as November 2019.
Decoy Dog, a customized version of the open-source Pupy RAT, was first publicly documented by Infoblox in April 2023. It uses DNS tunneling to communicate with its command-and-control server, so the operators can control infected hosts remotely over a channel that is usually allowed to leave the network.
The malware can transfer victims between controllers, enabling the threat actors to maintain communication with compromised machines and remain hidden for extended periods.
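The paragraph above describes the C2 channel only in general terms. As an added example (not code from Positive Technologies, Infoblox, or Decoy Dog itself), the script below shows the kind of heuristic a defender can run over resolver logs to surface DNS tunneling: per registered domain it counts unique subdomains and measures their average length and Shannon entropy, since encoded command traffic tends to produce many long, high-entropy labels under one base domain. The log format, the `tunnel-c2.test` domain, the sample lines and the thresholds are all constructed assumptions; Decoy Dog's real query structure is not on this page and the script does not claim to match it.

```python
import math
from collections import defaultdict

# Constructed resolver log sample (not real traffic): "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2024-06-03T10:00:01Z 10.0.0.5 A www.example.com
2024-06-03T10:00:02Z 10.0.0.5 A mail.example.com
2024-06-03T10:00:02Z 10.0.0.9 AAAA www.example.com
2024-06-03T10:00:03Z 10.0.0.7 TXT q7m2x9vb3kd0tz5lpr1w.h4.tunnel-c2.test
2024-06-03T10:00:04Z 10.0.0.7 TXT n8c3yfe1ug6oaj2hs7vk.h4.tunnel-c2.test
2024-06-03T10:00:05Z 10.0.0.7 TXT b5r0dwx4qt9mz1ce6lpi.h5.tunnel-c2.test
2024-06-03T10:00:06Z 10.0.0.7 TXT k2v7ja8ns3hx0yq5ug1e.h5.tunnel-c2.test
2024-06-03T10:00:07Z 10.0.0.7 TXT w9t1fm6cz4bo2rl8xd3p.h6.tunnel-c2.test
2024-06-03T10:00:08Z 10.0.0.7 TXT e4h8pq2sy7nk1vt6ma0c.h6.tunnel-c2.test
2024-06-03T10:00:09Z 10.0.0.5 A cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one constructed log line into (client, qtype, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return client, qtype.upper(), qname.rstrip(".").lower()


def split_name(qname: str):
    """Return (subdomain, base) where base is the last two labels.
    Assumption for the example: two-label registered domains. A real deployment
    should use the Public Suffix List so names like host.example.co.uk split correctly."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_domains(log_text: str, min_unique=5, min_mean_len=16, min_entropy=3.5):
    """Aggregate queries per base domain and return {base: stats} for domains
    whose subdomain labels look like encoded data. Thresholds are illustrative."""
    per_base = defaultdict(lambda: {"subdomains": set(), "queries": 0, "txt": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        _client, qtype, qname = rec
        sub, base = split_name(qname)
        st = per_base[base]
        st["queries"] += 1
        if qtype in ("TXT", "NULL"):  # record types often used to carry tunneled data
            st["txt"] += 1
        if sub:
            st["subdomains"].add(sub)

    flagged = {}
    for base, st in per_base.items():
        subs = st["subdomains"]
        if len(subs) < min_unique:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_len >= min_mean_len and mean_ent >= min_entropy:
            flagged[base] = {
                "unique_subdomains": len(subs),
                "mean_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "txt_ratio": round(st["txt"] / st["queries"], 2),  # informational only
            }
    return flagged


if __name__ == "__main__":
    for base, stats in score_domains(SAMPLE_LOG).items():
        print(f"suspicious base domain {base}: {stats}")
```

On the constructed sample, `tunnel-c2.test` is flagged (six unique 23-character subdomains, entropy above 4 bits per character, all TXT queries) while `example.com` is not. The `txt_ratio` is reported but not required, because tunnels can also ride on A/AAAA/CNAME lookups; tune the thresholds against your own baseline, and expect CDNs and some telemetry services to produce long random-looking labels legitimately, so treat a hit as a lead for triage rather than a verdict.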
Although the attacks mainly target Russia and Eastern Europe and primarily focus on Linux systems, the code itself contained hints of a Windows build. Infoblox noted the likely existence of a Windows client in July 2023.
Positive Technologies’ latest findings confirm that a Windows version of Decoy Dog exists. It is delivered to critical hosts through a loader that relies on dedicated infrastructure to decrypt the payload.
Furthermore, HellHounds are using a modified version of 3snake to extract credentials from Linux hosts.
Positive Technologies also reported that in at least two cases the threat actor gained initial access to the victims’ infrastructure through a contractor, using the contractor’s compromised Secure Shell (SSH) login credentials.
The researchers stated, “The HellHounds group has maintained a presence within critical Russian organizations for an extended period, despite most of their toolkit being based on open-source projects. They have adapted it effectively to evade detection and operate covertly within compromised entities.”