Russian Power Companies, IT Firms, and Govt Agencies Hit by Decoy Dog Trojan

Russian organizations are the targets of cyber attacks that have been found to deploy a Windows version of a trojan dubbed Decoy Dog.

Cybersecurity firm Positive Technologies is tracking the activity cluster under the name Operation Lahat, attributing it to an advanced persistent threat (APT) group dubbed HellHounds.

"The Hellhounds group compromises organizations they select and gains a foothold on their networks, remaining undetected for years," security researchers Aleksandr Grigorian and Stanislav Pyzhov stated. "In doing so, the group leverages primary compromise vectors, from vulnerable web services to trusted relationships."

HellHounds was first documented by the company in late November 2023, following the compromise of an unnamed power utility with the Decoy Dog trojan. The group is said to have infected 48 victims in Russia so far, including IT companies, government agencies, space industry enterprises, and telecom operators.

There is evidence showing that the threat actor has been targeting Russian organizations since at least 2021, with the creation of the malware beginning as far back as November 2019.

Details of Decoy Dog, a modified derivative of the open-source Pupy RAT, surfaced in April 2023, when Infoblox revealed the malware's use of DNS tunneling for communication with its command-and-control (C2) server in order to remotely control infected systems.

A notable characteristic of the malware is its ability to move victims from one controller to another, enabling the threat actors to maintain communication with infected machines and remain hidden for extended periods of time.
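As an added defensive illustration (not code from the Positive Technologies or Infoblox reports), the heuristic below flags DNS tunneling candidates in constructed query-log lines by counting distinct high-entropy subdomain prefixes under one registered domain. The log format, the thresholds and the `c2-placeholder.test` domain are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log lines: "timestamp client qname qtype".
# Not real traffic from the incidents described in the article; the
# c2-placeholder.test domain is a placeholder, not a reported indicator.
SAMPLE_LOG = """\
2024-06-04T10:00:01Z 10.1.2.5 www.example.com A
2024-06-04T10:00:02Z 10.1.2.5 mail.example.com A
2024-06-04T10:00:03Z 10.1.2.7 3f9a1c7e2b8d4e6f0a1b2c3d4e5f6a7b.c2-placeholder.test TXT
2024-06-04T10:00:04Z 10.1.2.7 9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a.c2-placeholder.test TXT
2024-06-04T10:00:05Z 10.1.2.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.c2-placeholder.test TXT
2024-06-04T10:00:06Z 10.1.2.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-placeholder.test TXT
2024-06-04T10:00:07Z 10.1.2.9 cdn.example.com A
"""

def shannon_entropy(s):
    """Bits per character; encoded data scores high, dictionary labels low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname):
    # Assumption: the last two labels are the registered domain. A real
    # deployment would use the public suffix list instead.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text):
    """Return (timestamp, client, qname, qtype) tuples from the log text."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def score_domains(records, min_entropy=3.0, min_len=20, min_unique=3):
    """Map registered domain -> count of distinct encoded-looking subdomain
    prefixes seen under it, keeping only domains at or above min_unique."""
    suspicious = defaultdict(set)
    for _, _, qname, _ in records:
        domain = registered_domain(qname)
        prefix = qname[: -len(domain) - 1] if len(qname) > len(domain) else ""
        if len(prefix) >= min_len and shannon_entropy(prefix) >= min_entropy:
            suspicious[domain].add(prefix)
    return {d: len(p) for d, p in suspicious.items() if len(p) >= min_unique}

if __name__ == "__main__":
    for domain, count in score_domains(parse_log(SAMPLE_LOG)).items():
        print(f"possible DNS tunneling: {count} encoded labels under {domain}")
```

Ordinary hostnames such as `www` or `mail` fall below both the length and entropy thresholds, so only the domain receiving many unique encoded prefixes is reported.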

Attacks employing the sophisticated toolkit have so far been largely confined to Russia and Eastern Europe and have exclusively targeted Linux systems, but Infoblox had hinted at the possibility of a Windows version.

"References to Windows in the code hint toward the existence of an updated Windows client that includes the new Decoy Dog capabilities, although all of the current samples are targeting Linux," Infoblox stated back in July 2023.

The latest findings from Positive Technologies all but confirm the existence of a Windows version of Decoy Dog, which is delivered to mission-critical hosts by means of a loader that uses dedicated infrastructure to retrieve the key for decrypting the payload.

Further analysis has identified HellHounds' use of a modified version of another open-source tool known as 3snake to collect credentials on Linux systems.

Positive Technologies reported that in at least two cases, the adversary managed to gain initial access to victims' infrastructure through a contractor, using compromised Secure Shell (SSH) login credentials.

"The attackers have long been able to maintain their presence inside critical organizations located in Russia," the experts added.

"Although virtually all of the Hellhounds toolkit is based on open-source projects, the attackers have done a fairly good job modifying it to bypass malware defenses and ensure prolonged covert presence inside compromised organizations."
