Russian Firms Under Cyberattack: HellHounds APT Deploys Decoy Dog Malware
Gain valuable insights into the cyber threats Russian companies are facing from the HellHounds group, which is using the Decoy Dog malware. Take immediate action to strengthen the security of the company against sophisticated cyberattacks.

- Cybersecurity researchers discovered that sophisticated Decoy Dog malware connected to the HellHounds APT group was targeting Russian companies.
- Using versions of the Decoy Dog malware, HellHounds has compromised 48 Russian organizations, underscoring the need for strong cybersecurity defenses.
Researchers have identified cyberattacks on Russian firms involving a sophisticated Windows variant of Decoy Dog malware. These attacks are a part of “Operation Lahat,” linked to the HellHounds advanced persistent threat (APT) group. Using web service vulnerabilities and trusted network connections, HellHounds specializes in stealthily penetrating targeted enterprises and maintaining prolonged access. Their operations were initially revealed in November 2023 following the detection of the Decoy Dog trojan within a power company.
HellHounds has breached 48 Russian institutions, including telecom providers, IT corporations, government agencies, and space industry businesses. The group has been developing its malware since November 2019 and appears to have focused on Russian businesses since at least 2021.
Based on the open-source Pupy RAT, Decoy Dog uses DNS tunneling to connect to its command-and-control (C2) servers to grant remote access to compromised systems. Its key feature involves the seamless transfer between controllers, ensuring continuous connectivity and avoiding detection.
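Decoy Dog's DNS-tunneled C2 channel is the trait a defender can hunt for in resolver logs. The following is an added example, not code from the article or from any vendor research behind it: it groups DNS queries by parent domain and scores each on three generic tunneling indicators (many unique subdomains, high-entropy labels, a high share of TXT queries). The log lines, the `c2-placeholder.test` domain and the thresholds are constructed for illustration.

```python
import math
from collections import Counter, defaultdict
# Constructed sample DNS query log (not real traffic): "time client qname qtype".
# The reserved ".test" TLD stands in for a tunneling C2 domain; example.com is benign noise.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com A
10:00:03 10.0.0.7 8f3a9c1d2e.4b7c6d5e9f0a1b2c.c2-placeholder.test TXT
10:00:04 10.0.0.7 a1b2c3d4e5.f6e7d8c9b0a1b2c3.c2-placeholder.test TXT
10:00:05 10.0.0.7 9e8d7c6b5a.1a2b3c4d5e6f7a8b.c2-placeholder.test TXT
10:00:06 10.0.0.7 0f1e2d3c4b.5a6b7c8d9e0f1a2b.c2-placeholder.test TXT
10:00:07 10.0.0.9 cdn.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data chunks score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parent_domain(qname: str) -> str:
    """Last two labels; production code would consult a public-suffix list (assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text: str):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield {"client": parts[1], "qname": parts[2].lower(), "qtype": parts[3].upper()}

def score_domains(text, min_unique=3, entropy_min=3.0, txt_ratio_min=0.5, min_reasons=2):
    """Return {parent_domain: reasons} for domains tripping >= min_reasons heuristics."""
    by_parent = defaultdict(list)
    for rec in parse_log(text):
        by_parent[parent_domain(rec["qname"])].append(rec)
    flagged = {}
    for parent, recs in by_parent.items():
        subs = {r["qname"][: -len(parent) - 1] for r in recs if r["qname"] != parent}
        labels = [lab for s in subs for lab in s.split(".") if lab]
        reasons = []
        if len(subs) >= min_unique:            # many distinct subdomains = data in queries
            reasons.append(f"{len(subs)} unique subdomains")
        if labels and sum(map(shannon_entropy, labels)) / len(labels) >= entropy_min:
            reasons.append("high-entropy labels")  # encoded payload chunks, not hostnames
        if sum(r["qtype"] == "TXT" for r in recs) / len(recs) >= txt_ratio_min:
            reasons.append("mostly TXT queries")   # TXT answers carry larger downstream data
        if len(reasons) >= min_reasons:
            flagged[parent] = reasons
    return flagged
```

Requiring two independent indicators keeps a busy legitimate zone with many hostnames (like the `example.com` lines above) from being flagged on subdomain count alone.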
The Decoy Dog attacks initially targeted Linux systems in Russia and Eastern Europe. A cybersecurity firm had hinted at a Windows variant in July 2023, and one was later discovered. The Windows version is delivered via a loader that relies on specific infrastructure to obtain the decryption key for the payload. Further investigation found that HellHounds uses a modified version of 3snake to harvest login credentials on Linux systems. On at least two occasions the attackers obtained initial access using Secure Shell (SSH) credentials taken from contractors.
Security researchers have unveiled the group’s capability to sustain a persistent presence within crucial organizations. HellHounds modifies open-source tools to bypass malware defenses, ensuring extended covert operations. Robust cybersecurity measures are necessary, especially for high-risk industries facing the ongoing threat from HellHounds.
As cyberattacks become more intricate and frequent, enterprises must adopt a proactive approach to enhance their cybersecurity defenses and mitigate the risks of these evolving threats.