EXECUTIVE SUMMARY:
The Detour Dog malware campaign has significantly evolved, transitioning from simple website redirects to complex malware distribution via DNS infrastructure. This threat leverages DNS TXT records to hijack websites globally, facilitating the stealthy deployment of the Strela Stealer information-stealing malware. The campaign's low-profile nature and reliance on DNS-based delivery mechanisms make it challenging to detect and mitigate using traditional security measures.
Detour Dog's approach involves embedding malicious payloads within DNS TXT records, which are then retrieved by compromised websites. These sites serve as conduits for delivering the Strela Stealer malware, facilitating the exfiltration of sensitive information. Notably, the malware has been associated with other malicious tools, including the StarFish backdoor, REM Proxy, and Toseef botnet, forming a complex attack chain. The Strela Stealer is primarily distributed through spam emails, with the malware's infrastructure being hosted on domains controlled by Detour Dog.
The Detour Dog campaign exemplifies a significant shift in cyberattack methodologies, utilizing DNS infrastructure for malware distribution and command-and-control operations. Organizations should implement DNS-layer security measures, monitor for unusual DNS traffic patterns, and ensure that their DNS configurations are secure to defend against such sophisticated threats. Given the evolving nature of this campaign, continuous vigilance and adaptive security strategies are essential to mitigate potential risks.
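The summary recommends monitoring for unusual DNS traffic, and the delivery mechanism it describes (payloads carried in TXT answers, fetched repeatedly by compromised web servers) gives two concrete things a resolver log can be checked for. The following is an added example, not code or data from the report: it runs two simple detections over a constructed resolver log. Every hostname, IP address and payload in it is made up (the `.invalid` TLD is a placeholder); the log line format, the thresholds and the function names are assumptions for this example.

```python
import base64
import math
import re
from collections import Counter

# Constructed resolver log. Format assumed for this example:
#   <timestamp> <client_ip> <qname> <qtype> <answer>
# The TXT blob is built with b64encode so it is a well-formed base64 string.
PAYLOAD_B64 = base64.b64encode(b"http://payload.invalid/stage2.js").decode()
SAMPLE_LOG = "\n".join([
    '2024-05-01T10:00:01Z 10.1.2.3 example.com TXT "v=spf1 include:_spf.example.com -all"',
    '2024-05-01T10:00:02Z 10.1.2.3 _dmarc.example.com TXT "v=DMARC1; p=reject"',
    f'2024-05-01T10:00:05Z 10.1.2.9 lookup.attacker-controlled.invalid TXT "{PAYLOAD_B64}"',
    f'2024-05-01T10:00:06Z 10.1.2.9 lookup.attacker-controlled.invalid TXT "{PAYLOAD_B64}"',
    f'2024-05-01T10:00:07Z 10.1.2.9 lookup.attacker-controlled.invalid TXT "{PAYLOAD_B64}"',
    f'2024-05-01T10:00:08Z 10.1.2.9 lookup.attacker-controlled.invalid TXT "{PAYLOAD_B64}"',
    '2024-05-01T10:00:09Z 10.1.2.3 www.example.com A 93.184.216.34',
])

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"?(.*?)"?$')
B64_RE = re.compile(r'^[A-Za-z0-9+/]{20,}={0,2}$')
REPEAT_THRESHOLD = 3  # assumed: same client asking the same TXT name this often is worth a look


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype, answer = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower(),
            "qtype": qtype.upper(), "answer": answer}


def shannon_entropy(s):
    """Bits per character; reported alongside a finding to help an analyst triage it."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def decode_if_base64_text(answer):
    """Return decoded text when the TXT answer is a base64 blob that decodes to
    printable ASCII (e.g. a URL or script stub); otherwise None. Legitimate SPF,
    DMARC and verification records contain spaces or '=' mid-string and are skipped."""
    if not B64_RE.match(answer):
        return None
    try:
        raw = base64.b64decode(answer, validate=True)
        text = raw.decode("ascii")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return text if text.isprintable() else None


def analyze(log_text):
    """Run both detections over the log and return a list of finding dicts."""
    records = [r for r in map(parse_line, log_text.splitlines())
               if r and r["qtype"] == "TXT"]
    findings, seen = [], set()
    # Rule 1: TXT answer that is a decodable base64 text payload (one finding per unique tuple).
    for r in records:
        decoded = decode_if_base64_text(r["answer"])
        if decoded is None:
            continue
        key = (r["client"], r["qname"], r["answer"])
        if key in seen:
            continue
        seen.add(key)
        findings.append({"rule": "encoded_txt_payload", "client": r["client"],
                         "qname": r["qname"],
                         "entropy": round(shannon_entropy(r["answer"]), 2),
                         "decoded": decoded})
    # Rule 2: the same client repeatedly resolving the same TXT name (polling for instructions).
    repeats = Counter((r["client"], r["qname"]) for r in records)
    for (client, qname), n in repeats.items():
        if n >= REPEAT_THRESHOLD:
            findings.append({"rule": "repeated_txt_lookup", "client": client,
                             "qname": qname, "count": n})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Both rules are deliberately coarse. Rule 1 will not catch payloads that are encrypted or split across several records, and rule 2 needs a sensible window in production (here the whole log counts as one window); the value of the example is in showing that the TXT answer body and the per-client query pattern are the two fields worth retaining from resolver logs for this kind of campaign.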
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-technique |
Execution | T1204.002 | User Execution | Malicious File |
Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
Credential Access | T1003.002 | OS Credential Dumping | Security Account Manager |
Command and Control | T1071.004 | Application Layer Protocol | DNS |
Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
MBC MAPPING:
Objective | Behavior ID | Behavior |
Anti-Behavioral Analysis | B0001 | Debugger Detection |
Anti-Static Analysis | B0032 | Executable Code Obfuscation |
Collection | E1113 | Screen Capture |
Collection | F0002 | Keylogging |
Command and Control | B0030 | C2 Communication |
Defense Evasion | F0001 | Software Packing |
Discovery | B0013 | Analysis Tool Discovery |
Discovery | E1082 | System Information Discovery |
Exfiltration | E1020 | Automated Exfiltration |
Persistence | F0012 | Registry Run Keys / Startup Folder |
REFERENCES:
The following reports contain further technical details: