Cyber security firm Positive Technologies is tracking a series of cyber-attacks, dubbed Operation Lahat, that it attributes to an advanced persistent threat (APT) group called HellHounds.
According to researchers Aleksandr Grigorian and Stanislav Pyzhov, HellHounds infiltrates selected organizations and maintains a presence in their networks, undetected, for extended periods. Initial access is gained through various methods, ranging from exploitation of vulnerable web services to abuse of trusted relationships.
Positive Technologies first observed HellHounds in late November 2023, after an unnamed power company was compromised with the Decoy Dog trojan. The group has targeted 48 victims in Russia so far, including IT companies, government entities, space industry companies and telecommunications providers.
Evidence suggests the threat actor has focused on Russian organizations since at least 2021, and that the malware was created as early as November 2019.
Decoy Dog, a customized variant of the publicly available Pupy RAT, first came to light in April 2023, when Infoblox documented its use of DNS tunneling to communicate with its command-and-control (C2) server and manage infected systems.
The malware has a notable feature that lets operators move victims between controllers, which allows the threat actors to keep communicating with compromised hosts unnoticed for long periods. Attacks linked to this toolkit have primarily targeted Russia and Eastern Europe, and the samples seen to date have targeted Linux systems exclusively. Infoblox has, however, hinted that a Windows version might be in development: in July 2023 it noted references to Windows in the code, suggesting an updated Windows client with new Decoy Dog capabilities, even though all current samples were built for Linux.
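Because Decoy Dog's C2 channel rides on DNS, the practical detection question is how to spot tunneling in resolver logs. The script below is an added example written for this page; it is not code from the article, Positive Technologies or Infoblox, and it does not reproduce any real Decoy Dog indicator. The log lines, client addresses and the domain `tunnel-example.net` are constructed placeholders, and the four indicator thresholds (unique-subdomain ratio, longest label length, subdomain entropy, share of bulk record types such as TXT) are heuristic starting points to tune against your own baseline, not published detection rules.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log for illustration only; the client addresses,
# domains and labels are made up and are not indicators from the article.
# Format per line: <client-ip> <qname> <qtype>
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 cdn.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 aGVsbG8gd29ybGQ.k3.tunnel-example.net TXT
10.0.0.7 dGhpcyBpcyBhIHRlc3Q.k4.tunnel-example.net TXT
10.0.0.7 c2Vzc2lvbi1pZD0xMjM0.k5.tunnel-example.net TXT
10.0.0.7 ZXhmaWwtY2h1bmstMDAx.k6.tunnel-example.net TXT
10.0.0.7 ZXhmaWwtY2h1bmstMDAy.k7.tunnel-example.net TXT
10.0.0.5 www.example.com A
"""

# Record types commonly abused to carry bulk data back to the infected host.
BULK_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded payloads score high, plain words low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive registered-domain cut (last two labels). A real deployment should
    use the Public Suffix List so that names like host.co.uk group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname, qtype) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].rstrip("."), parts[2].upper()


def score_domains(records, min_queries: int = 3):
    """Aggregate queries per registered domain and score four tunneling
    indicators. Thresholds are heuristic and should be tuned per environment."""
    agg = defaultdict(lambda: {"queries": 0, "subs": set(), "label": [], "ent": [], "bulk": 0})
    for _client, qname, qtype in records:
        dom = registered_domain(qname)
        st = agg[dom]
        sub = qname[: len(qname) - len(dom)].rstrip(".")  # everything left of the domain
        st["queries"] += 1
        st["subs"].add(sub.lower())
        st["label"].append(max((len(lbl) for lbl in sub.split(".")), default=0))
        st["ent"].append(shannon_entropy(sub.replace(".", "")))
        st["bulk"] += int(qtype in BULK_QTYPES)

    result = {}
    for dom, st in agg.items():
        n = st["queries"]
        if n < min_queries:  # too few queries to judge
            continue
        unique_ratio = len(st["subs"]) / n      # tunnels rarely repeat a subdomain
        mean_label = sum(st["label"]) / n       # encoded chunks make long labels
        mean_ent = sum(st["ent"]) / n           # base64-like text has high entropy
        bulk_ratio = st["bulk"] / n             # TXT/NULL/CNAME carry the downlink
        score = (unique_ratio >= 0.8) + (mean_label >= 12) + (mean_ent >= 3.0) + (bulk_ratio >= 0.5)
        result[dom] = {
            "queries": n,
            "unique_ratio": round(unique_ratio, 2),
            "mean_label": round(mean_label, 1),
            "mean_entropy": round(mean_ent, 2),
            "bulk_ratio": round(bulk_ratio, 2),
            "score": int(score),
        }
    return result


def flagged_domains(text: str, threshold: int = 3):
    """Registered domains whose indicator score reaches the threshold."""
    scores = score_domains(parse_log(text))
    return sorted(d for d, s in scores.items() if s["score"] >= threshold)


if __name__ == "__main__":
    for dom, s in score_domains(parse_log(SAMPLE_LOG)).items():
        print(dom, s)
    print("flagged:", flagged_domains(SAMPLE_LOG))
```

On the constructed log, `example.com` scores 0 on all four indicators while `tunnel-example.net` scores 4, so only the latter is flagged. Scoring per registered domain rather than per full query name matters: a tunnel's individual names are never repeated, so any per-name frequency rule would miss it, and grouping by client as well (the `_client` field) is the natural next step for catching a host that the operators have moved to a new controller domain.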
The latest findings from Positive Technologies strongly suggest that a Windows counterpart of Decoy Dog does exist. This version is delivered to critical hosts through a loader that relies on dedicated infrastructure to fetch the key needed to decrypt the payload. Further investigation revealed that HellHounds has adapted the open-source tool 3snake to harvest credentials from Linux hosts. Positive Technologies also reported that in at least two incidents the adversary gained access to the victims' infrastructure using compromised Secure Shell (SSH) login credentials obtained through a contractor. The researchers noted that the attackers have maintained a persistent presence within critical organizations in Russia for some time. Although the toolkit is built mostly on open-source projects, HellHounds has customized it effectively to evade malware defenses and sustain long-lasting covert operations within compromised entities.