DOGCALL is a Trojan that may rely on disguises to get onto a targeted operating system. As for its targets, the masterminds behind this malware appear to have built it to attack high-level institutions and organizations whose compromise is most likely to affect a specific government. Initially, the malware appears to have been used in attacks against the government of South Korea, but it has since been used in attacks against the governments of Japan, Vietnam, and the Middle East, and new targets may well be chosen in the future. Given that the attackers appear to originate from North Korea, the likely targets are those the state regards as its enemies. Whatever the situation, DOGCALL must be deleted if it gets in. Unfortunately, removing this malware is the hard part; securing the operating system against attackers beforehand is much easier.
If DOGCALL is detected on an operating system, there is a good chance that other infections exist as well, because the group that controls this malware is known to employ other types of malware too. For example, a malware downloader might be the initial infection, used in turn to fetch keyloggers, backdoors, and RATs (remote access tools), the category DOGCALL belongs to. As the name of the category suggests, this type of malware grants remote access, and if cybercriminals can access a system unnoticed, they gain a better understanding of it and an easier route to whatever it is they want. According to our research team, the RAT, which is also known as “ROKRAT”, can capture screenshots. These could be used, for example, to record the credentials entered during login and to capture other sensitive and important information. When a screenshot is taken, information about the system (e.g., OS version, computer name, user name) is attached to it before it is sent to the attackers.
DOGCALL has been active since at least 2012, so it is no surprise that the malware has evolved. In the past, it used Twitter for C&C communication and the Mediafire cloud storage service to send stolen information to. Most recently, information was being sent to Dropbox, pCloud, and Yandex cloud storage accounts that were undoubtedly owned by cybercriminals. This is where the captured screenshots were sent so that the attackers could analyze them and extract the information they needed. Could the attackers also use DOGCALL to drop and execute files hidden in the same cloud storage accounts? That is a possibility, and yet another reason to inspect the operating system for additional malware whenever the RAT is discovered. Unfortunately, traditional malware detection measures might be helpless against this RAT because it is capable of evading detection. Considering that government-connected systems are likely to be well protected, it is shocking that this malware could have gotten in at all, and unnerving that it can potentially remain undetected.
It is hard to say where DOGCALL could have been dropped, but it is important to find the launcher file because that is most likely where the threat operates from. Deleting the infection is only one part of the job; it is also important to clear the system of the other dangerous threats that are likely to be present. Most important of all is that the system is protected. If the RAT got in, the security of that system most likely needs to be overhauled. Once the system is protected and DOGCALL has been removed, stay away from spam emails, malicious downloaders, misleading pop-ups, and fake alerts to keep yourself guarded. Also, do not forget to patch security vulnerabilities by installing all updates, and secure your system with trustworthy anti-malware software.