Threat Intelligence Report
Date: August 19, 2024
Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS
This year, the HYAS Threat Intelligence team has been tracking the use of the Steam gaming platform by threat actors to host command and control (C2) domain addresses, leveraging Steam user accounts to facilitate malicious activity. By inputting an IP or domain name into the Steam user account, the malware can fetch that particular user's details and receive a destination for C2, or exfiltration.
We came across a threat actor that went further to hide their C2 domains by using a simple form of encryption known as a “Substitution Cipher.” This blog post will detail how the cipher works, the IOCs we’ve identified, and email addresses used for domain registration by the actor.
A substitution cipher is one of the oldest and simplest methods of encryption. It involves substituting each letter in the plaintext (the original message) with another letter, number, or symbol according to a fixed system. The result is a ciphertext, which appears as a scrambled or encoded version of the original message. The key to deciphering the message is understanding the specific substitution rule that was applied.
(Image: Caesar Cipher Wheel, source: wikipedia.org)
In a simple substitution cipher, each letter of the plaintext is replaced by another letter. A common example is the Caesar cipher, named after Julius Caesar, who reportedly used this method to communicate securely. In a Caesar cipher, each letter is shifted a fixed number of places down or up the alphabet. For example, with a shift of 3:
A becomes D
B becomes E
C becomes F
and so on…
If the plaintext is "HELLO," a Caesar cipher with a shift of 3 would encode it as "KHOOR". This technique would also be referred to as ROT3, indicating a rotation of three letters.
If this is a simple rotation cipher, then we only need to find the right shift out of 26 possibilities. There are websites like CyberChef that can perform tasks like this, but why would we use them when we can write Python?
def decode_value(string):
    output = ''
    for rot in range(26):
        for char in string:
            if char.isalpha():
                # Shift within the matching case range, wrapping at 26
                base = ord('a') if char.islower() else ord('A')
                new_char = chr((ord(char) - base + rot) % 26 + base)
                output += new_char
            else:
                # Non-letters (such as '.') pass through unchanged
                new_char = char
                output += new_char
        print(f'-ROT{rot}: {output}')
        output = ''

decode_value('epyyejdufixk.dsza')
1. Looping through rotations (rot in range(26)):
The code tests all possible Caesar cipher rotations from 0 to 25. Each rotation represents a possible shift of the alphabet.
2. Checking if the character is alphabetic (char.isalpha()):
The function checks if the character is a letter. If it is, it applies the rotation. If it’s not a letter (like a period .), it leaves the character unchanged.
3. Calculating the new character:
The calculation (ord(char) - base + rot) % 26 + base shifts the character by rot positions in the alphabet. The modulo operation % 26 ensures that the shifting wraps around the alphabet (e.g., shifting z by 1 would become a).
4. Resetting the output string:
After printing the result of each rotation, the output string is reset to start fresh for the next rotation.
When you run this function with the encoded string "epyyejdufixk.dsza", it will print all possible rotations, showing how the encoded text would look with each Caesar cipher shift. If successful, one of these outputs will match the original plaintext.
When the script is run, it prints each possible rotation of the letters, from no change up to 25 shifts:
The output of the script reveals a valid TLD at ROT15: 'tenntysjuxmz[.]shop.' This discovery is significant as it uncovers a new IOC, potentially linked to ongoing malicious campaigns.
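Reading 26 lines by eye works for one string, but the check described above (does a rotation yield a real TLD?) can be automated. The following is an added example, not code from the HYAS report: it keeps only rotations that decode to a syntactically valid domain ending in a TLD from an assumed, constructed allow-list (a real public-suffix list would be used in practice), and defangs the result the way the report does.

```python
import re
from typing import List, Tuple

# Assumed TLD allow-list for this example; swap in a public-suffix list in practice.
KNOWN_TLDS = {"com", "net", "org", "shop", "xyz", "info", "eu", "io"}

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def rotate(text: str, rot: int) -> str:
    """Shift every ASCII letter by `rot` places, leaving other characters alone."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + rot) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def looks_like_domain(candidate: str) -> bool:
    """True if every label is DNS-valid and the last label is a TLD we know."""
    labels = candidate.lower().split(".")
    if len(labels) < 2:
        return False
    return all(LABEL_RE.match(lbl) for lbl in labels) and labels[-1] in KNOWN_TLDS


def recover_domains(ciphertext: str) -> List[Tuple[int, str]]:
    """Try all 26 rotations and keep only those that decode to a plausible domain."""
    return [(rot, rotate(ciphertext, rot))
            for rot in range(26)
            if looks_like_domain(rotate(ciphertext, rot))]


def defang(domain: str) -> str:
    """Render a domain safely for reports, as the blog does with inbox[.]eu."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    # Ciphertext taken from the report.
    for rot, plain in recover_domains("epyyejdufixk.dsza"):
        print(f"ROT{rot}: {defang(plain)}")
```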
Our HYAS Insight threat intelligence solution identified a large number (771) of Lumma stealer malware samples associated with this domain. It is protected by Cloudflare and uses Cloudflare nameservers. The domain was registered with dynadot.com. What’s interesting is that this domain appears in malware alongside other domains for which HYAS Insight holds registration details. We can pivot off the registrant email addresses we found to get a list of the domains they have registered.
yugipur-uje60@inbox[.]eu
nupimi-radi88@inbox[.]eu
There are several interesting patterns to identify in the domains and email addresses. Both email addresses use inbox[.]eu and follow the same shape: a seemingly random string, a hyphen, a few more letters, and two digits. The domains follow a similar pattern: a dictionary word followed by a run of seemingly random letters.
It’s also hard to ignore the rapid succession with which these domains were created. Together this suggests a level of automation in the generation of names and email addresses, likely through a domain generation algorithm. Along with sharing the same ROT15 technique, the consistent patterns in domain registrations and email addresses strongly suggest they are controlled by the same actor, likely of Russian origin. Further investigation and monitoring of these IOCs are recommended to mitigate potential threats.
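The two signals described above (the registrant-handle shape and the burst of registrations within minutes) can be scored programmatically. This is an added example, not HYAS code: it groups a constructed subset of the report's registration rows by registrant, measures the creation-time span of each group, and flags registrants that match the `word-word00@inbox[.]eu` shape and registered several domains inside one window.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Registrant-handle shape described in the report: letters, hyphen, letters, two digits, at inbox[.]eu.
REGISTRANT_RE = re.compile(r"^[a-z]+-[a-z]+[0-9]{2}@inbox\[\.\]eu$")

# Constructed subset of the report's registration table: (domain, registrant, created).
SAMPLE_ROWS: List[Tuple[str, str, str]] = [
    ("flockkydwos.shop", "yugipur-uje60@inbox[.]eu", "2024-06-27T17:16:06Z"),
    ("closedjuruwk.shop", "yugipur-uje60@inbox[.]eu", "2024-06-27T16:58:45Z"),
    ("potterryisiw.shop", "yugipur-uje60@inbox[.]eu", "2024-06-27T16:59:01Z"),
    ("watchpotentioalbkewo.shop", "nupimi-radi88@inbox[.]eu", "2024-06-27T11:52:41Z"),
    ("extorteauhhwigw.shop", "nupimi-radi88@inbox[.]eu", "2024-06-27T11:51:05Z"),
    ("bindstrawwypenumatiws.shop", "nupimi-radi88@inbox[.]eu", "2024-06-27T11:54:42Z"),
]


def parse_created(ts: str) -> datetime:
    """Parse the registry's ISO-8601 UTC timestamp (trailing 'Z')."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def cluster_by_registrant(rows) -> Dict[str, dict]:
    """Group domains by registrant and measure how tightly in time each group was created.

    Returns {registrant: {"domains": [...], "span_seconds": int, "pattern_match": bool}}.
    """
    clusters: Dict[str, dict] = {}
    for domain, registrant, created in rows:
        c = clusters.setdefault(registrant, {"domains": [], "times": []})
        c["domains"].append(domain)
        c["times"].append(parse_created(created))
    for registrant, c in clusters.items():
        times = c.pop("times")
        c["span_seconds"] = int((max(times) - min(times)).total_seconds())
        c["pattern_match"] = REGISTRANT_RE.match(registrant) is not None
    return clusters


def burst_registrants(rows, max_span_seconds: int = 3600, min_domains: int = 3) -> List[str]:
    """Registrants matching the handle pattern who registered >= min_domains within one window."""
    return sorted(
        r for r, c in cluster_by_registrant(rows).items()
        if c["pattern_match"] and len(c["domains"]) >= min_domains
        and c["span_seconds"] <= max_span_seconds
    )
```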
Domain | Registrant | Registrar | City | Created
flockkydwos.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T17:16:06Z
pedestriankodwu.xyz | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T17:16:02Z
arritswpoewroso.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T17:16:06Z
penetratedpoopp.xyz | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T17:16:02Z
closedjuruwk.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T16:58:45Z
groundsmooors.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T16:58:54Z
insticntclodwop.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T16:58:45Z
atonishingjwu.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T16:58:51Z
bishopinnv.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T16:58:51Z
toppledhaemw.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T17:16:06Z
rocketpotsww.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T16:58:45Z
potterryisiw.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T16:59:01Z
ellaboratepwsz.xyz | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T17:16:02Z
swellfrrgwwos.xyz | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T17:16:02Z
timetablepdodwp.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T16:58:55Z
innovationows.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T17:16:06Z
foodypannyjsud.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T16:58:48Z
towerxxuytwi.xyz | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T17:16:02Z
palacecirwoos.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T16:59:00Z
contintnetksows.shop | yugipur-uje60@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T16:59:04Z
watchpotentioalbkewo.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:52:41Z
seeatatignowartws.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:52:41Z
extorteauhhwigw.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:51:05Z
bindstrawwypenumatiws.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:54:42Z
bedroomgrassydwus.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:52:41Z
assignmentygassdyw.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:54:45Z
bitchsafettyudjwu.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:51:03Z
broccolydecidesrbeb.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:50:59Z
eaglecheastdiesow.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:52:40Z
dueamuggyshkowsv.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:54:42Z
piedsiggnycliquieaw.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:51:15Z
exporttearryliveedko.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:52:43Z
citizencenturygoodwk.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:51:16Z
circulatebilebrattwko.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:51:08Z
invisibledovereats.shop | nupimi-radi88@inbox[.]eu | pdr ltd. d/b/a publicdomainregistry.com | moscow | 2024-06-27T11:52:41Z
Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.