
Modern Malware | Echoes of Rome: Leveraging Ancient Tactics

Written by David Brunsdon | August 19, 2024

Threat Intelligence Report

Date: August 19, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

This year, the HYAS Threat Intelligence team has been tracking threat actors who use the Steam gaming platform to host command and control (C2) addresses, turning ordinary Steam user accounts into a lookup service for their malware. The actor places an IP address or domain name in a Steam user profile; the malware fetches that profile, extracts the value, and uses it as its C2 or exfiltration destination. Because the profile is public, legitimate web content, the lookup blends in with normal traffic and the destination can be changed without touching the malware (the technique is commonly called a dead drop resolver).

We came across a threat actor who went a step further, hiding the C2 domain in the profile with one of the simplest forms of encryption there is: a substitution cipher. This blog post details how the cipher works, how we reversed it, the IOCs we identified, and the email addresses the actor used to register domains.

What Is a Substitution Cipher?

A substitution cipher is one of the oldest and simplest methods of encryption. It involves substituting each letter in the plaintext (the original message) with another letter, number, or symbol according to a fixed system. The result is a ciphertext, which appears as a scrambled or encoded version of the original message. The key to deciphering the message is understanding the specific substitution rule that was applied.



(Image: Caesar Cipher Wheel, source: wikipedia.org)

Timeless Tactics: The Efficiency of Simplicity

In a simple substitution cipher, each letter of the plaintext is replaced by another letter. A common example is the Caesar cipher, named after Julius Caesar, who reportedly used this method to communicate securely. In a Caesar cipher, each letter is shifted a fixed number of places down or up the alphabet. For example, with a shift of 3:

A becomes D
B becomes E
C becomes F
and so on…

If the plaintext is "HELLO," a Caesar cipher with a shift of 3 encodes it as "KHOOR". This particular shift is also referred to as ROT3, indicating a rotation of three letters; ROT13 is the best-known member of the family.

Examination of the String

epyyejdufixk[.]dsza

When presented with a string believed to be encoded or encrypted, study its characteristics closely to narrow down the method that was used. If the value has only been encoded, it can be reversed without any secret. If it has been encrypted, one would need to find (or guess) the key; for a Caesar cipher that is at most 26 guesses, so in practice it is no harder than an encoding.

When we examine the string ‘epyyejdufixk.dsza,’ we noticed several important characteristics:

1. It’s all lower-case English alphabet.

2. Hex is a popular method of encoding data, but hex is restricted to the characters 0-9 and A-F. Our string contains letters well past F, so it is definitely not hex.

3. Base64 uses a fairly even mix of lowercase, uppercase, and numeric characters, and the latter two are absent from our string; the '.' is not part of the base64 alphabet either. It's almost certainly not base64.

4. From previous experience, we already suspected a domain or IP would be used here. Given the position of the '.', this could be a domain name: a twelve-character label followed by a four-character top-level domain (TLD).

If this is a Caesar (shift) cipher, then there are only 26 possible shifts to try, and one of them is the identity. A general substitution cipher would have a far larger key space (any permutation of the alphabet), but the domain-like shape of the string makes the simplest case worth trying first. There are websites like CyberChef that can perform tasks like this, but why would we use them when we can write Python?

def decode_value(string):
    output = ''
    for rot in range(26):                      # try every possible shift, 0..25
        for char in string:
            if char.isalpha():
                base = ord('a') if char.islower() else ord('A')
                # shift within the alphabet, wrapping from z back to a
                new_char = chr((ord(char) - base + rot) % 26 + base)
                output += new_char
            else:
                new_char = char                # non-letters (the '.') pass through unchanged
                output += new_char
        print(f'-ROT{rot}: {output}')
        output = ''                            # reset for the next rotation

decode_value('epyyejdufixk.dsza')


Explanation of the Code

1. Looping through rotations (rot in range(26)):
The code tests all possible Caesar cipher rotations from 0 to 25. Each rotation represents a possible shift of the alphabet.

2. Checking if the character is alphabetic (char.isalpha()):
The function checks if the character is a letter. If it is, it applies the rotation. If it’s not a letter (like a period .), it leaves the character unchanged.

3. Calculating the new character:
The calculation (ord(char) - base + rot) % 26 + base shifts the character by rot positions in the alphabet. The modulo operation % 26 ensures that the shifting wraps around the alphabet (e.g., shifting z by 1 would become a).

4. Resetting the output string:
After printing the result of each rotation, the output string is reset to start fresh for the next rotation.

Revealing a New IOC

When you run this function with the encoded string "epyyejdufixk.dsza", it will print all possible rotations, showing how the encoded text would look with each Caesar cipher shift. If successful, one of these outputs will match the original plaintext.

When the script is run, it prints one candidate per line, from no change (ROT0) through a shift of 25. Only one of the candidates ends in something that reads as a real TLD.

The output of the script reveals a valid TLD at ROT15: tenntysjuxmz[.]shop. This is a new IOC, potentially linked to ongoing malicious campaigns. Note that a shift of 15 on the decode side means the actor applied a shift of 11 (26 - 15) when encoding the domain.
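The following is an added example, not code from the original report, that turns the manual triage above (charset checks, then a brute-force of all 26 shifts) into a reusable routine. Instead of eyeballing the 26 candidates, it keeps only those whose last label is a known TLD, so the decode shift can be recovered automatically. The TLD shortlist is a constructed assumption for the example; a production tool would load the full IANA TLD list. The string "epyyejdufixk.dsza" and the expected result tenntysjuxmz.shop come from the report.

```python
import string

# Constructed shortlist of TLDs used to score candidates (an assumption for this
# example; a production tool would load the full IANA TLD list instead).
KNOWN_TLDS = {"com", "net", "org", "xyz", "shop", "top", "site", "online", "ru", "eu"}


def classify_charset(s: str) -> str:
    """Coarse triage of the character set, mirroring the manual checks above.
    Order matters: a string made only of a-f letters would pass the hex test."""
    body = s.replace(".", "")                    # treat '.' as a separator
    if body and all(c in string.hexdigits for c in body):
        return "hex"
    if "." not in s and all(c.isalnum() or c in "+/=" for c in s) \
            and any(c.isupper() or c.isdigit() for c in s):
        return "base64-like"
    if body.isalpha() and body.islower():
        return "lowercase-alpha"                 # shift-cipher candidate
    return "unknown"


def rotate(s: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` places, wrapping within the alphabet.
    Non-letters such as '.' pass through unchanged, so label boundaries survive."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def brute_force_shift(ciphertext: str):
    """Try all 26 shifts and keep the candidates whose last label is a known TLD.
    Returns a list of (decode_shift, plaintext); shift 0 covers an unencoded value."""
    hits = []
    for shift in range(26):
        candidate = rotate(ciphertext, shift)
        tld = candidate.rsplit(".", 1)[-1] if "." in candidate else ""
        if tld in KNOWN_TLDS:
            hits.append((shift, candidate))
    return hits


def decode_c2(value: str):
    """Full triage: classify first, brute force only when a shift cipher is plausible."""
    kind = classify_charset(value)
    if kind != "lowercase-alpha":
        return kind, []
    return kind, brute_force_shift(value)


if __name__ == "__main__":
    kind, hits = decode_c2("epyyejdufixk.dsza")          # string from the report
    print(kind, hits)                                     # lowercase-alpha [(15, 'tenntysjuxmz.shop')]
    # The actor's encode shift is the complement of the decode shift: 26 - 15 = 11.
    print(rotate("tenntysjuxmz.shop", 11))                # epyyejdufixk.dsza
```

Scoring on the TLD rather than on English-looking text is deliberate: the second-level labels in this campaign are deliberately random, so a frequency-analysis approach would not separate the right shift from the wrong ones, but the TLD is always a real word from a small set.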

Pivot from tenntysjuxmz[.]shop

Our HYAS Insight threat intelligence solution identified 771 Lumma stealer malware samples associated with this domain. The domain sits behind Cloudflare and uses Cloudflare nameservers, and it was registered through dynadot.com. What makes it useful as a pivot is that it appears in malware alongside other domains for which HYAS Insight holds registration details. Pivoting on the registrant email addresses of those domains gives us a list of everything else those registrants created.

Domain Registration Emails Identified

yugipur-uje60@inbox[.]eu
nupimi-radi88@inbox[.]eu

There are several patterns to note in the domains and email addresses. Both email addresses use inbox[.]eu and follow the same shape: a run of seemingly random letters, a hyphen, a few more letters and two digits. The domains likewise each start with a dictionary word (often misspelled) that runs into a tail of random letters.

It's also hard to ignore how quickly the domains were created: each registrant's domains were created within minutes of one another on 2024-06-27. Together this suggests automated generation of both the names and the email addresses, likely by a domain generation algorithm. Along with the shared ROT15 technique, the consistent registration and email patterns strongly suggest the domains are controlled by the same actor, likely of Russian origin given that every registration record lists Moscow as the registrant city. Further investigation and monitoring of these IOCs are recommended to mitigate potential threats.
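The three observations above (throwaway-looking registrant addresses, word-plus-random domain names, and bursts of registrations minutes apart) can be turned into a hunting check over registration data. The following is an added example, not part of the original report: it runs those heuristics over a constructed sample made of a few rows copied from the IOC table below plus one made-up control row (example-legit-site.com, webmaster@example.com) that should not be flagged. The word list and the 30-minute window are assumptions chosen for the example; a real deployment would use a proper dictionary and tune the window against its own registration feed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of rows from the IOC table in this report, plus one
# made-up control row (example-legit-site.com) that should not be flagged.
SAMPLE_RECORDS = [
    ("flockkydwos.shop",          "yugipur-uje60@inbox.eu", "2024-06-27T17:16:06Z"),
    ("pedestriankodwu.xyz",       "yugipur-uje60@inbox.eu", "2024-06-27T17:16:02Z"),
    ("closedjuruwk.shop",         "yugipur-uje60@inbox.eu", "2024-06-27T16:58:45Z"),
    ("groundsmooors.shop",        "yugipur-uje60@inbox.eu", "2024-06-27T16:58:54Z"),
    ("watchpotentioalbkewo.shop", "nupimi-radi88@inbox.eu", "2024-06-27T11:52:41Z"),
    ("extorteauhhwigw.shop",      "nupimi-radi88@inbox.eu", "2024-06-27T11:51:05Z"),
    ("broccolydecidesrbeb.shop",  "nupimi-radi88@inbox.eu", "2024-06-27T11:50:59Z"),
    ("assignmentygassdyw.shop",   "nupimi-radi88@inbox.eu", "2024-06-27T11:54:45Z"),
    ("example-legit-site.com",    "webmaster@example.com",  "2024-06-01T09:00:00Z"),
]

# Shape of the two registrant addresses in the report: letters, hyphen, letters, two digits.
REGISTRANT_EMAIL_RE = re.compile(r"^[a-z]+-[a-z]+\d{2}@inbox\.eu$")

# Tiny constructed word list standing in for a real dictionary (assumption).
WORDLIST = {"flock", "pedestrian", "closed", "ground", "watch", "extort", "assignment"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def looks_like_throwaway_registrant(email: str) -> bool:
    return bool(REGISTRANT_EMAIL_RE.match(email))


def split_word_prefix(domain: str):
    """Return (word, random_suffix) when the second-level label starts with a
    dictionary word followed by extra letters, else None."""
    sld = domain.split(".")[0]
    for word in sorted(WORDLIST, key=len, reverse=True):   # longest match first
        if sld.startswith(word) and len(sld) > len(word):
            return word, sld[len(word):]
    return None


def registration_bursts(records, min_domains=3, window=timedelta(minutes=30)):
    """Group registrations by registrant email and flag any registrant with at
    least `min_domains` creations inside a sliding `window`.
    Returns {email: (total_domains, span_seconds_first_to_last)}."""
    by_email = defaultdict(list)
    for domain, email, created in records:
        by_email[email].append((parse_ts(created), domain))
    flagged = {}
    for email, entries in by_email.items():
        entries.sort()
        best, j = 0, 0
        for i in range(len(entries)):
            while entries[i][0] - entries[j][0] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_domains:
            span = int((entries[-1][0] - entries[0][0]).total_seconds())
            flagged[email] = (len(entries), span)
    return flagged


def triage(records):
    """Combine the three heuristics into one summary per flagged registrant."""
    report = {}
    for email, (count, span) in registration_bursts(records).items():
        domains = [d for d, e, _ in records if e == email]
        report[email] = {
            "domains": count,
            "span_seconds": span,
            "throwaway_email": looks_like_throwaway_registrant(email),
            "word_plus_random": sum(1 for d in domains if split_word_prefix(d)),
        }
    return report


if __name__ == "__main__":
    for email, info in triage(SAMPLE_RECORDS).items():
        print(email, info)
```

On the sample, both inbox[.]eu registrants are flagged (four domains each, created within 1041 and 226 seconds respectively) while the control registrant is not; the burst check alone is the strongest signal, and the naming heuristics are best used to rank flagged registrants rather than to flag on their own.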

IOC List

The pivot domain tenntysjuxmz[.]shop (registered through dynadot.com, behind Cloudflare) is an IOC in its own right. The domains below were found by pivoting on the two registrant email addresses. All of them were registered through pdr ltd. d/b/a publicdomainregistry.com with a registrant city of Moscow; domains are defanged with [.].

Registrant: yugipur-uje60@inbox[.]eu

Domain                        | Created
------------------------------|---------------------
flockkydwos[.]shop            | 2024-06-27T17:16:06Z
pedestriankodwu[.]xyz         | 2024-06-27T17:16:02Z
arritswpoewroso[.]shop        | 2024-06-27T17:16:06Z
penetratedpoopp[.]xyz         | 2024-06-27T17:16:02Z
closedjuruwk[.]shop           | 2024-06-27T16:58:45Z
groundsmooors[.]shop          | 2024-06-27T16:58:54Z
insticntclodwop[.]shop        | 2024-06-27T16:58:45Z
atonishingjwu[.]shop          | 2024-06-27T16:58:51Z
bishopinnv[.]shop             | 2024-06-27T16:58:51Z
toppledhaemw[.]shop           | 2024-06-27T17:16:06Z
rocketpotsww[.]shop           | 2024-06-27T16:58:45Z
potterryisiw[.]shop           | 2024-06-27T16:59:01Z
ellaboratepwsz[.]xyz          | 2024-06-27T17:16:02Z
swellfrrgwwos[.]xyz           | 2024-06-27T17:16:02Z
timetablepdodwp[.]shop        | 2024-06-27T16:58:55Z
innovationows[.]shop          | 2024-06-27T17:16:06Z
foodypannyjsud[.]shop         | 2024-06-27T16:58:48Z
towerxxuytwi[.]xyz            | 2024-06-27T17:16:02Z
palacecirwoos[.]shop          | 2024-06-27T16:59:00Z
contintnetksows[.]shop        | 2024-06-27T16:59:04Z

Registrant: nupimi-radi88@inbox[.]eu

Domain                        | Created
------------------------------|---------------------
watchpotentioalbkewo[.]shop   | 2024-06-27T11:52:41Z
seeatatignowartws[.]shop      | 2024-06-27T11:52:41Z
extorteauhhwigw[.]shop        | 2024-06-27T11:51:05Z
bindstrawwypenumatiws[.]shop  | 2024-06-27T11:54:42Z
bedroomgrassydwus[.]shop      | 2024-06-27T11:52:41Z
assignmentygassdyw[.]shop     | 2024-06-27T11:54:45Z
bitchsafettyudjwu[.]shop      | 2024-06-27T11:51:03Z
broccolydecidesrbeb[.]shop    | 2024-06-27T11:50:59Z
eaglecheastdiesow[.]shop      | 2024-06-27T11:52:40Z
dueamuggyshkowsv[.]shop       | 2024-06-27T11:54:42Z
piedsiggnycliquieaw[.]shop    | 2024-06-27T11:51:15Z
exporttearryliveedko[.]shop   | 2024-06-27T11:52:43Z
citizencenturygoodwk[.]shop   | 2024-06-27T11:51:16Z
circulatebilebrattwko[.]shop  | 2024-06-27T11:51:08Z
invisibledovereats[.]shop     | 2024-06-27T11:52:41Z

Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.
