HYAS Blog

Threat Actors Hidden In Gaming Services | HYAS Investigate

Written by David Brunsdon | August 12, 2024

Threat Intelligence Report

Date: August 12, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

Threat Actors Exploiting Legitimate Services to Disguise Traffic

Recently, the HYAS Threat Intelligence team has noticed an increase in malware communicating with subdomains under the ply.gg domain. The domain is part of Playit.gg's infrastructure, a service that lets computer gamers host online play. Although intended for games like Minecraft, it provides a free domain name and a reverse proxy, and that same capability lets a threat actor hide their malicious infrastructure.

This article demonstrates how threat actors will use legitimate services to disguise their traffic and hide their true location from investigators. It also draws attention to the ply.gg domain as a potential threat vector for malware-based attacks on organizations and individuals.

About Reverse Proxies

A reverse proxy is a server that sits between client devices and a server, intercepting requests from clients and forwarding them to the intended server. It functions as an intermediary that enhances the performance, security, and reliability of services.

Typical Uses of Reverse Proxies

1. Load Balancing:
      Reverse proxies distribute incoming traffic across multiple servers to ensure no single server becomes overwhelmed. This improves the availability and reliability of applications, particularly those experiencing high traffic volumes.
2. Enhanced Security:
      By hiding the backend servers' IP addresses, reverse proxies add an additional layer of security. They can also block malicious requests, protect against Distributed Denial-of-Service (DDoS) attacks, and serve as a first line of defense in a network security strategy.
3. SSL Termination:
      Reverse proxies can manage SSL/TLS encryption and decryption, relieving backend servers from the computational load of handling these tasks. This is particularly useful for improving the performance of HTTPS websites.
4. Web Acceleration:
      By caching content, reverse proxies can reduce the load on backend servers and speed up response times for users. This is beneficial for delivering static content such as images, stylesheets, and scripts more efficiently.
5. Content Filtering:
      Reverse proxies can inspect and filter incoming requests to ensure they meet predefined criteria. This is useful for content filtering, enforcing security policies, and preventing access to restricted areas.
6. Compression:
      They can compress outbound data to reduce the amount of bandwidth used, which can be particularly beneficial for users with slow internet connections.

Reverse Proxies in Malicious Activities

While reverse proxies serve many legitimate purposes, they can also be exploited by threat actors to conceal malicious activities. Cybercriminals use reverse proxies to:

  • Hide Malicious Infrastructure: By routing traffic through a reverse proxy, attackers can mask the true location of their command-and-control (C2) servers, making it difficult for investigators to trace and shut them down.
  • Bypass Security Measures: Reverse proxies can help bypass IP-based security controls, allowing attackers to evade detection and maintain persistent access to compromised systems.
  • Proxy for Anonymity: Using reverse proxies helps cybercriminals maintain anonymity by preventing the exposure of their actual IP addresses during malicious campaigns.

By leveraging services like Playit.gg, threat actors can blend their traffic with legitimate gaming traffic, complicating efforts to detect and block malicious communications. Recognizing and understanding the use of reverse proxies is crucial for enhancing cybersecurity measures and thwarting such threats.

How Threat Actors Could Utilize Playit.gg

Threat actors could exploit the Playit.gg service to hide their malicious infrastructure and facilitate Command and Control (C2) operations. Here's a step-by-step breakdown of how this can be achieved:

1. Account Creation and Verification:
  • The threat actor creates an account on Playit.gg by providing an email address.
  • The email address is verified through a confirmation process, granting access to the service.
2. Download and Setup:
  • An application is downloaded from Playit.gg and installed on a server controlled by the threat actor.
  • The application is linked to the Playit.gg account, often requiring verification through the website.
3. Establishing and Hardening the C2 Server:
  • The C2 server is configured to ensure it can only be accessed by the operators and through the Playit.gg proxy network.
  • Security measures, such as IP allowlisting and authentication, are implemented to harden the C2 server against unauthorized access.
4. Configuring the Malware:
  • The port number and the assigned domain name (provided by Playit.gg) are entered into the malware's configuration. These details are embedded in the malware, which is then deployed to victim devices.
5. Routing Malware Communications:
  • Once the malware is active on victim devices, it initiates communication with the C2 server.
  • All communications between the malware and the C2 server are routed through the Playit.gg proxy network.
  • This setup masks the true location of the threat actor's server, making it challenging for defenders to trace and block the malicious infrastructure.

By leveraging Playit.gg, threat actors can seamlessly integrate their C2 infrastructure within legitimate gaming traffic. This not only obfuscates their activities but also complicates detection efforts by cybersecurity professionals, as the traffic appears to come from a well-known and trusted service.

(Image: Warning during configuration of playit.gg service)

Playit.gg clearly recognizes the potential for misuse on the platform and expressly forbids it from being used in such a way.

Recommendations

1. Restrict Access to the ply.gg Domain:
Organizations should consider blocking access to the ply.gg domain at the network level. This can be achieved through protective DNS solutions or firewall rules, preventing potential malware communications from reaching their command-and-control (C2) servers.

2. Monitor Network Traffic for Anomalies:
Regularly monitor network traffic for any unusual or unauthorized connections to the ply.gg domain. Implementing advanced threat detection systems can help identify and alert on suspicious traffic patterns associated with C2 communication.

3. Implement Threat Intelligence Feeds:
Incorporate threat intelligence feeds that include indicators of compromise (IoCs) related to ply.gg and other similar domains. This can help in detecting and blocking known malicious activities associated with these services.

4. Educate Employees on Potential Threats:
Raise awareness among employees about the risks of accessing unauthorized or suspicious domains, including those related to gaming services like Playit.gg. Training should focus on recognizing phishing attempts and avoiding the installation of unauthorized software.

5. Enhance Endpoint Security:
Ensure that endpoint protection solutions are up-to-date and capable of detecting and blocking malware that may attempt to use ply.gg for C2 communication. Advanced endpoint detection and response (EDR) solutions can provide additional layers of protection.

6. Engage in Regular Security Audits:
Conduct regular security audits and vulnerability assessments to identify any weaknesses in your network that could be exploited by threat actors using reverse proxies like those provided by Playit.gg.

7. Collaborate with Threat Intelligence Providers:
Work closely with threat intelligence providers like HYAS to stay informed about emerging threats and to receive timely updates on domains and services being exploited by cybercriminals.

By implementing these measures, organizations can significantly reduce the risk of malware using the ply.gg domain as a vector for attacks, thereby enhancing their overall cybersecurity posture.

Recent Example IOCs

Domain: ads-jeremy.gl.at.ply[.]gg
MD5: 36a75d896d48d43a54a8792fd92f3912
Family: asyncrat

Domain: paris-itself.gl.at.ply[.]gg
MD5: 9b2b8770c462d91bcf4d915cbea54202
Family: asyncrat

Domain: tax-sri.gl.at.ply[.]gg
MD5: b0198f2d25536cb8efb928857f696c1b
Family: nanocore

Domain: dead-he.gl.at.ply[.]gg
MD5: ad0314c9588f196a9a752b6732cf9612
Family: xworm

Domain: western-requires.gl.at.ply[.]gg
MD5: 553326c1417f4220586311bae847d37b
Family: xworm

Domain: to-reconstruction.gl.at.ply[.]gg
MD5: ca312e982c9e4e5664ef45e8cb2be9cf
Family: xworm
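The following is an added example, not code from HYAS or from this report, showing how recommendations 1 through 3 above (block ply.gg, monitor DNS traffic for connections to it, and match the published IOCs) can be put into practice. It refangs the defanged indicators from the IOC list above, scans constructed DNS query log lines (the four-column log format is a hypothetical one assumed here), flags exact IOC hits separately from any other ply.gg subdomain, and emits BIND RPZ records that return NXDOMAIN for the parent domain and all of its subdomains. Note the label-aware suffix check: a name such as notply.gg must not be treated as a ply.gg subdomain.

```python
import re
from dataclasses import dataclass

# Watch-list: the parent domain named in the report, plus the exact
# subdomains from the report's IOC list, kept defanged as published.
WATCHED_PARENT = "ply.gg"
IOC_DOMAINS = {
    "ads-jeremy.gl.at.ply[.]gg": "asyncrat",
    "paris-itself.gl.at.ply[.]gg": "asyncrat",
    "tax-sri.gl.at.ply[.]gg": "nanocore",
    "dead-he.gl.at.ply[.]gg": "xworm",
    "western-requires.gl.at.ply[.]gg": "xworm",
    "to-reconstruction.gl.at.ply[.]gg": "xworm",
}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'x.ply[.]gg' into a normalised 'x.ply.gg'."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def is_under(domain: str, parent: str) -> bool:
    """True if domain equals parent or is a subdomain of it (label boundary respected)."""
    d, p = refang(domain), refang(parent)
    return d == p or d.endswith("." + p)


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    query: str
    reason: str  # "known-ioc:<family>" or "ply.gg-subdomain"


# Hypothetical log format assumed for this example: "<timestamp> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns_log(lines):
    """Return a Finding for every query that is a known IOC or any ply.gg name."""
    known = {refang(k): fam for k, fam in IOC_DOMAINS.items()}
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, qname, _qtype = m.groups()
        q = refang(qname)
        if q in known:
            findings.append(Finding(ts, client, q, f"known-ioc:{known[q]}"))
        elif is_under(q, WATCHED_PARENT):
            findings.append(Finding(ts, client, q, "ply.gg-subdomain"))
    return findings


def rpz_records(parent: str = WATCHED_PARENT):
    """BIND response-policy-zone records that NXDOMAIN the parent and every subdomain."""
    p = refang(parent)
    return [f"{p} CNAME .", f"*.{p} CNAME ."]


# Constructed sample log lines (not real traffic): one exact IOC hit, one benign
# name, one previously unseen ply.gg subdomain, one suffix-collision trap, and
# a mixed-case query of the parent domain itself.
SAMPLE_LOG = [
    "2024-08-12T10:00:01Z 10.0.0.15 ads-jeremy.gl.at.ply.gg A",
    "2024-08-12T10:00:05Z 10.0.0.15 www.example.com A",
    "2024-08-12T10:01:10Z 10.0.0.22 new-tunnel.gl.at.ply.gg A",
    "2024-08-12T10:02:00Z 10.0.0.30 notply.gg A",
    "2024-08-12T10:02:30Z 10.0.0.30 PLY.GG A",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip} -> {f.query} [{f.reason}]")
    print("\n".join(rpz_records()))
```

In practice the "ply.gg-subdomain" findings are the more valuable signal: a name that is not yet on any IOC list but sits under the tunnelling service is exactly what a newly stood-up C2 looks like, and a host that resolves such a name on a network where no gaming is expected deserves an EDR look. The RPZ lines can be dropped into a protective DNS zone to enforce recommendation 1 while the findings feed recommendation 2.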

Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack. This includes the origin, current infrastructure being used and any infrastructure.
