Threat Intelligence Report
Date: August 12, 2024
Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS
Recently, the HYAS Threat Intelligence team has noticed an increase in malware communicating with subdomains under the ply.gg domain. The domain is part of Playit.gg's infrastructure, a service that lets gamers host multiplayer servers (Minecraft being the typical case) without exposing their own machine directly to the internet. Although intended for games, it provides a free subdomain and a reverse proxy, which is exactly the tooling a threat actor needs to hide the real location of malicious infrastructure.
This report demonstrates how threat actors use legitimate services to disguise their traffic and hide their true location from investigators. It also draws attention to the ply.gg domain as a potential vector for malware-based attacks on organizations and individuals.
A reverse proxy is a server that sits between client devices and a backend server, accepting requests from clients and forwarding them to the intended server. Clients only ever see the proxy's address; the backend's real address is never exposed to them. In legitimate deployments this intermediary improves performance, security, and reliability.
While reverse proxies serve many legitimate purposes, they can also be abused by threat actors to conceal malicious activities. Cybercriminals use reverse proxies to:
By leveraging services like Playit.gg, threat actors blend their traffic with legitimate gaming traffic, which complicates efforts to detect and block malicious communications. Recognizing how reverse proxies and tunneling services are abused is a prerequisite for detecting and blocking this kind of C2 traffic.
Threat actors abuse the Playit.gg service to hide their malicious infrastructure and facilitate Command and Control (C2) operations. Here's a step-by-step breakdown of how this can be achieved:
1. Account Creation and Verification:
By leveraging Playit.gg, threat actors can seamlessly integrate their C2 infrastructure within legitimate gaming traffic. The infected host's outbound connection terminates at Playit.gg's infrastructure, not at the operator's server, so from a defender's point of view the C2 destination is a shared, legitimate service rather than an attacker-owned IP address. This obfuscates the operator's real location and complicates detection efforts by cybersecurity professionals.
(Image: Warning during configuration of playit.gg service)
Playit.gg clearly recognizes the potential for misuse on the platform and expressly forbids it from being used in such a way.
1. Restrict Access to the ply.gg Domain:
Organizations should consider blocking access to the ply.gg domain at the network level. This can be achieved through protective DNS solutions or firewall rules to prevent potential malware communications from reaching their command-and-control (C2) servers. Note that blocking by IP address is of limited value here: the addresses that ply.gg subdomains resolve to belong to Playit.gg's shared edge and serve legitimate gaming traffic as well, so the domain, not the IP, is the reliable control point.
2. Monitor Network Traffic for Anomalies:
Regularly monitor network traffic for any unusual or unauthorized connections to the ply.gg domain. In practice this means alerting on DNS queries and outbound connections for any *.ply.gg name from hosts that have no business running a game server, in particular servers and workstations in corporate segments. Threat detection systems that correlate DNS logs with process telemetry can help identify and alert on the periodic beaconing patterns associated with C2 communication.
3. Implement Threat Intelligence Feeds:
Incorporate threat intelligence feeds that include indicators of compromise (IoCs) related to ply.gg and other similar domains. This can help in detecting and blocking known malicious activities associated with these services.
4. Educate Employees on Potential Threats:
Raise awareness among employees about the risks of accessing unauthorized or suspicious domains, including those related to gaming services like Playit.gg. Training should focus on recognizing phishing attempts and avoiding the installation of unauthorized software, since the malware families observed here are typically delivered through such means.
5. Enhance Endpoint Security:
Ensure that endpoint protection solutions are up-to-date and capable of detecting and blocking malware that may attempt to use ply.gg for C2 communication. Advanced endpoint detection and response (EDR) solutions can provide additional layers of protection.
6. Engage in Regular Security Audits:
Conduct regular security audits and vulnerability assessments to identify any weaknesses in your network that could be exploited by threat actors using reverse proxies like those provided by Playit.gg.
7. Collaborate with Threat Intelligence Providers:
Work closely with threat intelligence providers like HYAS, to stay informed about emerging threats and to receive timely updates on domains and services being exploited by cybercriminals.
By implementing these measures, organizations can significantly reduce the risk of malware using the ply.gg domain as a vector for attacks, thereby enhancing their overall cybersecurity posture.
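The following is an added example, not part of the HYAS report, showing how the monitoring and IoC-feed recommendations above can be turned into concrete detection logic. It scans DNS query logs for any name under ply.gg, raises a high-severity alert when the name matches one of the indicators listed in this report, and a medium-severity alert for any other ply.gg subdomain. The log format ("timestamp client qname qtype") and the log lines themselves are constructed for the example; the domains and hashes are the ones published in this report.

```python
"""Flag ply.gg tunnel usage in DNS query logs and match it against the report's IoCs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators from the report, as published (defanged). Hashes are MD5s of the malware samples.
IOC_DOMAINS = {
    "ads-jeremy.gl.at.ply[.]gg": "asyncrat",
    "paris-itself.gl.at.ply[.]gg": "asyncrat",
    "tax-sri.gl.at.ply[.]gg": "nanocore",
    "dead-he.gl.at.ply[.]gg": "xworm",
    "western-requires.gl.at.ply[.]gg": "xworm",
    "to-reconstruction.gl.at.ply[.]gg": "xworm",
}
IOC_MD5 = {
    "36a75d896d48d43a54a8792fd92f3912": "asyncrat",
    "9b2b8770c462d91bcf4d915cbea54202": "asyncrat",
    "b0198f2d25536cb8efb928857f696c1b": "nanocore",
    "ad0314c9588f196a9a752b6732cf9612": "xworm",
    "553326c1417f4220586311bae847d37b": "xworm",
    "ca312e982c9e4e5664ef45e8cb2be9cf": "xworm",
}

# Any name under this suffix is a Playit.gg tunnel endpoint, known-bad or not.
TUNNEL_SUFFIX = ".ply.gg"


def refang(domain: str) -> str:
    """Normalise a possibly defanged DNS name: lowercase, [.] -> ., strip trailing dot."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


KNOWN_DOMAINS = {refang(d): fam for d, fam in IOC_DOMAINS.items()}


@dataclass
class Alert:
    client: str
    qname: str
    severity: str            # "high" = published IoC, "medium" = other ply.gg tunnel
    family: Optional[str]    # malware family when the name is a published IoC


# Constructed sample log (hypothetical format: timestamp client qname qtype).
SAMPLE_LOG = """\
2024-08-12T09:01:13Z 10.0.5.23 www.example.com A
2024-08-12T09:01:14Z 10.0.5.23 Dead-He.gl.at.ply.gg. A
2024-08-12T09:02:40Z 10.0.7.9 minecraft-srv.gl.at.ply.gg A
2024-08-12T09:03:01Z 10.0.7.9 updates.example.net AAAA
2024-08-12T09:05:55Z 10.0.5.23 to-reconstruction.gl.at.ply.gg A
malformed line
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify(qname: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (severity, family) for a queried name, or (None, None) if it is not a ply.gg name."""
    name = refang(qname)
    if name in KNOWN_DOMAINS:
        return "high", KNOWN_DOMAINS[name]
    # endswith(".ply.gg") avoids false positives on look-alikes such as "notply.gg".
    if name == TUNNEL_SUFFIX.lstrip(".") or name.endswith(TUNNEL_SUFFIX):
        return "medium", None
    return None, None


def known_hash(md5: str) -> Optional[str]:
    """Look up a sample hash (case-insensitive) in the report's IoC list."""
    return IOC_MD5.get(md5.strip().lower())


def scan(log_text: str) -> List[Alert]:
    """Parse the log and return one Alert per query that touches ply.gg; skip malformed lines."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        severity, family = classify(qname)
        if severity:
            alerts.append(Alert(client, refang(qname), severity, family))
    return alerts


def affected_clients(alerts: List[Alert]) -> List[str]:
    """Distinct source hosts that resolved a ply.gg name, for triage."""
    return sorted({a.client for a in alerts})


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.severity:6} {a.client:12} {a.qname} {a.family or ''}")
    print("hosts to triage:", affected_clients(scan(SAMPLE_LOG)))
```

The medium-severity tier matters as much as the IoC matches: the subdomain labels are assigned per tunnel, so a fresh campaign will use names not on any feed, and the only durable signal is that a corporate host resolved anything under ply.gg at all.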
Indicators of compromise observed in this investigation (C2 domains, defanged, with the MD5 of the sample that contacted each one):
Domain: ads-jeremy.gl.at.ply[.]gg
MD5: 36a75d896d48d43a54a8792fd92f3912
Family: asyncrat
Domain: paris-itself.gl.at.ply[.]gg
MD5: 9b2b8770c462d91bcf4d915cbea54202
Family: asyncrat
Domain: tax-sri.gl.at.ply[.]gg
MD5: b0198f2d25536cb8efb928857f696c1b
Family: nanocore
Domain: dead-he.gl.at.ply[.]gg
MD5: ad0314c9588f196a9a752b6732cf9612
Family: xworm
Domain: western-requires.gl.at.ply[.]gg
MD5: 553326c1417f4220586311bae847d37b
Family: xworm
Domain: to-reconstruction.gl.at.ply[.]gg
MD5: ca312e982c9e4e5664ef45e8cb2be9cf
Family: xworm
Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.