Threat Intelligence Report

Date: August 19, 2024

Prepared by: David Brunsdon, Threat Intelligence – Security Engineer, HYAS

This year, the HYAS Threat Intelligence team has been tracking the use of the Steam gaming platform by threat actors to host command and control (C2) domain addresses, leveraging Steam user accounts to facilitate malicious activity. By inputting an IP or domain name into the Steam user account, the malware can fetch that particular user’s details and receive a destination for C2, or exfiltration.

We came across a threat actor that went further to hide their C2 domains by using a simple form of encryption known as a “Substitution Cipher.” This blog post will detail how the cipher works, the IOCs we’ve identified, and email addresses used for domain registration by the actor.

What Is a Substitution Cipher?

A substitution cipher is one of the oldest and simplest methods of encryption. It involves substituting each letter in the plaintext (the original message) with another letter, number, or symbol according to a fixed system. The result is a ciphertext, which appears as a scrambled or encoded version of the original message. The key to deciphering the message is understanding the specific substitution rule that was applied.

(Image: Caesar Cipher Wheel, source: wikipedia.org)

Timeless Tactics: The Efficiency of Simplicity

In a simple substitution cipher, each letter of the plaintext is replaced by another letter. A common example is the Caesar cipher, named after Julius Caesar, who reportedly used this method to communicate securely. In a Caesar cipher, each letter is shifted a fixed number of places down or up the alphabet. For example, with a shift of 3:

A becomes D
B becomes E
C becomes F
and so on…

If the plaintext is “HELLO,” a Caesar cipher with a shift of 3 would encode it as “KHOOR”. This technique would also be referred to as ROT3, indicating a rotation of three letters.

Examination of the String

When we examine the string ‘epyyejdufixk.dsza,’ we noticed several important characteristics:

1. It’s all lower-case English alphabet.

2. Hex is a popular method of encoding data, but hex is restricted to 0-9, A-F. It’s definitely not hex.

3. Base64 uses a fairly even mix of lowercase, uppercase, and numeric values, the latter two being non-existent in our string. It’s probably not base64.

4. From previous experience, we already suspected a domain or IP could be used here. With the location of the ‘.’, this could be a domain name that has a four character top-level domain (TLD).

If this is a simple substitution cipher, then we only need to determine that cipher from 26 possibilities. There are websites like CyberChef that can perform tasks like this, but why would we use them, when we can write python?

Explanation of the Code

1. Looping through rotations (rot in range(26)):
The code tests all possible Caesar cipher rotations from 0 to 25. Each rotation represents a possible shift of the alphabet.

2. Checking if the character is alphabetic (char.isalpha()):
The function checks if the character is a letter. If it is, it applies the rotation. If it’s not a letter (like a period .), it leaves the character unchanged.

3. Calculating the new character:
The calculation (ord(char) – base + rot) % 26 + base shifts the character by rot positions in the alphabet. The modulo operation % 26 ensures that the shifting wraps around the alphabet (e.g., shifting z by 1 would become a).

4. Resetting the output string:
After printing the result of each rotation, the output string is reset to start fresh for the next rotation.

Revealing a New IOC

When you run this function with the encoded string “epyyejdufixk.dsza”, it will print all possible rotations, showing how the encoded text would look with each Caesar cipher shift. If successful, one of these outputs will match the original plaintext.

When the script is run, it provides an output of each possible rotation of letters from no change, to 25 shifts:

The output of the script reveals a valid TLD at ROT15: ‘tenntysjuxmz[.]shop.’ This discovery is significant as it uncovers a new IOC, potentially linked to ongoing malicious campaigns.

Pivot from tenntysjuxmz[.]shop

Our HYAS Insight threat intelligence solution identified a large number of Lumma stealer malware samples associated with this domain (771). It is protected by Cloudflare and is using their nameservers. The domain was registered with dynadot.com. What’s interesting is that this domain appears with other domains in malware, which HYAS Insight had some registration details on. We can pivot off the domain registrants we found to get a list of what domains have been registered.

Domain Registration Emails Identified

yugipur-uje60@inbox[.]eu
nupimi-radi88@inbox[.]eu

There are several interesting patterns to identify in the domains and email addresses. The email addresses both use inbox[.]eu, and contain a seemingly random pattern, followed by a hyphen, then a few more characters and two numbers. The domains have a similar pattern of a word, which then proceeds into more random letters.

It’s also hard to ignore the rapid succession with which these domains were created. Together this suggests a level of automation in the generation of names and email addresses, likely through a domain generation algorithm. Along with sharing the same ROT15 technique, the consistent patterns in domain registrations and email addresses strongly suggest they are controlled by the same actor, likely of Russian origin. Further investigation and monitoring of these IOCs are recommended to mitigate potential threats.

IOC List

Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report’s information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight threat intelligence provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.

Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.

Want more threat intel on a weekly basis?
Follow HYAS on LinkedIn
Follow HYAS on X

Sign up for the (free!) HYAS Insight Intel Feed

Read Recent HYAS Threat Reports:

The Prevalence of DarkComet In Dynamic DNS
Caught in the Act: StealC, the Cyber Thief in C
HYAS Protects Against Polyfill.io Supply Chain Attack with DNS Safeguards
StealC & Vidar Malware Campaign Identified

More from HYAS Labs

Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.
Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.

*** This is a Security Bloggers Network syndicated blog from HYAS Blog - 2024 authored by David Brunsdon. Read the original post at: https://www.hyas.com/blog/echoes-of-rome-leveraging-ancient-tactics-for-modern-malware