National Cyber Warfare Foundation (NCWF) Forums


Echoes of Rome: Leveraging Ancient Tactics for Modern Malware


2024-08-20 04:12:11
milo
Blue Team (CND)


Threat Intelligence Report


Date: August 19, 2024


Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS


This year, the HYAS Threat Intelligence team has been tracking the use of the Steam gaming platform by threat actors to host command and control (C2) domain addresses, leveraging Steam user accounts to facilitate malicious activity. By inputting an IP or domain name into the Steam user account, the malware can fetch that particular user's details and receive a destination for C2, or exfiltration.


We came across a threat actor that went further to hide their C2 domains by using a simple form of encryption known as a “Substitution Cipher.” This blog post will detail how the cipher works, the IOCs we’ve identified, and email addresses used for domain registration by the actor.


What Is a Substitution Cipher?


A substitution cipher is one of the oldest and simplest methods of encryption. It involves substituting each letter in the plaintext (the original message) with another letter, number, or symbol according to a fixed system. The result is a ciphertext, which appears as a scrambled or encoded version of the original message. The key to deciphering the message is understanding the specific substitution rule that was applied.


(Image: Caesar Cipher Wheel, source: wikipedia.org)


Timeless Tactics: The Efficiency of Simplicity


In a simple substitution cipher, each letter of the plaintext is replaced by another letter. A common example is the Caesar cipher, named after Julius Caesar, who reportedly used this method to communicate securely. In a Caesar cipher, each letter is shifted a fixed number of places down or up the alphabet. For example, with a shift of 3:


A becomes D
B becomes E
C becomes F
and so on…


If the plaintext is "HELLO," a Caesar cipher with a shift of 3 would encode it as "KHOOR". A shift of this kind is also referred to as ROT3, indicating a rotation of three letters.


Examination of the String


epyyejdufixk[.]dsza


When presented with a string believed to be encoded or encrypted data, it is important to closely study the characteristics of the string to attempt to identify what method was used. If the value has been encoded, then there is a real possibility that it can be undone. If it’s encrypted, one would probably need to find (or guess) the secret key.


When we examined the string ‘epyyejdufixk.dsza’, we noticed several important characteristics:


1. It’s all lower-case English alphabet.


2. Hex is a popular method of encoding data, but it is restricted to the characters 0-9 and A-F, so this is definitely not hex.


3. Base64 uses a fairly even mix of lowercase, uppercase, and numeric values, the latter two being non-existent in our string. It’s probably not base64.


4. From previous experience, we already suspected a domain or IP could be used here. With the location of the ‘.’, this could be a domain name that has a four character top-level domain (TLD).


If this is a simple substitution cipher of the Caesar type, there are only 26 possible shifts, so we can simply try them all. There are websites like CyberChef that can perform tasks like this, but why use them when we can write Python?



def decode_value(string):
    output = ''
    # Try every possible Caesar shift, 0 through 25
    for rot in range(26):
        for char in string:
            if char.isalpha():
                # Shift letters within their own case, wrapping at the end of the alphabet
                base = ord('a') if char.islower() else ord('A')
                new_char = chr((ord(char) - base + rot) % 26 + base)
                output += new_char
            else:
                # Non-letters (such as the '.') pass through unchanged
                new_char = char
                output += new_char
        print(f'-ROT{rot}: {output}')
        output = ''


decode_value('epyyejdufixk.dsza')


Explanation of the Code


1. Looping through rotations (rot in range(26)):
The code tests all possible Caesar cipher rotations from 0 to 25. Each rotation represents a possible shift of the alphabet.


2. Checking if the character is alphabetic (char.isalpha()):
The function checks if the character is a letter. If it is, it applies the rotation. If it’s not a letter (like a period .), it leaves the character unchanged.


3. Calculating the new character:
The calculation (ord(char) - base + rot) % 26 + base shifts the character by rot positions in the alphabet. The modulo operation % 26 ensures that the shifting wraps around the alphabet (e.g., shifting z by 1 would become a).


4. Resetting the output string:
After printing the result of each rotation, the output string is reset to start fresh for the next rotation.


Revealing a New IOC


When you run this function with the encoded string "epyyejdufixk.dsza", it will print all possible rotations, showing how the encoded text would look with each Caesar cipher shift. If successful, one of these outputs will match the original plaintext.


When the script is run, it prints each possible rotation of the letters, from no change through 25 shifts.


The output of the script reveals a valid TLD at ROT15: 'tenntysjuxmz[.]shop.' This discovery is significant as it uncovers a new IOC, potentially linked to ongoing malicious campaigns.
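As an added example (not code from the HYAS post), the triage below automates the reasoning above: it records the character-set observations (hex, base64, lowercase-only), brute-forces all 26 shifts, and keeps only candidates whose final label is in a short constructed TLD list, so the ROT15 result surfaces without reading all 26 lines. The TLD list, the label regex and the helper names are assumptions of this example.

```python
import re
import string

# Short TLD list for the heuristic; constructed for this example, extend as needed.
KNOWN_TLDS = {"shop", "xyz", "com", "net", "org", "top", "site", "online"}
# DNS label: alphanumerics and hyphens, no leading/trailing hyphen, 1-63 chars.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def rotate(text, shift):
    """Shift every ASCII letter by `shift` places, leaving other characters alone."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def charset_hints(text):
    """Reproduce the post's triage: could this be hex, base64, or a shifted domain?"""
    body = text.replace(".", "")
    return {
        "hex": all(c in string.hexdigits for c in body),
        "base64_like": any(c.isupper() or c.isdigit() for c in body),
        "lowercase_alpha": body.isalpha() and body.islower(),
    }


def looks_like_domain(candidate):
    """True if every label is DNS-legal and the last label is a known TLD."""
    labels = candidate.lower().split(".")
    if len(labels) < 2 or labels[-1] not in KNOWN_TLDS:
        return False
    return all(LABEL_RE.match(label) for label in labels)


def recover_domains(ciphertext):
    """Try all 26 shifts and keep only those that decode to a plausible domain."""
    return [(shift, rotate(ciphertext, shift))
            for shift in range(26)
            if looks_like_domain(rotate(ciphertext, shift))]


if __name__ == "__main__":
    sample = "epyyejdufixk.dsza"   # the encoded string from the post
    print(charset_hints(sample))
    for shift, plain in recover_domains(sample):
        print(f"ROT{shift}: {plain}")   # prints "ROT15: tenntysjuxmz.shop"
```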


Pivot from tenntysjuxmz[.]shop


Our HYAS Insight threat intelligence solution identified a large number (771) of Lumma stealer malware samples associated with this domain. It is protected by Cloudflare and uses Cloudflare nameservers. The domain was registered with dynadot.com. What’s interesting is that this domain appears alongside other domains in the malware, for which HYAS Insight had registration details. Pivoting on the registrants we found gives us a list of the other domains they registered.


Domain Registration Emails Identified


yugipur-uje60@inbox[.]eu
nupimi-radi88@inbox[.]eu


There are several interesting patterns in the domains and email addresses. The email addresses both use inbox[.]eu and contain a seemingly random string, followed by a hyphen, then a few more characters and two digits. The domains follow a similar pattern: a dictionary word that runs into a string of random-looking letters.


It’s also hard to ignore the rapid succession with which these domains were created. Together this suggests a level of automation in the generation of names and email addresses, likely through a domain generation algorithm. Along with sharing the same ROT15 technique, the consistent patterns in domain registrations and email addresses strongly suggest they are controlled by the same actor, likely of Russian origin. Further investigation and monitoring of these IOCs are recommended to mitigate potential threats.


IOC List

Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.



The post Echoes of Rome: Leveraging Ancient Tactics for Modern Malware appeared first on Security Boulevard.



David Brunsdon

Source: Security Boulevard
Source Link: https://securityboulevard.com/2024/08/echoes-of-rome-leveraging-ancient-tactics-for-modern-malware/





Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.