Legitimate services as C2
Analysis Summary
# Tool/Technique: njRAT (Bladabindi) / XWorm
## Overview
njRAT (also known as Bladabindi) and XWorm are Remote Access Trojans (RATs) observed in recent threat activity. They are used by various threat actors for espionage, financial theft, and gaining unauthorized remote access to infected systems. The context focuses on their C2 infrastructure potentially leveraging legitimate services like Playit.gg to mask malicious traffic.
## Technical Details
- Type: Malware family (Remote Access Trojan)
- Platform: Primarily Windows (implied by common RAT structure and delivery methods mentioned)
- Capabilities: Keylogging, screenshot capture, unauthorized remote access, data theft, DDoS attack launching.
- First Seen: Not specified, but recent activity highlighted since March 2024 for njRAT.
## MITRE ATT&CK Mapping
Although the source does not tie specific techniques to the tool execution described, common RAT functionality maps as follows:
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
  - T1105 - Ingress Tool Transfer (for downloading secondary payloads)
- **TA0009 - Collection**
  - T1056.001 - Input Capture: Keylogging
  - T1113 - Screen Capture
## Functionality
### Core Capabilities
- **njRAT:** Remote control, keylogging, and screenshot capture functionality for information theft.
- **XWorm:** Remote control, data theft capabilities, and the ability to launch Distributed Denial of Service (DDoS) attacks.
### Advanced Features
- **Delivery Mechanism:** Commonly delivered via phishing campaigns utilizing malicious links or multi-stage attacks involving malicious LNK files that execute PowerShell scripts to fetch additional payloads.
## Indicators of Compromise
Indicators are primarily focused on the C2 infrastructure identified in the investigation:
- File Hashes: [Not provided in the source document]
- File Names: [Not provided in the source document]
- Registry Keys: [Not provided in the source document]
- Network Indicators:
  - Initial C2 URL: `subscribe-supervision.gl[.]at.ply.gg`
  - Associated IP: `147.185.221[.]23`
  - Other observed C2 host domains: `ravstormdev[.]top`, `cerealshub[.]online`, `amakusa[.]lat`, `furians[.]net`, `galaxy4dayz[.]com`, `onys[.]fun`, `powsync[.]com`, `ddzunlock[.]tech`, `empanabbo[.]xyz`, `galantoath[.]online`, `gaymershub[.]net`, `play-valorcraft[.]com`, `solodeus[.]xyz`, `skycams[.]top`, `retropixel[.]fun`, `remotosgsm19[.]tech`, `wfinddogs[.]com`
- Behavioral Indicators: Execution chains starting from phishing leading to PowerShell executing remote downloads.
## Associated Threat Actors
- Various threat actors known for espionage and financial theft (njRAT).
- Activity associated with APTs and cybercriminals (general conclusion regarding Playit.gg usage).
## Detection Methods
- **Signature-based detection:** Signatures for known njRAT/XWorm binaries.
- **Behavioral detection:** Monitoring for PowerShell execution initiating external downloads following email interaction, keylogging behavior, or unexpected remote shell connections.
- **YARA rules:** [Not provided in the source document]
## Mitigation Strategies
- **Prevention measures:** User training against phishing, filtering malicious email links, and strict execution policies.
- **Hardening recommendations:** Restricting PowerShell execution via AppLocker or constrained language mode. Monitoring for unusual outbound traffic connections to potentially malicious infrastructure.
## Related Tools/Techniques
The investigation highlighted that the shared infrastructure (AS400519, Playit.gg) is also associated with:
- AsyncRAT
- Razy
- Cobalt Strike
- SpyMax
- Other RATs/Malware.
The overall technique involves abusing legitimate cloud services:
- **Technique:** Abuse of Legitimate Services (C2 Hosting/Traffic Obfuscation)
- **MITRE Mapping (Inferred):** T1102 - Web Service
---
# Tool/Technique: Playit.gg (Legitimate Service Exploitation)
## Overview
Playit.gg is a legitimate tunneling service designed to allow users to host services (like game servers) without public IP addresses or port forwarding. Threat actors exploit this service to host malicious Command and Control (C2) infrastructure, hiding malicious traffic within what appears to be legitimate gaming or service tunnel traffic, leveraging the domain's reputation.
## Technical Details
- Type: Legitimate Service Exploited for Malicious Purposes
- Platform: Cross-platform (as it is an infrastructure service)
- Capabilities: Provides tunneling capabilities, redirects traffic, utilizes CDN infrastructure.
- First Seen: Date service was established is not mentioned, but its exploitation is noted in recent activity.
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
  - T1090 - Proxy
  - T1102 - Web Service (using a legitimate provider to host C2)
## Functionality
### Core Capabilities
- Facilitates port forwarding and remote accessibility for endpoints.
- Redirects post-installation execution to a claim URL (`https://playit[.]gg/claim/120b43bd72`) acting as an identifier.
### Advanced Features
- Hides C2 traffic within normal-looking service traffic.
- Leverages the legitimate domain's reputation to bypass perimeter defenses.
- Associated infrastructure (AS400519) is shared across users hosting malicious domains.
## Indicators of Compromise
Indicators are focused on the infrastructure patterns associated with the service when used maliciously:
- File Hashes: [Not provided in the source document]
- File Names: [Not provided in the source document]
- Registry Keys: [Not provided in the source document]
- Network Indicators:
  - Service banner pattern: `services.banner="HTTP/1.1 302 Moved Temporarily\nServer: playit-cloud\nLocation: https://playit.gg\n"`
  - Associated Autonomous System: AS400519 (and AS40519 mentioned for Playit-gg hosts)
  - Subdomains using the C2 locator pattern: `*.gl.at.ply.gg` (e.g., `according-slot[.]gl.at.ply.gg`, `un-opera[.]gl.at.ply.gg`)
- Behavioral Indicators: Web servers exhibiting HTTP 302 redirects pointing specifically to `https://playit.gg` originating from hosts within AS400519/AS40519.
## Associated Threat Actors
- Various threat actors, including APTs and cybercriminals, are using this infrastructure for diverse agendas (monetary gain, espionage, influence operations).
## Detection Methods
- **Signature-based detection:** Detecting domains ending in `*.gl.at.ply.gg`.
- **Behavioral detection:** Identifying HTTP 302 responses where the `Location` header points to `playit.gg` on non-standard ports or associated IPs. Monitoring traffic to and from AS400519/AS40519 for anomalous characteristics.
- **YARA rules:** [Not provided in the source document]
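The two network indicators above (the `*.gl.at.ply.gg` locator suffix, which also covers the njRAT initial C2 host `subscribe-supervision.gl[.]at.ply.gg` listed earlier, and the HTTP 302 `playit-cloud` banner) as matching logic run over constructed sample data. This is an added example, not code from the source report; the proxy log format and the sample entries are assumptions.

```python
import re

# Indicator patterns taken from the report: tunnel locator subdomains under
# gl.at.ply.gg, and the HTTP 302 "playit-cloud" banner redirecting to https://playit.gg.
TUNNEL_SUFFIX_RE = re.compile(r"\.gl\.at\.ply\.gg$", re.IGNORECASE)
STATUS_302_RE = re.compile(r"^HTTP/1\.[01]\s+302\b")

# Constructed sample data (not from the report). Assumed proxy log format:
# "<timestamp> <src_ip> <dest_host>:<dest_port>"
SAMPLE_PROXY_LOG = [
    "2024-03-12T10:01:02Z 10.0.0.15 updates.example.com:443",
    "2024-03-12T10:01:09Z 10.0.0.15 according-slot.gl.at.ply.gg:41521",
    "2024-03-12T10:02:33Z 10.0.0.22 un-opera.gl.at.ply.gg:8080",
    "2024-03-12T10:03:40Z 10.0.0.22 ply.gg:443",  # no locator suffix, not flagged
]
SAMPLE_BANNER = "HTTP/1.1 302 Moved Temporarily\nServer: playit-cloud\nLocation: https://playit.gg\n"


def is_playit_tunnel_host(host: str) -> bool:
    """True for hosts such as according-slot.gl.at.ply.gg; defanged [.] is accepted."""
    host = host.strip().rstrip(".").replace("[.]", ".")
    return bool(TUNNEL_SUFFIX_RE.search(host))


def is_playit_cloud_banner(banner: str) -> bool:
    """Match 302 status + 'Server: playit-cloud' + 'Location: https://playit.gg'."""
    lines = banner.replace("\r\n", "\n").split("\n")
    if not lines or not STATUS_302_RE.match(lines[0]):
        return False
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip blank or malformed header lines
            headers[name.strip().lower()] = value.strip()
    location = headers.get("location", "").lower().rstrip("/")
    return headers.get("server", "").lower() == "playit-cloud" and location.startswith("https://playit.gg")


def scan_proxy_log(log_lines):
    """Return (timestamp, src_ip, dest_host, dest_port) for connections to tunnel locators."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host, sep, port = parts[2].rpartition(":")
        if not sep:  # no port in the record
            host, port = port, ""
        if is_playit_tunnel_host(host):
            hits.append((parts[0], parts[1], host, port))
    return hits
```

The port field in each hit is what the "non-standard ports" behavioural check above would key on.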
## Mitigation Strategies
- **Prevention measures:** Implement strict DNS filtering to block known malicious domains identified through passive DNS pivoting associated with Playit subdomains.
- **Hardening recommendations:** Inspect and allowlist outbound traffic, especially on non-standard ports, even when the destination is a high-reputation domain, whenever the context suggests C2 activity.
## Related Tools/Techniques
- Direct association with njRAT, XWorm, AsyncRAT, Cobalt Strike, and others, as these tools leverage this infrastructure.