image of breaking badness
Breaking Badness
Breaking Badness

132. Here, kiTTY kiTTY

Coming up this week on Breaking Badness. Today we discuss: I’ve Got Steam Heat, PuTTY in My Hands, and Two Truths and a Lie.

Here are a few highlights from each article we discussed:

I’ve Got Steam Heat

  • Hackers are launching new attacks to steal Steam credentials using a Browser-in-the-Browser phishing technique that is rising in popularity among threat actors.
  • So what is the “browser-in-the-browser” technique? 
    • The modern browser is quite a marvel in what it can render and how convincing the fake stuff can look
    • What the phishers are doing here is creating a fake browser window within the active window, which makes it look like a sign-in pop-up page for a login service that the victim is intended to execute
    • With a phishing kit studied by a security researcher going by “mr.Dox,” a malicious actor can create fake login forms for any service—Steam, Microsoft, Google, AltaVista, MySpace, Dogpile, what have you
    • What we’re looking at here is specifically targeting high-value Steam users, whose accounts can be way more valuable than this podcaster ever realized—six figures in some cases
    • But what’s interesting here is that there are two URLs involved here—one legit, and one not legit
      • The first is the not-legit one
      • The sequence of events is that the phisher sends a DM to the would-be victim on Steam; that DM lures them to a phishing site on a malicious domain
      • Once they are there, they are given the browser-in-the-browser login page, and this one goes to the legit site—in this case,
      • But since that fake window is hosted by the malicious actor on their infrastructure, the victim’s credentials are harvested, so it doesn’t matter that they’re logging into legit Steam—the fix is in
  • These attackers are setting their sights on professional gamers, but can this leapfrog to companies who sponsor them? 
    • It certainly is possible; it is an effective technique, so pretty much any account or service where valuable credentials are supplied could be the subject of one of these attacks
    • If you want to know where to look next for a threat within a given domain (not Internet domain), follow the money (or the value, i.e. intellectual property, etc)
  • Group-IB’s research on this malicious group
    • They found the phishing kit used in this case is not widely distributed on the dark web
    • Instead, the actors behind this campaign are recruiting in forums (some on the dark web, some via private Telegram of Discord groups)
    • They appear to do some degree of targeting and vetting of the “workers” they are hiring; these workers get the phishing kit and then receive a cut of the ill-gotten gains from the scheme
  • The links the hackers share with victims go to a site that poses as a company sponsoring and hosting e-sports competitions – so what did we find when we took a look under the Iris Investigate hood? 
    • The domain was imitating a legit e-sports competition site called
      • In this case, the phony URL went to challengermode[.]supply – this is the victim’s first opportunity to spot the scam
      • We looked at challengermode[.]supply in DomainTools Iris Investigate, and found a couple of interesting things
        • The first was that the IP address where that site was hosted contained over 300 other domains, and a lot of them looked sketchy
        • A lot, including challengermode[.]supply, have been taken offline, but looking at the domain names you can tell that they’re looking for login credentials for various platforms
        • There were a few others related to challengermode, and some others related to gaming but using other lures, like inviteroblox[.]team or direct-sony[.]com
        • But where it got really interesting was when we asked Iris to give us all domains that contained the string “challengermode.”
        • There, we got a lot of sites with very high risk scores—a lot had already been put on blocklists and others were predicted to be bad
        • And from these, we could pivot on IP addresses and registrant email information to find even more infrastructure related to either this campaign or others that are trying to use gaming sites as the lures
        • To give you an idea, there were 403 domains that had challengermode within them, and the average risk score for these was 81—that’s really high!
        • And about 75% of those have been created in calendar year 2022, so this is a relatively recent campaign. The average risk of the 2022 cohort is 90
      • We think it’s likely that this campaign originates in a Russian-language location, based on the registrant names in these domain records and based on some of the recruitment messages (one of which states that the original author isn’t a native Russian speaker…but who knows, that may be just an attempt to direct attention away from Russia or its satellites)
      • We did not go all the way down this rabbit hole to find the full extent of the campaign, but it’s certainly several hundred domains
  • What do we know so far about the victimology given that this campaign is going after some big names in the gamer community?
    • Steam accounts are valuable. But we really don’t have a count of victims, whether the high-value ones or the more rank and file players
  • How can we spot a browser-in-the-browser attack?
    • To us, the biggest tell here is that super sketchy domain name—challengermode[.]supply
      • But there is another major way that you can tell if the browser-in-the-browser login page is legit: you can try to resize the window
      • The fake window can be closed or minimized/maximized, but it can’t be resized and it can’t be dragged outside the main browser window (which is to the phony domain)
      • So if you receive an invitation to log in to a service from someone you don’t know, and you get a login prompt in the middle of the page, try those tests—but also pay really close attention to the primary window that has the login in the middle of it
    • Stepping back a bit, two of the major things that we tell folks to do to spot phishing lures are represented here: watching for offers that seem too good to be true, and noting the domain names involved in the lures
    • Now as for whether these offers really looked too good to be true is actually more for competitive gamers to answer than for us
    • But we have seen that the new generic top level domains, like .supply, .club, .top, etc, tend to attract a lot of sketchiness
    • So while this story was about gaming, the takeaway for all of us is that being offered a login prompt after receiving some kind of message is a sequence of events that should raise your healthy paranoia level a bit, inviting deeper scrutiny of the domains and any other artifacts that appear

PuTTY in My Hands

  • Mandiant Managed Defense identified a novel spear phish methodology employed by the threat cluster tracked as UNC4034
  • This is not the first time we’ve talked about bad actors targeting job opportunities – in Episode 129, we discussed the Lazarus group targeting Coinbase hopefuls – but that attack had more to do with infected PDFs
    • This one is a bit different and dare we say, more clever?
    • Certainly, it targets people having hopes and dreams of attaining a better job 
      • We’re sure there were pirates in the olden days tricking people to come aboard the ship for a better job, and then it turns out you’re peeling potatoes in the galley, but we digress
    • The Great Resignation is not exactly behind us, and there are still people looking to improve their position by applying for other jobs, so this is a way of targeting people by giving them false hope 
      • If you troll LinkedIn and see people who are “Open for Work” and review their preferences, you can tailor your target for someone who really wants to work at Amazon, for example, with a fake job offer
    • This one is considered spear phishing because it’s more targeted (it’s not going after 100,000 people at a time and hopefully someone bites) 
    • The bad actors here may be targeting individuals because they care about the companies they currently work for – to get access and leverage that as we’ve seen recently with some pretty prominent companies 
  • So this particular case came from WhatsApp (popular for iOS and Android) and it also has a Windows component, which is pretty important to this scenario
    • The unsuspecting victim responds and directed to download a file which will be sent over WhatsApp
    • Then they go to their computer (which is hopefully a Windows computer, because this malware targets Windows)
      • In the corporate world in America, Windows is still predominant, so the chances of getting to infect a Windows computer is pretty high 
    • They download an ISO file, which is a format used for CDs, CD ROMs, DVDs, etc. Starting with Windows 10, it’s really easy to open these files
    • The ISO file is sent, downloaded, and opened, and inside is an executable called puTTY and a readme file
      • puTTY is SSH client, which prior to Windows 10, had no native option to open up a secure shell connection – so it’s a great option 
    • The instructions then ask the victim to log into a server with a username and password in the readme file and then once you login to the server of the alleged application system, you can fill out some additional information 
      • It feels like the unboxing fad on TikTok or YouTube – so we’ve got the package, let’s open it up and see what’s inside!
  • The final payload is the AIRDRY.V2 backdoor malware, but how is it different from the first version?
    • It’s gotten modularized – the original version supported 30 commands, which can get cumbersome and tricky
    • In V.2, they produced the basic command set to about 9 commands, but one is to fetch and then load a module that has additional capabilities, so it’s much more versatile – it’s totally modular! (which would be part of that unboxing video)
    • The crazy part is, is the puTTY executable you get is no different than the original version
      • You look at the file size though, it’s much bigger because it’s got the first stage of the malware
      • To avoid detection, they also put a clever check where you have to initiate a connection to a system which the malware inside puTTY watches in real time, and only if that happens does it unpack the malicious payload
      • Once THAT happens, it spawns daveSHELL and then that pulls in the AIRDRY, so it’s like the Inception of malware
  • Attribution is always hard, but Mandiant did a good job in their write up 
    • There are some different versions of this floating around with slightly different ways that the payload gets executed (to avoid antivirus detection) 
  • So what if people are job hunting at their current position using their company-issued computer? What mitigations should be considered?
    • First, make your company so good that no one is hunting for jobs on their work computers! 
    • But seriously, don’t use your work computer to hunt for a new job
    • However, we do see people who use their personal computers and the bad actors then leverage things the victim may still be doing for work on those devices
      • Don’t accept opportunities for employment on WhatsApp, unless you have contacted a recruiter on there (which is still kind of odd) 
      • Understand that if something is too good to be true, it probably is
      • This scenario is likely the Internet version of “don’t take candy from strangers.”

Two Truths and a Lie

Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.

You’ll have to tune in to find out!

Current Scoreboard

This Week’s Hoodie/Goodie Scale

I’ve Got Steam Heat

[Daniel]: 4/10 Hoodies
[Tim]: 3.8/10 Hoodies

PuTTY in My Hands

[Daniel]: 3/10 Hoodies
[Tim]: 3/10 Hoodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!