HYAS Investigates Threat Actors Hidden In Gaming Services

Threat Intelligence Report

Date: August 12, 2024

Prepared by: David Brunsdon, Threat Intelligence – Security Engineer, HYAS

Threat Actors Exploiting Legitimate Services to Disguise Traffic

The HYAS Threat Intelligence team has recently observed an increase in malware communicating with subdomains of ply.gg. The domain belongs to Playit.gg, a service built for gamers who want to host multiplayer sessions (Minecraft servers, for example) from machines sitting behind home routers. To do that it hands out a free hostname under ply.gg and acts as a reverse proxy: traffic sent to the hostname arrives at Playit.gg's servers and is relayed onward to the operator's machine, so the operator never has to expose an IP address or open an inbound port. The same properties make the service a ready-made tool for a threat actor who wants to hide malicious infrastructure behind someone else's address space.

This report shows how threat actors use legitimate services to disguise their traffic and hide their true location from investigators: a connection to a ply.gg subdomain resolves to Playit.gg's infrastructure, not to the host actually serving the malware, so an investigator who follows the hostname ends up at the proxy rather than at the attacker. It also draws attention to the ply.gg domain as a potential threat vector for malware-based attacks on organizations and individuals.
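Because the hostnames themselves are the observable here, the simplest check a defender can run is a sweep of DNS query logs for names under ply.gg. The following Python is an added example and not part of the HYAS report; the log format (timestamp, client IP, queried name) and every log line in it are constructed for illustration. It matches on DNS label boundaries so that a name such as supply.gg is not mistaken for a subdomain of ply.gg, and it normalizes case and the trailing root dot that some resolvers log.

```python
import re
from collections import defaultdict

# Suffixes whose subdomains are worth flagging. The report names only
# ply.gg (Playit.gg's tunnel domain); add others according to local policy.
WATCHED_SUFFIXES = {"ply.gg"}

# Constructed sample log in a simplified "timestamp client qname" layout.
# These are not real records.
SAMPLE_DNS_LOG = """\
2024-08-12T10:01:03Z 10.20.0.14 www.example.com
2024-08-12T10:01:09Z 10.20.0.14 abc123.ply.gg
2024-08-12T10:02:11Z 10.20.0.31 supply.gg
2024-08-12T10:02:15Z 10.20.0.31 CDN.PLY.GG.
2024-08-12T10:03:40Z 10.20.0.57 ply.gg
2024-08-12T10:04:02Z 10.20.0.14 deep.sub.ply.gg
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name):
    """DNS names are case-insensitive; a trailing dot denotes the root."""
    return name.rstrip(".").lower()


def matches_suffix(qname, suffix):
    """True when qname is the suffix itself or a subdomain of it.

    The comparison is done on label boundaries: 'abc.ply.gg' matches
    'ply.gg', but 'supply.gg' does not, even though it ends in 'ply.gg'.
    """
    q = normalize(qname)
    s = normalize(suffix)
    return q == s or q.endswith("." + s)


def find_tunnel_lookups(log_text, suffixes=WATCHED_SUFFIXES):
    """Return {client_ip: sorted list of matching query names}.

    Malformed lines are skipped rather than raising, so a partially
    corrupted export still yields the hits it does contain.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _timestamp, client, qname = m.groups()
        if any(matches_suffix(qname, s) for s in suffixes):
            hits[client].add(normalize(qname))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(find_tunnel_lookups(SAMPLE_DNS_LOG).items()):
        print(client, ", ".join(names))
```

A hit is a lead, not a verdict: a gamer on the network produces exactly the same lookups when joining a friend's Minecraft server, so the client list should be correlated with endpoint telemetry (which process opened the connection, whether the host has any reason to run game clients) before anyone treats it as an infection.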

About Reverse Proxies

A reverse proxy is a server that sits between clients and one or more backend servers: it accepts requests from clients, forwards them to the appropriate backend, and returns the backend's response as though it were its own. Clients therefore see only the proxy's address and identity, never the backend's. Operated well, it improves the performance, security, and reliability of the services behind it.

Typical Uses of Reverse Proxies

1. Load Balancing:

      Reverse proxies distribute incoming traffic across multiple servers so that no single server becomes overwhelmed. This improves the availability and reliability of applications, particularly those handling high traffic volumes.

2. Enhanced Security:

      By hiding the backend servers’ IP addresses, reverse proxies add an additional layer of security. They can also block malicious requests, protect against Distributed Denial-of-Service (DDoS) attacks, and serve as a first line of defense in a network security strategy.

3. SSL Termination: