In our analysis of threat infrastructure spanning the global attack surface, we see bulletproof hosting providers continue to play an integral role in threat campaigns and provide essential services for cybercriminals. Flowspec, a bulletproof hosting provider that has been around since October 2018, is a one-stop-shop for threat groups, facilitating phishing campaigns, malware delivery, Magecart skimmers, and large swaths of other malicious infrastructure.
The service's IP space enables phishing campaigns that have targeted various banks and domain names spoofing the Steam Community, Counter-Strike: Global Offensive, and Amazon. Flowspec also facilitates the theft of payment data by hosting several Magecart domains. Researchers have associated many different malware files with Flowspec IP space, including banking trojans, ransomware, various backdoors, and more.
- Bulletproof servers
- Bulletproof VPS
- WAF / Bulletproof proxy
- Protected RDP
- Generation of .onion domains
- Setting up a jabber server
- Secure VPN
- Cloud backup
While they have often publicly advertised bulletproof hosting services, In August 2021, RiskIQ noticed a change in Flowspec's website, observing that it moved to the Tor network. The Flowspec website contained content advertising their various services only two weeks before we analyzed them in our August 11 Threat Intelligence Portal article Magecart Group 8 Real Estate: Hosting Patterns Associated with the Skimming Group.
Flowspec and Domain Spoofing - Financial Services in the Crosshairs
Many of the domains that have resolved to Flowspec IP addresses have spoofed known banks, online gaming platforms, and video games. These spoofed domains are most likely involved with phishing campaigns crafted to access accounts or goods available on the target platform.
One notable example was the many variations of domains mimicking Steam Community websites that likely target Steam users. Sixty-four domains containing "steam" resolved to a Flowspec IP address. Suspicious activity with some of these domains occurred as early as August 2017, before the existence of Flowspec IP space. You can see the latest domains, which may still be involved in Steam phishing campaigns, in our Threat Intelligence Portal, although most are pointing to parked pages.
Many suspicious domains resolving to Flowspec IP space also included generic banking terms, including specific bank names. For example, Bank Austria had an extensive phishing campaign from October to December 2019 and May 2020. RiskIQ researchers observed similar DGA domain patterns with banks such as Easybank, Deutsche Kreditbank, and other keywords associated with banking such as "ebanking" and "service card" on .icu, .info, and .xyz TLDs.
Most of these domains resolved to a Flowspec IP address for less than a day and sometimes for just a few seconds to a few minutes. You can find the complete list of these domains generated using a domain generation algorithm (DGA) in RiskIQ’s Threat Intelligence Portal (TIP).
Flowspec and Magecart - At Least 19 Domains
In mid-August 2021, RiskIQ published a report on Magecart Group 8's use of Flowspec infrastructure. Since April 2019, RiskIQ has detected at least 19 domains associated with Magecart, which you can see in the TIP.
Flowspec Transcends the Ransomware World
Domains resolving to Flowspec IP addresses were associated with seven ransomware files, including Ryuk, Genasom, Ergop, Ymacco, Sodinokibi, Gandcrab, and Crysis. Many of these domains are already expired or no longer active. You can see the list of these domains and their associated ransomware in the Threat Intelligence Portal. Note that some have been associated with more than one type of ransomware.
In May 2020, the domain blognews-journal[.]com was also reported on by Sentinel One as a C2 for Sarwent backdoor file. One of the other domains associated with this sample resolved to the same Flowspec IP address.
Flowspec and Other Malicious Infrastructure
Several domains that have resolved to Flowspec IP address have hosted many malicious files over time. One domain has hosted close to 800 files detected as malicious by VirusTotal. Most of these samples were info stealers and some remote access files.
Two other domains, each associated with nearly 400 unique hashes, were, as mentioned above, both associated with different types of ransomware. Other malware files include Azorult, Tiggre, Azden, Glupteba, CeeInject, CryptInject, Neshta, and Ramnit.
Recent activity occurring since June 2021 (based on the date that RiskIQ observed the hash) included Azorult and Glupteba samples on three different domains, which you can access in the TIP
Understanding Your Adversaries Means Understanding What Enables Them
Flowspec is yet another bulletproof provider, the likes of which have become a bedrock of the criminal underworld. Phishing campaigns using Flowspec target financial sector customers and many other themes, and the provider has been implicated in a variety of ransomware campaigns.
Flowspec proudly promoted itself on the open web, but it has more recently moved its public-facing website to the Tor Network. Its current IP allocation of 188.8.131.52/24 should be considered suspicious, if not outright malicious.
The ability to map threat-infrastructure connections to these nefarious services has become a fundamental tenet of threat intelligence and crucial to understanding the threats facing your organization. Find out more about Threat Intelligence fortified with infrastructure analysis, and visit the TIP to explore our full analysis of Flowspec, including all IOCs referenced in this article.