In our article "Bulletproof Hosting Services: Investigating Media Land LLC," we examined Media Land LLC, the organization ran by cyberthreat mogul Alexander Volosovik. We delved into its hosting infrastructure and activities, including domain registration services that facilitate and enable various malicious campaigns.
We've done further infrastructure analysis to connected our previous research on Media land activities, including our articles on the Grelos Skimmer, the Inter Skimmer, and Bulletproof hosting, to Volosovik's domain registration and fast-flux services. Fast flux is a DNS technique used to mask botnets by quickly shifting among a network of compromised hosts, which act as proxies to enable criminals to evade detection.
Here, we'll analyze Volosovik's fast-flux offering patterns as seen in RiskIQ data, using several indicators to identify additional aliases, accounts, and domains connected to Volosovik. As we surface these digital relationships, we'll be able to connect previous research from RiskIQ and other security companies to Volosovik's services, showing their prevalence across the global threat landscape.
Alibaba and the 40 (and More) Digital Thieves
Our last article connected Volosovik and Media Land to email addresses and organizations used to register thousands of malicious domains. A common thread between these domains, covered in blog posts by RiskiQ and our colleagues at Malwarebytes, Sucuri, and others is Alibaba hosting services.
For instance, just one Alibaba IP links to several domains related to Magecart that appeared in July 2020. Many of these magecart domains were registered using one of three email addresses. While one of these is known to belong to Volosovik and Media Land, the other two appear to be related through hosting patterns in their domain registrations. These latter two appeared in our analysis of Inter Skimmer Kit.
Examining just three domains registered by each of its respective email addresses connects 32 total Alibaba and 45 Sectel IPs. Many other domains tied to these emails displayed the same hosting pattern, switching between Alibaba or Selectel IPs every few days. Often, the domains switched to the same IPs simultaneously regardless of which email address was used to register them.
These domains all display another tactic favored by Volosovik, using DNSPod as their DNS provider. In a 2019 post, Volosovik (under his pseudonym yalishanda) confirmed that his service uses "verified DNSPod accounts" to edit DNS records.
1,001 Hosts (Pointing to Fast Flux)
As discussed in our blog posts on the MobileInter skimmer and the Bit2check carding actors, we observed hosting activity for malicious domains switching back and forth between Alibaba and Google IP space. These patterns lead us to conclude that a service was provisioning Alibaba and Google IP space for bad actors.
In another article covering the intersection of Media Land hosting and Magecart, we pointed to a registration email possibly connected to Media Land due to overlapping hosting patterns and similarly prolific malicious registrations. To date, the email has registered 1,001 hosts.
A direct connection between Media Land and digital card skimming was created in August 2020. This same email address behind the 1,001 hosts registered a domain that initially appeared on a Media Land IP before switching to Alibaba hosting. Other domains registered by this email also demonstrated these tell-tale TTPs.
The above email address also registered two Magecart domains, which also switched between numerous Alibaba and Google IPs and used DNSPod DNS services through June of 2021. Since June, both these domains have been hosted on DigitalOcean IP space. In March 2021, Intel471 stated that Volosovik offered a fast-flux service that was "buried in the noise of top-tier cloud service providers — like Alibaba, Google Cloud, and Selectel, among others…."
Identify Patterns, Link Infrastructure, Uncover Threat Actors
Tracking and uncovering threat infrastructure are critical in protecting your organization as threat actors switch and rotate the infrastructure they use to conduct attacks. Cutting through the noise with RiskIQ data allows us to see Volosovik's services supporting malicious activity and spot fast-flux techniques meant to evade detection.
Be sure to check in on RiskIQ's Threat Intelligence portal as we continue to track the malicious infrastructure ecosystem and publish the intelligence that can help you defend your organization. For the full report and complete analysis, including IOCs, visit the intelligence card here.