Bulletproof hosting (BPH) is a collection of service offerings catering to internet-based criminal activity. Shinjiru is another BPH provider that appears frequently in threat infrastructure. The Malaysian hosting company shields its customers, their web content, and their servers from takedown requests, acting as a safe harbor for questionable or illicit activity.
Shinjiru's IP space has a history of use for malicious activities such as malware distribution, scams, phishing, and business email compromise, among others. The company, which is also an ICANN-accredited registrar, has been allocated over 20,000 IP addresses by APNIC and maintains its own data centers in Malaysia.
In this post, we explore examples of the malicious activity facilitated by Shinjiru, highlight the infrastructure owned by the hosting company, and examine connections between Shinjiru and other bulletproof hosters.
Shinjiru: An "Offshore" Hosting Provider
Shinjiru Technology Sdn Bhd is a Malaysian hosting company allocated 21,504 IP addresses, operated under autonomous system number AS45839, plus additional IP ranges it rents from other hosting providers. Bulletproof providers often work in a grey area, attempting to appear legitimate while shielding the illegal activity they host from disruption in the face of abuse complaints and takedown requests.
Shinjiru bills itself as an "offshore" hosting provider focused on maintaining the anonymity of their customers and protecting them and their web content and servers from being taken offline. Their website states that they "ignore the DMCA and takedown requests… As an offshore jurisdiction, Shinjiru can offer any type of anonymous hosting worldwide."
In the case of Shinjiru, "offshore" means "bulletproof." The website emphasizes the word as a signal to potential customers that they are beyond the reach of effective law enforcement or regulatory actions. It appears fourteen times on their "Bitcoin Hosting" page alone.
Shinjiru's domain registration page highlights which top-level domains (TLDs) are not under ICANN or subject to the laws of the United States. Every TLD on the page except .com promises "No DMCA Shutdown" and "No Censorship."
Shinjiru can also provide hosting services in eight "offshore" locations: Malaysia, Bulgaria, The Netherlands (or "Holland," as their webpage calls it), Hong Kong, Lithuania, Luxembourg, Russia, and Singapore.
The bulletproof provider's support portal reassures customers that it will make every effort to warn them before disrupting their activities if it is forced to do so, and it even gives guidance on evading Spamhaus listings.
Shinjiru has a history of providing hosting services for malicious activity. For example, OceanLotus (APT32) used a Shinjiru website to register malicious domains. In 2018, Cisco's Andrea Kaiser published a blog post identifying nameservers that serviced malware command and control (C2) domains and provided fast-flux DNS to malicious botnets.
In 2020, Gary Warner, Director of Research in Computer Forensics at the University of Alabama at Birmingham, penned an article on his blog covering an investigation of websites selling illicit opioids and fentanyl. He and Dr. Elizabeth Gardner, head of UAB's Forensic Sciences program, found a cluster of drug-selling sites registered through and hosted by Shinjiru belonging to a company called Verdina Ltd.
Verdina Ltd. is registered in Belize but also appears to be in Bulgaria. Verdina rents several of its IP blocks to Shinjiru. Most of Verdina's other blocks are rented to other questionable hosting entities such as theOnionHost or RackSrvr LTD. We'll take a closer look at Verdina in future articles.
Warner covered additional malicious activity on that same netblock, including phishing and tax refund scams, that points to a cluster of nameservers, including several subdomains and nameservers hosted on Shinjiru IP addresses. Warner also states that these nameservers are used by a group of scammers carrying out business email compromise (BEC).
Recent posts on Shinjiru's live support website, 247livesupport.biz, confirm that Shinjiru directly operates these domains and their associated nameservers, in addition to several other domains and nameservers that you can view in the RiskIQ TIP. These nameservers connect to thousands of domains, many of which are clearly intended for malicious purposes.
You can see all the threat infrastructure linked to Shinjiru uncovered in this investigation in RiskIQ's Threat Intelligence Portal here.
Linking Bulletproof Infrastructure Illuminates Threats to Your Organization
Shinjiru's relationships with other providers can be seen through rented IP space and routing connections, and those relationships can be used to identify additional bulletproof hosting companies. Providers often foster relationships with authorities in countries prone to corruption or otherwise unconcerned with certain types of illicit activity. Traffic to or from Shinjiru's IP space, or to domains registered with the company, should be treated as suspicious.
Tracking and uncovering threat infrastructure is critical to protecting your organization from this top web-based threat. Check in on RiskIQ's Threat Intelligence Portal as we continue to track bulletproof hosting activity and infrastructure and publish the intelligence that can help you defend your organization.
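The two defensive pivots this post describes, treating traffic to a bulletproof provider's IP space as suspicious and pivoting from a provider-operated nameserver cluster to the domains delegated to it, can be turned into a small log check. The script below is an added example written for this post, not RiskIQ's or Shinjiru's code. The AS45839 prefixes, the nameserver watchlist, the passive-DNS records, and the proxy log lines are all constructed placeholders in documentation address space; a real deployment would load the announced prefixes from BGP/WHOIS data and the nameserver list from the intelligence card.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Placeholder prefixes standing in for AS45839's announced ranges (constructed
# from documentation space; obtain the real list from BGP/WHOIS data or a TIP export).
WATCHED_PREFIXES = {
    "AS45839": [
        ipaddress.ip_network("203.0.113.0/24"),
        ipaddress.ip_network("198.51.100.0/24"),
    ],
}

# Placeholder nameserver watchlist (constructed names standing in for the
# provider-operated nameservers identified in the investigation).
WATCHED_NAMESERVERS = {"ns1.bph-example.test", "ns2.bph-example.test"}

# Constructed proxy-log format: "<timestamp> <src_ip> <dst_ip> <hostname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<host>\S+)$")


def match_prefix(ip_str: str) -> Optional[str]:
    """Return the watched ASN label whose prefix contains ip_str, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # not an IP literal; nothing to match
    for asn, prefixes in WATCHED_PREFIXES.items():
        if any(ip in p for p in prefixes):
            return asn
    return None


def match_nameserver(hostname: str, ns_records: dict) -> Optional[str]:
    """Walk up the hostname's labels and return the first watched NS found.

    ns_records maps a domain to its NS set (e.g. exported from passive DNS),
    so a subdomain is caught through the delegation of its parent.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        for ns in ns_records.get(candidate, ()):
            if ns.lower().rstrip(".") in WATCHED_NAMESERVERS:
                return ns
    return None


def scan_log(lines: Iterable[str], ns_records: dict) -> list:
    """Return one finding per log line that touches watched infrastructure."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        reasons = []
        asn = match_prefix(m["dst"])
        if asn:
            reasons.append(f"dst {m['dst']} in {asn}")
        ns = match_nameserver(m["host"], ns_records)
        if ns:
            reasons.append(f"{m['host']} delegated to {ns}")
        if reasons:
            findings.append({"ts": m["ts"], "src": m["src"], "reasons": reasons})
    return findings


# Constructed sample input: three proxy log lines plus one malformed line.
SAMPLE_LOG = [
    "2021-03-01T10:00:01Z 10.0.0.5 203.0.113.7 shop.example-scam.test",
    "2021-03-01T10:00:02Z 10.0.0.8 192.0.2.44 corp.example.com",
    "2021-03-01T10:00:03Z 10.0.0.9 192.0.2.99 login.mail.example-scam.test",
    "garbage line",
]

# Constructed passive-DNS style NS records keyed by registered domain.
SAMPLE_NS = {
    "example-scam.test": ["ns1.bph-example.test", "ns2.bph-example.test"],
    "example.com": ["ns.legit.test"],
}

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, SAMPLE_NS):
        print(finding)
```

The first sample line is flagged twice (destination IP inside a watched prefix and hostname delegated to a watched nameserver); the third is flagged only through its parent domain's delegation, which is the nameserver pivot the post describes; the legitimate line and the malformed line produce nothing.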
For the full report and complete analysis, including IOCs, visit the intelligence card here.