Blog

RiskIQ's Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian heads of state held a summit wherein Russia's aggressive cyber campaigns topped the list of President Biden's strategic concerns. Given this context, RiskIQ’s Team Atlas paid particular attention to APT around and after this summit, which took place on June 16. 

This report will be of particular interest to those tracking APT29 and targets and victims of WellMess/WellMail, who may benefit from the tactical intelligence provided below.

RiskIQ's research team leverages our Internet Intelligence Graph to analyze known campaigns of widely used malware families to fingerprint trends in malicious infrastructure. We recently continued our analysis of Agent Tesla, leading us to identify the XAMPP web server solutions stack being used to serve Agent Tesla and Formbook malware. 

This latest analysis shines new light on the Agent Tesla ecosystem, the TTPs its operatives are using, and how RiskIQ users can now leverage the XAMPP web component to identify hosts that distribute malware and research other potentially malicious infrastructure. 

In our article "Bulletproof Hosting Services: Investigating Media Land LLC," we examined Media Land LLC, the organization ran by cyberthreat mogul Alexander Volosovik. We delved into its hosting infrastructure and activities, including domain registration services that facilitate and enable various malicious campaigns. 

We've done further infrastructure analysis to connected our previous research on Media land activities, including our articles on the Grelos Skimmer, the Inter Skimmer, and Bulletproof hosting, to Volosovik's domain registration and fast-flux services. Fast flux is a DNS technique used to mask botnets by quickly shifting among a network of compromised hosts, which act as proxies to enable criminals to evade detection.

Here, we'll analyze Volosovik's fast-flux offering patterns as seen in RiskIQ data, using several indicators to identify additional aliases, accounts, and domains connected to Volosovik. As we surface these digital relationships, we'll be able to connect previous research from RiskIQ and other security companies to Volosovik's services, showing their prevalence across the global threat landscape. 

Today Microsoft announced its intent to acquire RiskIQ, representing the next stage of our journey that's been more than a decade in the making. We couldn't be more excited to join forces to enable the global community to defend against the rising tide of cyberattacks. 

RiskIQ was conceived to preserve the original promise of the Internet—bringing people together. Connecting people across the world and making sure those connections are safe is something worth defending every single day. That hasn’t changed.

When RiskIQ first launched, the digital enterprise was shifting to the Internet, the start of digital transformation. SaaS; Mobile apps were suddenly everywhere; the cloud was becoming the basis of development—essentially, the Internet was becoming the network, and the extended enterprise was born.

What happens in the span of a minute across the internet? 

Lately, we've seen the global threat landscape get broader, more chaotic, and more unpredictable. As the internet grows, so does the scale of threat activity targeting organizations, which expanded their digital presence and accelerated their cloud adoption in the wake of the COVID-19 pandemic. 

Our 2021 Evil Internet Minute aims to illuminate the top threats facing organizations today and put the year's cybersecurity research into context by framing it on a micro-scale. We leveraged our Internet Intelligence Graph and favorite third-party findings to closely examine the malicious activity that transpires across the world every 60 seconds. 

Bulletproof hosting (BPH) is a collection of service offerings catering to internet-based criminal activity. These businesses often operate in a grey area, attempting to appear legitimate while shielding the illegal activity they host from disruption amid abuse complaints and takedown requests. Providers often foster relationships with authorities in countries prone to corruption or otherwise unconcerned with certain types of illicit activity. 

TrendMicro summarized BPH in a great graph covering three different types of BPH providers: those using stolen/compromised assets, those with a short-term lease, and providers leveraging their own data center/co-location.

In this first post in a new series of articles, we'll focus on bulletproof hosting providers with more established infrastructure, including Media Land LLC, one of the most infamous providers in the threat landscape. Our analysis of this infrastructure surfaced thousands of domains linked to threat campaigns of all kinds, showing the ubiquity, and utility, of bulletproof hosting providers. 

In much of our recent analysis of threat infrastructure, we've seen the digital credit card skimming ecosystem grow as we uncover more actors, tooling, services, and economies that comprise it. We also see distinct patterns emerge in the infrastructure used and shared by these entities. 

Over the last few years, Alibaba IP space has hosted many domains used for digital skimming and other malicious behavior. As bulletproof hosting providers host a considerable portion of skimming campaigns, the popularity of Alibaba IP space may result from one of these bulletproof services abusing Alibaba hosting services. Recently, some of these domains have also abused Google user content hosting.

While investigating infrastructure related to the MobileInter skimmer, our researchers found that a Google IP address briefly played host to one of its skimmer domains. This IP then hosted a domain offering a helpful service for card skimmers, allowing them to authenticate stolen payment data for a fee. From this data point, RiskIQ's Internet Intelligence Graph helped our researchers identify several related websites, services, and social media accounts connected to this authentication activity known as bit2check. Some bit2check domains share the same hosting pattern as Magecart domains observed abusing Alibaba and Google hosting services.

The Microsoft Exchange vulnerability was a global-scale security issue that affected thousands of organizations across the world. With the prevalence of Microsoft Exchange servers across the global attack surface, the sheer size of this incident goes well beyond security. In reality, this is a big data problem. 

RiskIQ has continuously collected internet data for more than a decade to put the vulnerability's scope into context so our customers can respond rapidly. However, in the process, we noticed that not all countries are patching this critical vulnerability effectively. 

The results of scans from our global sensors show that despite this being a ubiquitous issue, each country has reacted very differently, with patching success varying wildly across borders and continents.

How did different organizations and hosting providers fare in different regions around the world? We looked at our data to break it down:

The Sysrv-hello botnet is deployed on both Windows and Linux systems by exploiting multiple vulnerabilities and deployed via shell scripts. 

Like many of the threat actor tools we've covered, it continuously evolves to fit the needs of its operators and stay ahead of security researchers and law enforcement. 

Over time, there have been several slight changes in the shell scripts that install the Sysrv-hello implant on machines. There have also been incremental changes in how the executable gets deployed on host systems. In our latest threat intel analysis, RiskIQ researchers have identified one of its latest developments, including the use of drive-by downloads and two new Monero wallets.