Cybercriminals do not operate as lone wolves. One of the most significant developments over the last two decades is how cybercriminals have developed services and products that are sold to other cybercriminals. This development, known as cybercrime-as-as-service, has lowered the entry barrier into cybercrime, enabled threat actors to specialize and allowed internet-based crime to flourish at scale. For example, a bad actor doesn’t have to code malware — it can be purchased in underground markets. The distribution is taken care of by botnet operators, who offer spamming services to send malware to victims. Victims can be selected by buying database dumps with email addresses from other vendors who trade and sell data breaches. But spam has to be sent from somewhere, and malware has to be hosted somewhere on the internet. This is where we arrive at the most fundamental infrastructure requirement for cybercrime: connectivity. Actors can’t commit crimes on the internet if they don’t have access to it.
Internet service providers (ISPs) are a key partner in stopping malicious activity. Most ISPs accept abuse complaints from law enforcement agencies, their peers, security researchers and other sources. If there is a machine on their network that is serving malware, the machine can be taken offline and the offender’s account revoked. Cutting cybercriminals off from the internet would seem to be the logical course of action. But what if the service provider doesn’t respond to an abuse request? What if the organizations providing connectivity comprise a murky chain of unresponsive shell companies with false registration information? This “bulletproof” hosting (BPH) is sought-after by malicious hackers, spammers, malware distributors and botnet operators. BPH allows cybercriminals to conduct certain types of activity with a low risk of being shut down, or at least a guarantee of a period of time when harmful activity can be carried out before it’s shut down.
Stopping BPH is a frustrating, winding rabbit hole. BPH providers have honed an internet version of the shell game that makes it difficult to permanently boot them from the internet. BPH providers carefully evaluate local laws and calibrate their accommodation of different types of illegal activity, disallowing activity that would trigger more aggressive shutdown attempts (think hosting abusive imagery). More resilient and obfuscated network arrangements may allow for riskier types of crime, such as credit card fraud or phishing pages. BPH providers often operate in regions where law enforcement may have less interest or few resources to investigate their operations. Additionally, BPH providers use a variety of complex technical arrangements to make takedown and abuse requests difficult. This can involve buying IP address ranges from other nefarious bulletproof providers, using fast-flux hosting and routing malicious traffic through ever-shifting proxy and gateway servers in other regions. Another frustrating aspect of BPH is its long-term persistence. Several popular BPH services are run by threat actors whose real-life identities have been known for a decade or more in some instances.
The goal of cybersecurity defenders is to stop malicious activity as close to the start of the kill chain as possible. A crucial aspect of this is preventing communication with malicious domains and services, which are often hosted on BPH providers. For example, consider an employee that receives a phishing email that contains a link to a domain purported to host a software update. However, the update is actually a “loader” — a type of preliminary malware used by threat actors to gain a foothold on a machine. If an organization can get insight into the IP address ranges or autonomous systems (ASs) that are known to belong to a BPH provider, the domain or IP can be blocked by a firewall or forward proxy server if the employee clicks the link.
BPH services consistently change their ASs and IP ranges. Tracking these changes can allow defenders to quickly block access to new networks. For example, if a threat actor that has long been known to run BPH services and creates a new front company linked to a new but very small AS, it’s possible to say with high confidence that any of those IP addresses are likely to be malicious and thus safe to completely block. This type of high confidence and high-fidelity threat intelligence is possible because of the collection of historical technical intelligence and continued adversary monitoring.
The chart below characterizes how technical indicators related to BPH tend to change. Indicators of compromise (IoCs) and IP/domains constantly shift, but BPH services can still be tracked to provide real-time intelligence. Observing changes in BPH infrastructure allows security teams to stay ahead of criminal operators and proactively prevent cyber threats. There are also less volatile data points, such as ASNs, front companies and threat actors, that can be used for accurate, predicative calculations of malicious activity.
The following section outlines prominent players in this arena that have operated for years as BPH providers and provides a description of their operations.
Actor yalishanda
The threat actor yalishanda has been one of the most prolific BPH suppliers in the cyber underground. The actor’s infrastructure has been associated with the Snatch Team data extortion and ransomware group, the defunct GandCrab ransomware, Smokeloader malware, phishing attacks and malware distribution. The actor’s real name is Alexander Alexandrovich Volosovik, who is a Russian national operating out of Russia and previously worked in Beijing, China. “Yalishanda” is a colloquial Chinese spelling for “Alexander.” The actor’s real name has been known to us since early 2017 due in part to the use of the name that indicated an accurate identity when verified and cross-referenced against other identifiers. Volosovik’s name eventually surfaced publicly in 2019.
What’s the service? The actor offers an ever-changing reverse proxy network. The network provides a pool of IP addresses customers can use for a wide range of activity, such as phishing websites, ransomware data leak blogs and malware command and control (C2) sites. To provide added resilience, the service “fluxes” or rotates the clients’ domains across the pool of IP addresses at a particular interval of time. Fast flux is a technique that enables a domain name to change IP addresses at frequent intervals as short as a few minutes, which makes blocking traffic to those new IPs an unending chase. The actor also provides domain registration services for an extra cost.
Does yalishanda have any aliases? The actor uses a variety of business names, including newer ones. These front-facing companies offer a veneer of legitimacy by appearing to be technology-related entities registered in different regions in Russia. The actor has long operated under a company named Media Land LCC, which is registered under Volosovik’s name and lists an address in St. Petersburg, Russia.
Recent malicious activity: The actor’s infrastructure recently hosted phishing campaigns targeting online retailers, technology companies, banks and government agencies around the world.
PQ Hosting
Perfect Quality Hosting aka PQ Hosting is not as technically complex as other BPH offerings but is nonetheless a player in this market. It appears as a legitimate hosting provider but some of its infrastructure has been linked to malicious activity. It has a clear web site that offers “superservers” in the Netherlands. It has gone by other names in the past, including MoreneHost.
Why is it bad? Scraping below the surface of this company reveals its links to underground activity. An actor using the name pqhosting has promoted the service on at least 14 different cybercrime forums. Infrastructure linked to PQ Hosting has ties to ransomware, malware variants and cryptocurrency “mixers,” which aim to help cybercriminals launder cryptocurrency. A notable actor linked to the service is the DarkSide ransomware group, which infected the U.S. energy company Colonial Pipeline in 2021 and resulted in the shutdown of its critical energy pipeline as a precaution. Its infrastructure has also hosted the FiveHands aka HelloKitty ransomware.
What’s with the name change? PQ Hosting used to be called MoreneHost, but MoreneHost was forced to rebrand. The service now is one of the most popular in the underground, and it appears to be growing, including the launch of new data centers. This likely indicates the actor will further develop capabilities, balancing some legitimate hosting business while in parallel serving the underground community.
Who does it appeal to? The business PQ Hosting SRL is officially registered, and the company’s website shows no indication the service is tolerant of illegal domains. This likely is an attempt to add legitimacy to the business and obscure its bulletproof tendencies, which is evidenced by the advertisements on both Russian- and English-language underground forums.
Actor ccweb
Who is ccweb? The Russian-speaking actor ccweb is a prolific provider of BPH services and has been active in the underground since 2010. The actor has worked with high-profile cybercrime gangs, which is indicative of ccweb’s reputation in the underground.
How does the actor’s service work? The actor’s infrastructure is designed as a content delivery network (CDN) rather than a hosting provider. Customers supply an IP address for where the content is hosted, and ccweb’s complex infrastructure of fast-flux proxy nodes is used to provide resiliency. This system has been used to support cybercrime forums, infrastructure for malware services and ransomware groups, online stores for credentials and card information and phishing sites. Some of the online stores remained connected to the internet for a year or more. The actor’s infrastructure was linked to the LockBit 2.0 ransomware-as-a-service (RaaS) operation for more than six months. The LockBit ransomware family was one of the most common ransomware variants deployed globally in 2022 and 2023.
Where is the infrastructure? The threat actor regularly adds and drops IP address ranges that form proxy nodes within the infrastructure. Some of those IP address ranges trace to ISPs in Saudi Arabia, Mexico and the Dominican Republic. The actor also offers fast flux on infected computers in regions including Asia, Africa and the Middle East, making it difficult to block content served due to changing IP addresses.
What malware has been linked to ccweb? The threat actor’s services have been linked to ransomware variants including Bad Rabbit, GandCrab, LockBit 2.0 and STOP/DJVU. Numerous malware samples distributed via ccweb’s infrastructure include BankBot, Dreambot, Godzilla, Gozi ISFB, Nymaim, Pony Loader, Privateloader and SmokeLoader.
Summary
BPH services are highly sought-after by those in the cybercriminal underground. Targeting and blocking BPH providers can be one of the most effective defense mechanisms from a cost-benefit perspective that can often halt malicious activity early in the kill chain. The key is operationalizing real-time threat intelligence about BPH services when there are changes. Blocking IP ranges associated with known or probable malicious behavior protects systems from being inadvertently infected. This also has another effect: it raises the cost for adversaries. If threat actors buying BPH services are not seeing a return on their investment, the BPH providers must expend more resources to change up infrastructure to provide services that are more resilient. This is a way to counter the cybercrime-as-a-service ecosystem as well as aid in defense.
