New Research Uncovered Dark Internet Service Providers Used For Hacking

Bulletproof hosting services, a type of dark internet service provider, offer infrastructure to cybercriminals, facilitating malicious activities like malware distribution, hacking attacks, fraudulent websites, and spam. 

These services evade legal scrutiny, posing a significant challenge to global cybersecurity. Understanding and identifying bulletproof hosting networks is crucial for cybersecurity researchers, law enforcement agencies, and enterprises. 

By recognizing these services, researchers can uncover potential sources of malicious activities, law enforcement can target the root of cybercrime, and enterprises can develop more robust security strategies to protect against emerging threats.

Cybersecurity researcher “Fox_threatintel” identified three IP addresses (185.215.113.25, 185.215.113.9, and 185.215.113.67) associated with Redline C2 infrastructure.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

These IP addresses, hosted by ELITETEAM, a bulletproof hosting service provider, operate within a network segment known for its lax regulation and association with malicious activities. 

Bulletproof hosting services, often located in countries with weak legal enforcement, enable cybercriminals to evade detection and perpetrate various illegal activities, including malware distribution, phishing, and ransomware attacks.

Cybercriminals are able to carry out their malicious activities without fear of repercussions when they use bulletproof hosting services like ELITETEAM. 

The services offer highly concealed and anti-censorship hosting, enabling cybercriminals to evade law enforcement and carry out large-scale phishing attacks, web application attacks, ransomware propagation, and botnet support. 

By hosting malicious infrastructure, these services contribute to the spread of cybercrime, disrupting businesses, compromising sensitive data, and undermining global cybersecurity efforts.

An investigation into network segment 185.215.113.0/24, suspected to be bulletproof hosting, revealed several indicators. All 256 IPs were flagged malicious by VirusTotal and ThreatFox identified malware families like Amadey and RedLine. 

ZoomEye identified common open ports for remote access, web services, email, and potential command-and-control, while analysis of SSL certificates and JARM values pointed to a high degree of customization within the network segment. 

Afterwards, the investigation was broadened to include IP addresses that were connected to one another based on shared SSL certificate fingerprints and distinctive HTTP content. 

This expansion identified potentially associated IPs in different ASNs and suggested 185.208.158.0/24 as another bulletproof hosting network due to shared AS location, route relationships, SSL certificate overlap, and a high percentage of malicious IPs identified by VirusTotal.

A cybersecurity researcher identified three Redline C2 IP addresses within a bulletproof hosting network and revealed that this network, along with the associated network segment 185.208.158.0/24, is likely controlled by a single hacker group. 

The shared SSL certificate fingerprints, the overlapping timelines of malicious activity, and the geographical proximity all contribute to its support. 

The bulletproof hosting provider, ELITETEAM, based in the Seychelles, is known for facilitating cybercrime operations, making this network a hub for malicious activities.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free