Si Cyber Intel: ‘Sochi’ Launches Bulletproof Hosting Service For Malware Operators & Spammers
The sophisticated actor profile “Sochi” is well known on the dark web and on higher-tier hacking forums such as Exploit and Verified as the primary moniker used by two Russian-speaking persons. The malicious cyber group Sochi is known to be involved in a number of operations ranging from formjacking and malware to buying and selling credit cards and compromised e-commerce sites, and to selling an Android Trojan called “Red Alert” on these forums. Researchers have also identified that Sochi operates and sells a JS Sniffer named “Inter”, and that it has been linked to a number of financial fraud cases targeting US banks and payment systems such as SunTrust, Wells Fargo and PayPal. The cybercrime group has recently been recognised for operating a highly advanced bulletproof hosting service catering to malware and spam operators. Researchers from the Insikt Group believe that, given the sheer number and comprehensiveness of the criminal operations linked to Sochi, they are a highly sophisticated threat actor group.
Image 1: Recent events involving Sochi
Source: RecordedFuture/Insikt Group
What are Bulletproof Hosting Services (BPHS)?
The web hosting services most of us are accustomed to are run by companies that operate a facility, usually called a data center, containing large numbers of servers. Everything on the Internet needs somewhere to reside. Hosting companies provide space on these servers, which customers either own or lease, along with the Internet connectivity that lets people reach the websites and data hosted there. Most such services have strict policies about what can and cannot be stored on their servers.
Bulletproof hosting operations work like regular web hosting, but these companies take a “don’t ask, don’t tell” approach. They are often located in countries with more relaxed laws about what type of content may be hosted on their servers and with weaker extradition arrangements, making it easier for their customers to evade law enforcement.
What kind of threats reside on these servers?
- Exploit Kits: These servers can host exploit kits, which are malicious toolkits that attackers use to help exploit a computer. The kits are methods of injecting malware onto an unsuspecting user’s machine via software vulnerabilities.
- Botnet Command and Control Centers: A botnet command and control center is the master controller of a botnet. Botnets are collections of computers infected by malware that let the attacker control them in order to send out spam, malware and spyware, and to compromise further computers, turning each into another bot in the group.
Nefarious Storage Services:
- Data Stashes: They can also store stolen data that has been obtained via data breaches, corporate espionage, credit card databases and more.
- Malware Storage: Hackers can store their entire malware and tool library on these remote servers, as these servers provide much larger storage options than a home computer.
- Black Market Websites: People can also host “hidden” websites on these servers. These sites host pornography, online gambling, and black-market websites on the deep web. Other black-market websites can have anything under the sun sold on them, such as credit card numbers, fake passports, drugs, illegal animals and even offer services such as hit men and hackers for hire.
The Sochi Cyber Threat Actor
The threat actor group “Sochi” is a moniker primarily active on the high-tier hacking forum Exploit, where they have made over 500 forum posts since registering in March 2017. This threat actor profile focuses specifically on the group’s activity on Exploit, as this is where they are most active on a day-to-day basis. Sochi is involved in a wide variety of criminal operations: malware development, bulletproof hosting, e-commerce site compromise, a cash-out service, purchasing compromised banking credentials, and others. Sochi has been observed by the cyber threat intelligence community operating on the forums Verified and Club2CRD under the usernames “xx5” and “SSN,” respectively. Insikt Group was able to link these usernames together as a single threat group because they frequently posted the same content across different forums and shared combinations of the following Jabber accounts:
- Older Jabber accounts that are seemingly no longer in use include:
Targeting E-Commerce Sites
On this subject, Insikt Cyber Threat Intel Group stated: “It is nearly certain that the threat actors behind Sochi use Inter themselves to target credit card data from e-commerce websites. In October 2018, Sochi created a thread on Exploit stating they were buying access to e-commerce sites running Magento, OpenCart, and e-commerce platforms located in any nation other than those of the CIS. Sochi stated they were willing to pay up to $8,000 for each. The seller must have access to the compromised site’s admin panel or an active shell, the site must have its own payment form, and the site must process at least three credit card transactions per day. Sochi is frequently seen bidding on e-commerce sites being sold by various actors in the auction section of Exploit forum.”
Insikt Threat Intel Group assessed with high confidence that Sochi monetizes at least some of the stolen credit card data by reselling it to the threat actor “LookingtoBuy” (Intelligence Card). LookingtoBuy is a bulk buyer of CNP payment data of US cardholders who has generally positive feedback from forum members. Both Sochi and LookingtoBuy have stated publicly on multiple occasions that they work with one another.
With regard to Sochi’s bulletproof hosting, Insikt Group further stated: “Analysis of discussions on Exploit forum show that Sochi is likely partnered with three different bulletproof hosters who provide hosting for Red Alert specifically: “volhav” (Intelligence Card), “Whost” (Intelligence Card), and “yalishanda” (Intelligence Card). All of these actors posted messages to the Red Alert sales thread describing Sochi as a “partner” or “client.” In regards to Inter, Sochi will configure the control panel on a client’s server free of charge. Also, in the past, Sochi has recommended that clients use the hosting provider Inferno Solutions (Intelligence Card) and has even offered a free month of hosting to entice a client to host Inter there. Sochi has made claims that they have a connection of sorts to Inferno Solutions but did not provide any additional details. However, it is possible that relationships with these hosting providers will change as Sochi is attempting to offer hosting themselves. In February 2019, Sochi began advertising their own bulletproof hosting service that the actor claims is ideal for malware, spam, phishing, brute force attacks, and scams. Sochi made it clear that they will have physical access to their client’s servers, meaning one of the group or another partner works at or owns this datacenter. Insikt Group assesses with moderate confidence that Inferno Solutions is the company behind this bulletproof hosting service, and that Sochi has partnered with them in some manner.”
- The sniffer can automatically detect the type of payment form.
- Automatic detection of card type: e.g. Visa, MasterCard, and Maestro.
- Excludes duplicate payment data.
- The ability to create and customize different fields for parsing.
- Statistics showing new credit cards harvested per day, infected domains, and visual graphs of credit cards from the previous week.
- Search credit cards by different parameters or keywords.
- Customize how credit cards are exported. Filter and export credit cards instantly.
- User-friendly interface with the ability to view individual credit cards.
- The sniffer can communicate with the control panel directly or through a gateway.”
Analysis of the Inter code obtained by Insikt Group confirms that it is an advanced credit card skimming framework that is indeed worth its US$1,300 price. One notable aspect of the code that is not advertised by Sochi is that the skimmer transforms the collected credit card data into a GIF image format before transmitting it to the control panel; the data is exfiltrated with a GET request. Inter can reach its command and control panel either over the open internet or via the Tor Onion Service Protocol, in which case the panel is hosted on an Onion site. These options are configured in the file gate_tor.php. By default, the Tor control panel URL is set to http://exafatnxusosovkm[.]onion. Analysis discovered that this is not simply an example, but a live Onion service currently hosting an Inter control panel. It is unknown why this Onion site was included in the code. This is possibly an error on the part of Sochi, who failed to remove traces of infrastructure they themselves use, though this is uncertain.
Image 2: Tor gate PHP code from Inter showing default control panel address and use of GIF format for data exfiltration
Source: RecordedFuture/Insikt Group
Risk mitigation and network defence
Some instances of Inter can be identified by searching for distinctive strings from the code, such as “GetCCInfo: function”, in the source of a website. Insikt Group used the tool PublicWWW to identify multiple campaigns in the wild that were sending what is likely skimmed credit card data to the URL https://routingzen[.]com/gate.php (Intelligence Card). Insikt Group assesses that the actor behind this attack is not very proficient with either formjacking or JS Sniffers, as the full scraping code was inserted in its entirety on the main page of the target website (without hosting the scraping code remotely or even on a separate webpage) and with no attempt at obfuscation aside from encoding the panel URL as Base64. Regardless, any communication to this URL should be considered malicious. General recommendations for e-commerce sites looking to avoid formjacking attacks using the Inter framework and others include:
- Closely monitor your checkout pages for changes
- Ensure that only authorised domain resources are in use
- Use the integrity-checking functions of your content delivery network (CDN) to validate resource integrity
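A defender-side check covering the detection string and the three recommendations above, written as an added example that is not part of the original report: it scans a checkout page's HTML for the “GetCCInfo: function” signature, decodes Base64 runs that would hide a gate URL (the only obfuscation seen in the campaign described), and flags script tags loaded from hosts outside an assumed allowlist or lacking an integrity attribute. The HTML sample, the allowlist and every host name other than the page's own routingzen[.]com are constructed.

```python
import base64
import re
from urllib.parse import urlparse

# Signature string the report gives for Inter; the only obfuscation seen in the
# campaign was a Base64-encoded panel URL, so both are checked here.
INTER_SIGNATURE = "GetCCInfo: function"
ALLOWED_HOSTS = {"cdn.example-shop.test"}  # assumed allowlist for this shop

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)["\']', re.I)

# Constructed sample page: an inline skimmer carrying the signature and the
# Base64 form of the report's gate URL, plus one script from an unknown host.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-shop.test/checkout.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://static.unknown-host.test/a.js"></script>
</head><body>
<script>
var Inter = { GetCCInfo: function(f){ /* ... */ },
  gate: atob("aHR0cHM6Ly9yb3V0aW5nemVuLmNvbS9nYXRlLnBocA==") };
</script>
</body></html>"""

def decoded_urls(text):
    """Return every Base64 run in text that decodes to an http(s) URL."""
    found = []
    for token in B64_RE.findall(text):
        try:
            plain = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64, or not printable text: ignore
        if plain.startswith(("http://", "https://")):
            found.append(plain)
    return found

def scan_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (finding, detail) tuples for one checkout page."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:  # external script: enforce allowlist and SRI
            host = urlparse(src.group(1)).hostname or ""
            if host not in allowed_hosts:
                findings.append(("unauthorised-script-host", host))
            if "integrity=" not in attrs.lower():
                findings.append(("missing-sri", src.group(1)))
            continue
        if INTER_SIGNATURE in body:  # inline script: look for the skimmer
            findings.append(("inter-signature", INTER_SIGNATURE))
        for url in decoded_urls(body):
            findings.append(("base64-gate-url", url))
    return findings

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML):
        print(*finding)
```

Run it against the saved HTML of each checkout page on a schedule and alert on any new finding; a diff against the previous run implements the “monitor for changes” recommendation.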
Precautions to defend yourself against the Android bot Red Alert are much more straightforward:
- Only download apps from the Google Play Store
- Avoid downloading apps from any third-party app stores
- Do not click on suspicious advertisements
- Never click on suspicious URLs, even if they are sent via SMS from one of your trusted contacts
Sochi is a sophisticated threat actor group active on high-tier criminal forums with an extensive reach into very different facets of cybercrime. The ability to develop, maintain, and sell two different types of malware, target e-commerce sites, and operate a bulletproof hosting service, all while offering round-the-clock support for their clients, indicates that Sochi is a highly skilled and well-coordinated group of individuals with diverse skill sets. Their previous cash-out service and current interest in PayPal accounts indicate that this same group is also proficient in some form of money laundering. Insikt Group believes that the services Sochi offers will continue to grow in popularity, and that the threat actor and those they facilitate will continue to pose a serious threat to e-commerce, financial institutions, and credit card holders throughout the world.
For information about Si Cyber's services, please contact email@example.com