It has been observed that beginner cybercrime actors leverage the services of Russian bulletproof hosting (BPH) providers called Proton 66 to promote operations.
The findings were from domainools and detected activity after discovering a fake website named Cybersecureprotect[.]com is hosted on Proton66, pretending to be an antivirus service.
The Threat Intelligence Company said it has identified operational security (OPSEC) failures in the domain, leaving malicious infrastructure exposed, revealing malicious payloads staged on the server.
“This revelation led the rabbit hole to the operation of an emerging threat actor known as Cockett, which is to reveler amateur cybercriminals who distribute malware and reveler bulletproof hosting of Proton 66 to engage in other illegal activities,” he said in a report shared with Hacker News.
Also linked to another BPH service known as Prospero, Proton66 is attributed to several campaigns distributing desktop and Android malware such as Gootloader, Matanbuchus, Spynote, Coper (aka Octo), and Socgholish. The phishing pages hosted on the service are propagated via SMS messages, where users enter their bank credentials and credit card information to process them.
Coquttte is one such threat actor who takes advantage of the benefits offered by the Proton 66 ecosystem to distribute malware under the guise of legitimate antivirus tools.
This will retrieve the format of a ZIP archive (“Cybersecure Pro.zip”) containing the Windows installer and download two stages of malware from the command and control (C2) server (“It will download two stages of malware from a remote server to deliver secondary payloads from the CIA.[.]tf “).
The two stages are loaders classified as Lugmi (aka Penguish), which have been used in the past to deploy information steelers such as Lumma, Vidar, and Raccoon.
Further analysis of Coquttte’s digital footprint revealed a personal website claiming to be “a 19-year-old software engineer and pursue a degree in software development.”
Furthermore, the CIA[.]The TF domain is registered at the email address “root@coquette”[.]com, “Confirm that the threat actor has controlled the C2 server and operated the fake cybersecurity site as a malware distribution hub.
“This suggests that Cockette is a young individual, perhaps a student, and coincides with amateur mistakes (like open directories) in cybercrime efforts,” Domaintools said.
Threat actor ventures are not limited to malware. Because they also run other websites that sell guides for the manufacture of illegal substances and weapons. Cockette is thought to be loosely tied to the broader hacking group, the scary name.
“The overlapping infrastructure patterns suggest that the individuals behind these sites may be calling themselves “terrifying,” and Coquette is an alias for one of its members rather than a lonely actor,” the company said.
“The group’s partnership with multiple domains related to cybercrime and illegal content suggests it serves as an inspiration or an incubator for amateur cybercriminals, providing resources and infrastructure to those seeking to establish themselves in underground hacking circles.”
Source link
