The emergence of cybercrime-as-a-service has lowered the entry barrier into cybercrime by allowing cybercriminals to specialize in only one aspect of the attack supply chain.
This can be coding malware, developing phishing kits, crafting initial access methods, releasing vulnerability exploits, or sharing data dumps listing potential victims.
However, at the end of the chain, the piece of malware must be sent from somewhere. That’s why bulletproof hosting (BPH) has become a critical infrastructure service in cybercrime.
What is Bulletproof Hosting?
Bulletproof hosting is a service provided by an internet hosting operator, usually located in lenient jurisdictions or countries where law enforcement has poor resources, that serves all types of activity, including illegal ones.
BPH providers can allow online gambling, illegal pornography, botnet command and control servers, spam, copyrighted materials, hate speech and misinformation.
According to cyber threat intelligence firm Intel471, many BPH providers “comprise a murky chain of unresponsive shell companies with false registration information.”
While most internet service providers (ISPs) would collaborate with law enforcement when their services have been found to help criminal activities, BPH providers “use a variety of complex technical arrangements to make takedown and abuse requests difficult,” Intel471 explained in a January 22 blog post.
“This can involve buying IP address ranges from other nefarious bulletproof providers, using fast-flux hosting and routing malicious traffic through ever-shifting proxy and gateway servers in other regions,” Intel471 explained.
Some BPH providers tolerate certain low-level illegal activities but draw the line at more serious criminal behavior, so as to avoid triggering law enforcement action.
Three Prolific BPH Suppliers: yalishanda, PQ Hosting and ccweb
Several popular BPH services are run by threat actors.
Intel471 described three services owned by threat actors yalishanda, pqhosting and ccweb.
The yalishanda threat actor is one of the most prolific BPH suppliers in the underground cyberspace, according to Intel471.
It offers an ever-changing reverse proxy network, which has been associated with the Snatch Team data extortion and ransomware group, the defunct GandCrab ransomware, Smokeloader malware, phishing attacks and malware distribution.
The threat intelligence firm said the threat actor’s real name is Alexander Alexandrovich Volosovik, a Russian national operating out of Russia who previously worked in Beijing.
Perfect Quality Hosting (aka PQ Hosting, previously MoreneHost) has a public website that offers “super servers” in the Netherlands. It appears to be a legitimate hosting provider, but some of its infrastructure has been linked to malicious activity, Intel471 said.
PQ Hosting has hosted infamous ransomware such as FiveHands (aka HelloKitty) and DarkSide, which infected the US energy company Colonial Pipeline in 2021 and resulted in the shutdown of its critical energy pipeline as a precaution.
The ccweb threat actor is another prolific BPH provider for the cybercriminal world. Its infrastructure, which functions like a content delivery network (CDN) rather than a hosting provider, traces to ISPs in Saudi Arabia, Mexico and the Dominican Republic.
“The actor also offers fast flux on infected computers in regions including Asia, Africa and the Middle East, making it difficult to block content served due to changing IP addresses,” Intel471 wrote.
The threat actor’s services have been linked to many ransomware variants, including Bad Rabbit, GandCrab, LockBit 2.0 and STOP/DJVU, and several malware samples (BankBot, Dreambot, Godzilla, Gozi ISFB, Nymaim, Pony Loader, Privateloader and SmokeLoader).
Blocking BPH Providers, an Efficient Way to Fight Against Cybercrime
BPH providers use a range of techniques to evade detection.
Typically, they keep changing their autonomous system (AS) numbers and IP address ranges, the identifiers that internet routing uses to locate a connected network or device and let it communicate with others.
However, BPH services can still be tracked to provide real-time intelligence. “Observing changes in BPH infrastructure allows security teams to stay ahead of criminal operators and proactively prevent cyber threats,” Intel471 added.
“Targeting and blocking BPH providers can be one of the most effective defense mechanisms from a cost-benefit perspective that can often halt malicious activity early in the kill chain.”
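The two defensive points above, watching BPH infrastructure for churn and blocking known-bad address space, can be turned into a simple triage routine. The following is an added example, not code from Intel471 or from this article: it takes constructed passive-DNS style observations (domain, timestamp, resolved IP, origin AS, TTL), scores each domain for fast-flux style rotation across many IPs and ASNs with short TTLs, and matches every observed IP against a constructed prefix blocklist standing in for a real list of BPH-associated ranges. All IPs, ASNs, domains and thresholds are made-up sample values.

```python
"""Flag fast-flux style infrastructure churn and match resolved IPs against
a known-bad prefix list.  Added example; the resolution records, ASNs,
thresholds and the prefix list are all constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Resolution:
    domain: str
    ts: int       # epoch seconds when the A record was observed
    ip: str       # address the domain resolved to
    asn: int      # origin AS announcing that address at observation time
    ttl: int      # TTL on the DNS answer, in seconds


# Constructed observations: "flux.example" rotates across many addresses and
# ASNs with short TTLs, "static.example" keeps one address with a long TTL.
SAMPLE_RESOLUTIONS: List[Resolution] = [
    Resolution("flux.example", 0,    "198.51.100.10",  64500, 120),
    Resolution("flux.example", 300,  "203.0.113.7",    64501, 120),
    Resolution("flux.example", 600,  "192.0.2.44",     64502, 60),
    Resolution("flux.example", 900,  "198.51.100.77",  64500, 120),
    Resolution("flux.example", 1200, "203.0.113.200",  64503, 60),
    Resolution("static.example", 0,    "192.0.2.9", 64510, 3600),
    Resolution("static.example", 3600, "192.0.2.9", 64510, 3600),
    Resolution("static.example", 7200, "192.0.2.9", 64510, 3600),
]


@dataclass
class FluxReport:
    domain: str
    distinct_ips: int
    distinct_asns: int
    min_ttl: int
    flagged: bool


def flux_reports(records: Iterable[Resolution], *, min_ips: int = 3,
                 min_asns: int = 2, max_ttl: int = 300) -> Dict[str, FluxReport]:
    """Score each domain for fast-flux style churn.

    A domain is flagged when it has resolved to at least `min_ips` distinct
    addresses spread over at least `min_asns` origin ASes and at least one
    answer carried a TTL of `max_ttl` seconds or less.  The thresholds are
    illustrative and must be tuned per environment.
    """
    by_domain: Dict[str, List[Resolution]] = defaultdict(list)
    for rec in records:
        by_domain[rec.domain].append(rec)

    reports: Dict[str, FluxReport] = {}
    for domain, recs in by_domain.items():
        ips = {r.ip for r in recs}
        asns = {r.asn for r in recs}
        min_ttl = min(r.ttl for r in recs)
        flagged = len(ips) >= min_ips and len(asns) >= min_asns and min_ttl <= max_ttl
        reports[domain] = FluxReport(domain, len(ips), len(asns), min_ttl, flagged)
    return reports


class PrefixBlocklist:
    """Longest-match lookup of an address against a list of CIDR prefixes."""

    def __init__(self, prefixes: Iterable[str]) -> None:
        # Most-specific prefix first so the first hit is the best match.
        self.nets = sorted((ip_network(p, strict=False) for p in prefixes),
                           key=lambda n: n.prefixlen, reverse=True)

    def match(self, ip: str) -> Optional[str]:
        addr = ip_address(ip)
        for net in self.nets:
            if addr in net:
                return str(net)
        return None


# Constructed stand-in for a curated list of BPH-associated ranges.
CONSTRUCTED_BLOCKLIST = PrefixBlocklist(["203.0.113.0/24", "198.51.100.64/26"])


def blocked_resolutions(records: Iterable[Resolution],
                        blocklist: PrefixBlocklist) -> List[Tuple[str, str, str]]:
    """Return (domain, ip, matching_prefix) for every observation that lands
    inside a blocklisted range."""
    hits = []
    for rec in records:
        prefix = blocklist.match(rec.ip)
        if prefix is not None:
            hits.append((rec.domain, rec.ip, prefix))
    return hits


if __name__ == "__main__":
    for report in flux_reports(SAMPLE_RESOLUTIONS).values():
        print(report)
    for hit in blocked_resolutions(SAMPLE_RESOLUTIONS, CONSTRUCTED_BLOCKLIST):
        print("blocklisted:", hit)
```

On the sample data only flux.example is flagged (five addresses across four ASes, minimum TTL 60 seconds), and three of its answers fall inside the constructed prefixes. Treat the flux score as a triage signal rather than a verdict: legitimate CDNs and anycast services also rotate addresses with short TTLs, which is exactly why the article notes that ccweb's infrastructure looks like a CDN. Prefix matching is the cheaper and more decisive control, but it is only as good as the currency of the prefix list, since the providers described above shift AS and IP ranges precisely to outrun such lists.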