Dark Cloud Network Facilitates Crimeware

We’ve released a report about a commercially driven fast flux network that is facilitating criminal activity such as malware, spam bots, ransomware, carder sites and more.

Executive Summary/Overview

The RiskAnalytics Threat Intelligence Team has been tracking fast flux Robot Networks (botnets) for years as part of our day-to-day threat intelligence operations. Fast flux is a technique that uses compromised computers to provide scalability, geographic diversity, anonymity and redundancy to organized cybercrime operators. The fast flux infrastructure relies on computing resources stolen from the unwitting users of infected endpoints. We have conducted research on a particular fast flux proxy network being rented for use by cyber criminals to create a profitable black market hosting environment.

Some of the key findings in this RiskAnalytics Threat Intelligence report include:

  • A fast flux proxy network is actively being used in several targeted or global crimeware campaigns.
  • The network uses fast flux and reverse proxies to provide bulletproof hosting services.
  • Thousands of systems are participating in this unusually complex botnet arrangement driven by crimeware — malicious code designed to facilitate fraud, identity theft, ransomware and other illegal activity.
  • Users of the infected endpoints could be unaware that their systems are participating in this botnet.
  • The infrastructure is used by botnets, spambots, click fraud, credential stealers, ransomware and trojans.
  • Websites selling stolen credit card data — carder sites — have been using the network for years.
  • Of the campaigns analyzed, IP addresses in the Ukraine host most of this fast flux proxy infrastructure — almost 84 percent of it. Russia hosts 12 percent and Romania hosts 3 percent, with a small mix of global countries accounting for the rest.

This comprehensive report shows several examples of how crimeware is using this fast flux network to negatively impact users and businesses. The analysis demonstrates the global spread of various crimeware facilitated by this fast flux proxy infrastructure.

Get the full report here.

Posted in Blog.