In the ever-evolving landscape of cyber threats, a recent investigation has shed light on the operations of an emerging cybercriminal known as Coquettte. This individual has been utilizing the services of Proton66, a Russian bulletproof hosting (BPH) provider, to orchestrate and distribute malware campaigns. The discovery was made by DomainTools, a threat intelligence firm, which identified a fake website, cybersecureprotect[.]com, masquerading as an antivirus service and hosted on Proton66’s infrastructure.
The Role of Bulletproof Hosting in Cybercrime
Bulletproof hosting services like Proton66 offer cybercriminals a haven to host malicious content with minimal risk of takedown. These services are notorious for their leniency towards illicit activities, providing a robust platform for distributing malware, phishing campaigns, and other cyber threats. Proton66, in particular, has been linked to various campaigns involving malware such as GootLoader, Matanbuchus, SpyNote, Coper (also known as Octo), and SocGholish. Additionally, phishing pages hosted on Proton66 have been disseminated via SMS messages, deceiving users into divulging sensitive banking credentials and credit card information.
Coquettte’s Modus Operandi
Coquettte’s operations involve distributing malware under the guise of legitimate antivirus tools. The deceptive strategy includes offering a ZIP archive named CyberSecure Pro.zip, which contains a Windows installer. Upon execution, this installer downloads a second-stage malware from a remote server, which then delivers additional payloads from a command-and-control (C2) server identified as cia[.]tf. The second-stage malware is a loader known as Rugmi (also referred to as Penguish), previously utilized to deploy information stealers like Lumma, Vidar, and Raccoon.
Operational Security Failures and Exposure
A critical operational security (OPSEC) lapse by Coquettte led to the exposure of their malicious infrastructure. An open directory on the fake antivirus website inadvertently revealed the staged malicious payloads, providing investigators with valuable insights into the threat actor’s methods. Further analysis uncovered a personal website where Coquettte claims to be a 19-year-old software engineer, pursuing a degree in Software Development. The registration of the cia[.]tf domain with the email address root@coquettte[.]com confirmed Coquettte’s control over both the C2 server and the counterfeit cybersecurity site used as a malware distribution hub.
Broader Implications and Connections
Coquettte’s activities extend beyond malware distribution. The individual has been associated with websites selling guides for manufacturing illegal substances and weapons. Investigations suggest a loose affiliation with a broader hacking group known as Horrid. The overlapping infrastructure indicates that Horrid may serve as an incubator for aspiring cybercriminals, providing resources and support to individuals like Coquettte seeking to establish themselves in underground hacking circles.
Lessons in Operational Security
This case underscores the critical importance of robust operational security practices. Even minor lapses can lead to significant exposure, unraveling complex cybercriminal operations. For instance, the inadvertent exposure of malicious payloads due to an open directory highlights how simple oversights can compromise an entire operation. Similarly, the use of identifiable personal information, such as the email address linked to the C2 server, further illustrates the consequences of inadequate OPSEC measures.
The Role of Threat Intelligence
The exposure of Coquettte’s activities was facilitated by diligent threat intelligence efforts. By monitoring and analyzing suspicious domains and hosting services, researchers can uncover and disrupt malicious campaigns. This proactive approach is essential in the fight against cybercrime, as it allows for the identification and mitigation of threats before they can cause widespread harm.
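The infrastructure pivot that exposed Coquettte (a shared registrant e-mail linking the C2 domain to the actor, plus shared hosting on Proton66) can be expressed as a small clustering routine. The code below is an added example, not DomainTools' tooling or part of the original report; every record in it is constructed for illustration, with only the two article domains and the e-mail address taken (defanged) from the text, and all other domains, hosts and registrant values assumed.

```python
"""Infrastructure pivoting over registration and hosting data, as described in
the investigation above. All records are CONSTRUCTED for illustration: the two
article domains and the registrant e-mail are defanged values from the text;
every other field and domain is an assumption, not a finding."""
from collections import defaultdict

# Registrar privacy-proxy addresses are shared by many unrelated customers and
# must never be treated as a link between domains (constructed value).
PRIVACY_PROXY = "redacted@privacy-proxy[.]invalid"

RECORDS = [
    {"domain": "cia[.]tf", "registrant": "root@coquettte[.]com", "host": "Proton66"},
    {"domain": "cybersecureprotect[.]com", "registrant": PRIVACY_PROXY, "host": "Proton66"},
    {"domain": "actor-personal-site[.]example", "registrant": "root@coquettte[.]com", "host": "vps-provider-a"},
    {"domain": "other-bph-customer[.]example", "registrant": PRIVACY_PROXY, "host": "Proton66"},
    {"domain": "unrelated[.]example", "registrant": "owner@unrelated[.]example", "host": "vps-provider-b"},
]


def pivot_clusters(records, keys, ignore=frozenset({PRIVACY_PROXY})):
    """Union-find: two domains join one cluster when they share the value of any
    key in `keys`. Values in `ignore` never link records. Returns clusters as
    sorted lists, largest first."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    first_seen = {}
    for r in records:
        for k in keys:
            v = r.get(k)
            if not v or v in ignore:
                continue
            if (k, v) in first_seen:
                parent[find(r["domain"])] = find(first_seen[(k, v)])
            else:
                first_seen[(k, v)] = r["domain"]

    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


if __name__ == "__main__":
    # Strong pivot: an actor-controlled registrant address links only the domains it registered.
    print(pivot_clusters(RECORDS, keys=("registrant",)))
    # Weak pivot: adding the hosting provider also pulls in every other Proton66 customer,
    # so shared bulletproof hosting is a lead to investigate, not an attribution on its own.
    print(pivot_clusters(RECORDS, keys=("registrant", "host")))
```

Running both pivots side by side shows why analysts weight registrant overlap far above hosting overlap when the host is a bulletproof provider whose customers are, by design, numerous and unrelated.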
Conclusion
The unraveling of Coquettte’s cybercriminal activities serves as a stark reminder of the vulnerabilities inherent in poor operational security practices. It also highlights the critical role of threat intelligence in identifying and mitigating emerging threats. As cybercriminals continue to exploit bulletproof hosting services and other resources to conduct illicit activities, the cybersecurity community must remain vigilant, continuously adapting strategies to counteract these evolving threats.