Unveiling Dark Internet Service Providers: Bulletproof Hosting

Author: Knownsec 404 team
Date: Dec 9, 2024

1. Abstract

Bulletproof hosting services provide the infrastructure for cybercriminal activities, enabling criminals to evade legal constraints; they are commonly used for malware, hacking attacks, fraudulent websites, spam, and similar abuse. A bulletproof hosting network, also called a dark internet service provider, is a habitat that specifically supplies malicious infrastructure for cybercriminal activity.

As an important “invisible aid” for modern cybercriminal activities, bulletproof hosting poses a significant challenge to global cybersecurity. For cybersecurity researchers, law enforcement agencies, and related enterprises, identifying and understanding bulletproof hosting can better respond to the increasingly severe cybersecurity threats. Cybersecurity researchers who master how to identify bulletproof hosting networks can more effectively discover potential sources of malicious activities; law enforcement agencies strengthening the crackdown on malicious internet service providers can strike at the root of cybercrime; related enterprises understanding the operation mode and potential threats of bulletproof hosting can develop more refined security protection strategies. In summary, bulletproof hosting services are an indispensable part of the global cybercrime ecosystem. Identifying and effectively responding to this threat can better protect the cybersecurity of nations and enterprises.

In this paper, we first introduce bulletproof hosting services, then focus on describing the cybercriminal activities of the bulletproof hosting service provider ELITETEAM and its owned network segment “185.215.113.0/24”. Finally, based on the ZoomEye cyberspace search engine [1], combined with the concept of “behavioral mapping”, we observe and analyze the asset mapping data of this network segment. Through open ports, SSL certificate Subject values, SSL certificate fingerprints, JARM values, and unique HTTP content, we attempt to associate and expand to discover more suspected bulletproof hosting networks.

2. Overview

Based on the Redline C2 IP addresses published by cybersecurity researcher “Fox_threatintel” on Twitter [2], we found that three IP addresses (185.215.113.25, 185.215.113.9, and 185.215.113.67) all had port 7766 open and were located within the same network segment. During the analysis of this network segment, it was discovered that the service provider for this segment, ELITETEAM, is a bulletproof hosting service provider [3] closely associated with malicious online activities.

Figure 1: The tweet of cybersecurity researcher “Fox_threatintel”

According to the report “Overview of ELITETEAM Bulletproof Hosting Service Provider” [3] released by the S2 research team in September 2022, this network segment is a bulletproof hosting network operated by the ELITETEAM company. The organizational name in the WHOIS information of the network segment is “1337TEAM LIMITED,” based in Seychelles, with the actual controller still being the ELITETEAM company.

3. Introduction to Bulletproof Hosting Services

3.1 Brief Introduction to Bulletproof Hosting Services

Bulletproof Hosting (BPH) is a specialized hosting service in the field of cybersecurity that provides highly concealed internet infrastructure, often used by criminals to evade legal oversight. Bulletproof hosting services allow users to upload and host virtually any type of content, including but not limited to malware, botnet command-and-control (C&C) servers, spam platforms, illegal content (such as pornography, gambling), as well as hate speech and disinformation [4]. This service is primarily offered to malicious attackers seeking to hide their identity and activities.

The key feature of bulletproof hosting services is their choice of location: these providers typically set up data centers in countries or regions with lenient legal regulations, such as Russia, Ukraine, Moldova, Bulgaria, Seychelles, etc., allowing them to evade the laws of multiple jurisdictions [4].

In simple terms: bulletproof hosting services provide a “safe haven” for cybercriminals, enabling them to carry out illegal activities without being tracked or suppressed in an unregulated environment. Even content restricted by conventional hosting providers (adult content, malware, spam, etc.) is not deleted by bulletproof hosting service providers.

3.2 Characteristics of Bulletproof Hosting Services

Unlike traditional hosting providers, bulletproof hosting companies have a series of unique characteristics, mainly reflected in the following aspects:

  • Lenient Content Policies: Most conventional hosting services strictly review the types of content to prevent hosting illegal or unethical content. In contrast, bulletproof hosting imposes no such restrictions and even tolerates the uploading of malware, illegal gambling, pornographic content, etc.
  • Evasion of Legal Regulation: Providers of bulletproof hosting services usually choose locations in countries or regions with looser regulations or more legal loopholes. The enforcement of laws in these countries is weaker, making it difficult for law enforcement agencies to take effective legal action against these services. Thus, bulletproof hosting services offer a relatively safe space for malicious activities [5].
  • Non-Deletion of Content: Bulletproof hosting providers typically do not respond to content deletion requests and may even cooperate with users to resist court or law enforcement agency orders for deletion, enabling long-term hosting of illegal content.

The popularity of bulletproof hosting stems from its effectiveness in helping users bypass internet censorship, especially in highly regulated environments. For example, some bulletproof hosting companies located in Russia provide a relatively “free” space, aiding transnational criminal groups in large-scale activities such as phishing, malware distribution, and ransomware attacks.

Service providers of bulletproof hosting usually charge higher fees because they offer highly specialized concealment and resilience capabilities, making their prices significantly higher than those of conventional hosting services. However, despite the high costs, bulletproof hosting continues to attract a large number of malicious actors, extending its application far beyond the cybersecurity field [5].

Table 1: Bulletproof Hosting Services vs. Conventional Hosting Services

This comparison highlights the significant differences between bulletproof hosting services and conventional hosting services, particularly in terms of content policy and legal compliance.

3.3 The Harm of Bulletproof Hosting Services

Bulletproof hosting services have contributed to the spread of cybercrime on a global scale. For example, the APT28 group has launched over 80 attacks since 2015, utilizing bulletproof hosting services for large-scale phishing, data theft, and espionage activities against government institutions. By using bulletproof hosting services located in Russia and the Netherlands, they successfully evaded law enforcement interventions and continued their attacks [6].

This behavior demonstrates how bulletproof hosting services can become a breeding ground for long-term operations by criminals, posing significant challenges for cybersecurity firms and law enforcement agencies. Bulletproof hosting services provide robust logistical support for malicious activities such as phishing, ransomware, and espionage, enabling these activities to be conducted across borders.

3.4 Summary

This chapter discussed the characteristics, harm, and key role of bulletproof hosting services in cybercriminal activities. By understanding the operational methods of these services, we can clearly see how they provide shelter for cybercrime and enable malicious activities to persist by evading legal oversight.

4. ELITETEAM Cybercrime Activities

4.1 Introduction

ELITETEAM is a well-known bulletproof hosting service provider, often involved in global cybercriminal activities. The company is renowned for its support of malicious operations and ability to evade law enforcement interventions. ELITETEAM offers highly concealed and anti-censorship hosting services to its clients, aiding cybercriminals in evading legal and regulatory tracking. This supports a range of illegal activities including phishing, malware distribution, ransomware attacks, command and control (C&C) server hosting, and cross-border cryptocurrency scams.

ELITETEAM was registered in Seychelles on November 13, 2020, but is actually controlled by a Russian organization, primarily owning one autonomous system (AS): AS51381. As illustrated below, a query of the AS’s WHOIS information reveals that 1337TEAM LIMITED and ELITETEAM may be operated by the same controller, deeply involved in global cybercriminal activities, especially in bulletproof hosting, phishing, malware distribution, and cryptocurrency scams related to dark web markets.

Figure 2: WHOIS Information Diagram of AS51381

4.2 Cybercrime Activities and Impact

(1) Malicious IP Addresses and Phishing Activities

Case: IP addresses managed by 1337team Limited (such as 185.215.113.0/24) have been repeatedly reported as malicious on VirusTotal and ThreatFox, used in large-scale phishing attacks masquerading as investment and cryptocurrency platforms.

Impact: According to Interisle’s 2021 Phishing Network Survey, this subnet, with only 256 IPs, ranked 8th globally in malicious activity, highlighting its dominant role in phishing attacks [3].

Figure 3: 2021 Phishing Market Rankings

(2) Web Application Attacks

Case: The Cloudflare security research team has reviewed IP addresses from its hosting services that are frequently used, worldwide, for brute-force attempts against WordPress and other websites. The attacks focus mainly on the /wp-login.php and /xmlrpc.php/xmlrpc.php pages, attempting to exploit known vulnerabilities to gain access; the source addresses are also listed on AbuseIPDB.

Impact: These attacks disrupted the operations of small and medium-sized enterprises and personal websites across multiple countries, leading to data breaches and downtime [7].

(3) Ransomware Propagation and Botnet Support

Case: Trend Micro’s global threat intelligence found its infrastructure closely associated with malware like Qakbot and Emotet. These are primarily ransomware used to infiltrate corporate networks and encrypt data for ransom.

Impact: In the first quarter of 2023, malicious traffic detections reached 200,000 instances, with 140,000 instances detected from Seychelles alone [8].

(4) Association with Dark Web Markets

Case: Its services were used to support cryptocurrency scams in the dark web Hydra market, facilitating illegal transactions and money laundering. The infrastructure is also directly linked to notorious malware families like Redline Stealer and Agent Tesla.

Impact: These activities exacerbate threats to the global financial system, prompting multiple requests from Interpol for investigations into its operational network [8].

5. Cyber Asset Data Analysis Association

5.1 Network Segment Overview

The network segment “185.215.113.0/24” is located in Russia and belongs to AS51381. A query of the WHOIS information for this network segment reveals that it is owned by “ELITETEAM” (1337TEAM LIMITED).

Figure 4: WHOIS Information Diagram for 185.215.113.0/24

Using the VirusTotal platform to check the malicious status of IP addresses within this network segment, it was found that all 256 IP addresses are marked as malicious. If the percentage of IPs in a network segment that VirusTotal marks as malicious is used as a criterion for identifying bulletproof hosting networks, this result is a strong indicator.

Through the ThreatFox platform, multiple IPs in this network segment were observed to be tagged with IOCs like “Amadey” and “RedLine” in 2024, as shown below.

Figure 5: ThreatFox Platform Tagging Diagram

Using the following search syntax on the ZoomEye platform to query the asset mapping data for this network segment, 1737 mapping entries involving 229 IP addresses were obtained. The detailed analysis of these mapping entries is provided below.

cidr=="185.215.113.0/24"

5.2 Open Ports

Observing the port distribution in the mapping data of this network segment, the main types include remote login ports (22/3389), web ports (80/443), FTP ports (21), email service ports (25/465/587/143/993/110/995), and C2 ports (7766).

From the 2024 mapping data of this network segment, it was found that 10 IP addresses have email service ports (25/465/587/143/993/110/995) open, suggesting that these 10 IP addresses are used for spam email services.

For the remaining IP addresses, no uniquely significant ports were discovered among those that are open.

5.3 SSL Certificate Subject Values

Using ZoomEye’s aggregate analysis function, the SSL certificate Subject values in the mapping data of this network segment were statistically analyzed, as shown in the following figure:

Figure 6: ZoomEye Aggregate Statistics Diagram

Searching individually for asset data corresponding to these Subject values, three scenarios were identified:

  1. Common Subject values, used by many IP assets on the internet.
  2. Unique Subject values, used only by IP assets in this network segment.
  3. Unique Subject values, used by a few other IP assets besides those in this network segment.

Most Subject values belong to the first two scenarios; only one Subject value falls into the third: “api.garageserviceoperation.com”. This Subject value is likely controlled and used by the same hacker group that controls the corresponding IP assets in this network segment. (Note: VirusTotal query results indicate that garageserviceoperation.com is a malicious domain.)

We searched for other network segment IP assets with the SSL certificate Subject value “api.garageserviceoperation.com” using the following query syntax, finding a total of 2 entries corresponding to IP addresses “185.208.158.114” and “185.208.158.115”. These two IP addresses will be analyzed in subsequent chapters.

ssl.cert.subject.cn="api.garageserviceoperation.com" && cidr!="185.215.113.0/24"

5.4 SSL Certificate Fingerprints

Using ZoomEye’s aggregate analysis function, the SSL certificate fingerprints in the mapping data of this network segment were statistically analyzed, as shown in the following figure:

Figure 7: ZoomEye Aggregate Statistics Diagram

Searching individually for asset data corresponding to these SSL certificate fingerprints, only the first fingerprint value “C416E381FAF98A7E6D5B5EC34F1774B728924BD8” was found to be distinctive (not a common internet-wide value) while also appearing on IPs outside this network segment.

We searched for other network segment IP assets with the SSL certificate fingerprint “C416E381FAF98A7E6D5B5EC34F1774B728924BD8” using the following query syntax, finding a total of 2 entries corresponding to IP addresses “185.208.158.114” and “185.208.158.115”, consistent with the two IP addresses identified in the previous section. These two IP addresses will be analyzed in subsequent chapters.

ssl.cert.fingerprint=="C416E381FAF98A7E6D5B5EC34F1774B728924BD8" && cidr!="185.215.113.0/24"
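The three-scenario classification used in sections 5.3 and 5.4 is the same operation whether the pivot attribute is a certificate Subject CN or a certificate fingerprint: group the asset records by attribute value, count the distinct /24 segments each value appears in, and keep only the values that are attached to the seed segment and to a few outside segments. The Python below is an added example written for this paper, not code from the paper or from ZoomEye. It assumes records flattened to (ip, subject CN, fingerprint) tuples and an assumed cut-off of five distinct /24s for calling a value "common"; the seed CIDR, the two 185.208.158.x addresses, the Subject CN and the fingerprint are the paper's values, while the other IPs, the subject names ending in .test and the A/B/D fingerprints are constructed sample data.

```python
"""Attribute pivoting over asset-mapping records (added example, not the
paper's or ZoomEye's code).  Each record is (ip, ssl.cert.subject.cn,
ssl.cert.fingerprint).  A value attached to the seed /24 is classified into
the three scenarios of section 5.3, and the IPs outside the seed that share
a scenario-3 value are returned as pivot candidates."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SEED = ip_network("185.215.113.0/24")   # ELITETEAM segment from the paper
# assumed cut-off: a value seen in more than this many distinct /24s is "common"
COMMON_THRESHOLD = 5

FP_PIVOT = "C416E381FAF98A7E6D5B5EC34F1774B728924BD8"   # fingerprint from section 5.4
FP_COMMON = "A" * 40       # constructed stand-in for a widely shared certificate
FP_SEED_ONLY = "B" * 40    # constructed stand-in for a certificate seen only in the seed

RECORDS = [
    # seed segment assets (.70 and .100 are constructed addresses)
    ("185.215.113.25", "localhost", FP_COMMON),
    ("185.215.113.9", "localhost", FP_COMMON),
    ("185.215.113.67", "api.garageserviceoperation.com", FP_PIVOT),
    ("185.215.113.70", "api.garageserviceoperation.com", FP_PIVOT),
    ("185.215.113.100", "only-here.test", FP_SEED_ONLY),
    # the two outside IPs the paper reached through the same pivot
    ("185.208.158.114", "api.garageserviceoperation.com", FP_PIVOT),
    ("185.208.158.115", "api.garageserviceoperation.com", FP_PIVOT),
    # constructed unrelated hosts that make "localhost" a common value
    *[(f"10.0.{n}.1", "localhost", FP_COMMON) for n in range(1, 7)],
    # constructed host whose subject never appears in the seed segment
    ("10.0.7.1", "outside-only.test", "D" * 40),
]


def slash24(ip):
    """The /24 containing ip; the paper pivots at /24 granularity."""
    return ip_network(f"{ip}/24", strict=False)


def classify(records, field):
    """Map each distinct value of column `field` (1 = subject CN, 2 = fingerprint)
    that is attached to the seed segment to (scenario, sorted list of /24s)."""
    seen_in = defaultdict(set)
    for rec in records:
        seen_in[rec[field]].add(slash24(rec[0]))
    result = {}
    for value, nets in seen_in.items():
        if SEED not in nets:
            continue  # not attached to the seed: nothing to pivot from
        if len(nets) == 1:
            scenario = 2          # unique, seed segment only
        elif len(nets) <= COMMON_THRESHOLD:
            scenario = 3          # unique, plus a few outside segments: the pivot case
        else:
            scenario = 1          # common across the internet
        result[value] = (scenario, sorted(str(n) for n in nets))
    return result


def pivot_targets(records, field):
    """IPs outside the seed sharing a scenario-3 value with it, keyed by value.
    This is the candidate list the paper then verifies one by one."""
    classes = classify(records, field)
    targets = defaultdict(set)
    for rec in records:
        value = rec[field]
        if value in classes and classes[value][0] == 3 and ip_address(rec[0]) not in SEED:
            targets[value].add(rec[0])
    return {v: sorted(ips, key=ip_address) for v, ips in targets.items()}


if __name__ == "__main__":
    for field, label in ((1, "subject CN"), (2, "fingerprint")):
        print(f"--- pivot on {label} ---")
        for value, (scenario, nets) in classify(RECORDS, field).items():
            print(f"scenario {scenario}: {value} seen in {nets}")
        print("pivot targets:", pivot_targets(RECORDS, field))
```

On the sample data both pivots (Subject CN and fingerprint) land on the same two outside addresses, which mirrors the agreement between sections 5.3 and 5.4; in practice the threshold is the tunable part, since a certificate deployed across a handful of the operator's segments and one installed by a popular hosting panel differ only in how many /24s they span.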

5.5 JARM Values

Using ZoomEye’s aggregate analysis function, the JARM values in the mapping data of this network segment were statistically analyzed. Searching individually for asset data corresponding to these JARM values, they were all found to be common JARM values.

5.6 Unique HTTP Content

Through the aggregation analysis function of ZoomEye, a highly distinctive HTTP response was observed in the mapping data of this network segment. The HTTP header contains only the Server, Date, Content-Type and Connection fields, with Server set to “nginx/1.18.0 (Ubuntu)” and Connection set to either “keep-alive” or “close”; the HTTP body consists solely of the string “none”.

Figure 8: ZoomEye Search Schematic Diagram

We used the following search query to find assets with similar characteristics and confirmed them one by one, obtaining three IP addresses with identical traits: “77.91.68.21”, “147.45.47.102”, and “109.107.182.45”.

http.header.status_code==200 && http.header="HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: " && (http.header="GMT Content-Type: text/html; charset=UTF-8 Connection: close" || http.header="GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive") && "none" && cidr!="185.215.113.0/24"
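The ZoomEye query above matches on substrings of the stored header text, so the authors confirm each hit by hand. A stricter check that can be run locally over captured responses is to parse the raw response and require every element of the trait at once: a 200 status, exactly the four headers in that order, the stated Server value, one of the two Connection values, and a body that is only "none". The Python below is an added example, not the paper's or ZoomEye's code; the captured responses in SAMPLES are constructed, and the date values in them are arbitrary.

```python
"""Matcher for the distinctive HTTP response of section 5.6 (added example,
not the paper's or ZoomEye's code).  It takes a raw HTTP/1.1 response as a
scanner stores it and reports whether it has exactly the four headers
Server/Date/Content-Type/Connection with the values the paper describes and
a body that is only the string "none"."""

EXPECTED_SERVER = "nginx/1.18.0 (Ubuntu)"
EXPECTED_CONTENT_TYPE = "text/html; charset=UTF-8"
EXPECTED_CONNECTION = {"keep-alive", "close"}
EXPECTED_HEADER_ORDER = ["server", "date", "content-type", "connection"]


def parse_response(raw: bytes):
    """Split a raw response into (status line, ordered header list, body).
    Header names are lower-cased; their order is kept because the trait is
    the exact header set, not just the Server value."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing header/body separator")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def matches_trait(raw: bytes) -> bool:
    """True only when every element of the trait is present at once."""
    try:
        status_line, headers, body = parse_response(raw)
    except ValueError:
        return False
    if not status_line.startswith("HTTP/1.1 200"):
        return False
    if [name for name, _ in headers] != EXPECTED_HEADER_ORDER:
        return False  # any extra, missing or reordered header breaks the trait
    values = dict(headers)
    return (
        values["server"] == EXPECTED_SERVER
        and values["date"].endswith("GMT")
        and values["content-type"] == EXPECTED_CONTENT_TYPE
        and values["connection"] in EXPECTED_CONNECTION
        and body.strip() == b"none"
    )


def find_matches(responses):
    """Names of the captured responses that carry the trait, sorted."""
    return sorted(name for name, raw in responses.items() if matches_trait(raw))


# constructed sample captures (not real scan data)
SAMPLES = {
    "trait_keepalive": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: nginx/1.18.0 (Ubuntu)\r\n"
        b"Date: Tue, 05 Nov 2024 10:00:00 GMT\r\n"
        b"Content-Type: text/html; charset=UTF-8\r\n"
        b"Connection: keep-alive\r\n"
        b"\r\nnone"
    ),
    "trait_close": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: nginx/1.18.0 (Ubuntu)\r\n"
        b"Date: Wed, 06 Nov 2024 03:15:00 GMT\r\n"
        b"Content-Type: text/html; charset=UTF-8\r\n"
        b"Connection: close\r\n"
        b"\r\nnone\n"
    ),
    # same body, but one extra header: not the trait
    "extra_header": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: nginx/1.18.0 (Ubuntu)\r\n"
        b"Date: Wed, 06 Nov 2024 03:15:00 GMT\r\n"
        b"Content-Type: text/html; charset=UTF-8\r\n"
        b"Content-Length: 4\r\n"
        b"Connection: close\r\n"
        b"\r\nnone"
    ),
    # same Server banner, ordinary default page: not the trait
    "default_page": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: nginx/1.18.0 (Ubuntu)\r\n"
        b"Date: Wed, 06 Nov 2024 03:15:00 GMT\r\n"
        b"Content-Type: text/html; charset=UTF-8\r\n"
        b"Connection: keep-alive\r\n"
        b"\r\n<html><body>Welcome to nginx!</body></html>"
    ),
    "truncated": b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)",
}

if __name__ == "__main__":
    print("matching captures:", find_matches(SAMPLES))
```

The exact-header-set requirement is what gives this trait its selectivity: the Server banner alone describes a large share of Ubuntu web servers, whereas a 200 response with no Content-Length, no Last-Modified and a four-byte body is the fingerprint of one particular handler.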

5.7 Network Segment Association Expansion

In the previous sections, based on the SSL certificate fingerprint and Subject value characteristics, we associated and expanded to two IP addresses, “185.208.158.114” and “185.208.158.115”. Based on the strongly unique HTTP content feature, we associated and expanded to three IP addresses, “77.91.68.21”, “147.45.47.102”, and “109.107.182.45”. These five IP addresses are suspected to be associated with the ELITETEAM bulletproof hosting network “185.215.113.0/24”.

Next, we examined the AS information of the network segments where these five associated expansion IP addresses reside and queried the malicious marking status of the IP addresses in these network segments on the VirusTotal platform, as shown in the table below.

Table 2: Related Network Segment AS Information and VT Malicious Marking Information

Since AS198178, AS215789, and AS216024 have no association with the original network segment’s AS, we consider the probability of these three networks being bulletproof hosting networks to be low.

Based on the following reasons, we believe that the network segment “185.208.158.0/24” is a suspected bulletproof hosting network:

  • The AS organization of the network segment is located in Seychelles, just like the original network segment.
  • Based on the AS route import and export relationships of the network segments, this network segment has an association with the original network segment.
  • Two IP addresses in this network segment, together with six IP addresses from the original network segment, present SSL certificates with the same fingerprint; the mapping timestamps of these eight IP assets fall between September 10, 2024 and November 7, 2024, indicating that during this period they were likely controlled by the same hacker group.
  • Using the VirusTotal platform to query the malicious status of this network segment’s IP addresses, it was found that out of 256 IP addresses in the network segment, 95 were marked as malicious.
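The four reasons above, together with the malicious-percentage criterion from section 5.1, can be encoded as a repeatable evidence check for any segment a pivot lands on. The Python below is an added example, not the paper's code. It keeps AS51381, the two CIDRs and the certificate fingerprint from the paper; the candidate and control ASNs (AS64500, AS64501, taken from the documentation range), the AS country and routing tables, the observation timestamps, the seed-side IP addresses carrying the certificate, and the per-IP verdicts are constructed, with the verdicts shaped to reproduce the 256/256 and 95/256 counts the paper reports. The 30% malicious-ratio threshold is an assumption; the paper states no cut-off.

```python
"""Evidence aggregation for a pivoted-to /24 (added example, not the paper's
code).  It encodes the four checks of section 5.7 plus the VirusTotal ratio
of section 5.1 over constructed inputs: AS country, AS routing relationship,
a shared certificate fingerprint with its observation window, and the share
of the /24 marked malicious."""
from datetime import datetime
from ipaddress import ip_address, ip_network

SEED = "185.215.113.0/24"
CANDIDATE = "185.208.158.0/24"
UNRELATED = "10.9.9.0/24"                 # constructed control segment
FINGERPRINT = "C416E381FAF98A7E6D5B5EC34F1774B728924BD8"

# constructed: AS64500/AS64501 are documentation-range placeholders, not real ASNs
SEGMENT_AS = {SEED: "AS51381", CANDIDATE: "AS64500", UNRELATED: "AS64501"}
AS_COUNTRY = {"AS51381": "SC", "AS64500": "SC", "AS64501": "NL"}
# constructed: ASNs named in each AS's import/export routing policy
AS_ROUTING = {"AS51381": {"AS64500"}, "AS64500": {"AS51381"}, "AS64501": set()}

# constructed certificate observations: (ip, fingerprint, observed_at in UTC)
CERT_RECORDS = [
    (f"185.215.113.{last}", FINGERPRINT, "2024-09-10T08:00:00+00:00")
    for last in (5, 17, 33, 67, 70, 101)
] + [
    ("185.208.158.114", FINGERPRINT, "2024-10-20T12:00:00+00:00"),
    ("185.208.158.115", FINGERPRINT, "2024-11-07T12:00:00+00:00"),
]

# constructed VirusTotal-style verdicts (ip -> marked malicious?) shaped to the
# paper's counts: 256 of 256 in the seed, 95 of 256 in the candidate
VT_VERDICTS = {f"185.215.113.{i}": True for i in range(256)}
VT_VERDICTS.update({f"185.208.158.{i}": i < 95 for i in range(256)})


def malicious_ratio(verdicts, cidr):
    """(flagged, total) for the /24; unlisted addresses count as not flagged."""
    net = ip_network(cidr)
    flagged = sum(1 for ip, bad in verdicts.items() if bad and ip_address(ip) in net)
    return flagged, net.num_addresses


def shared_cert(records, fingerprint):
    """IPs carrying the fingerprint grouped by /24, and the first/last sighting."""
    by_segment, sightings = {}, []
    for ip, fp, seen in records:
        if fp != fingerprint:
            continue
        segment = str(ip_network(f"{ip}/24", strict=False))
        by_segment.setdefault(segment, set()).add(ip)
        sightings.append(datetime.fromisoformat(seen))
    window = (min(sightings), max(sightings)) if sightings else None
    return by_segment, window


def segment_evidence(seed, candidate, records, fingerprint, verdicts, ratio_threshold=0.3):
    """Collect the section 5.7 signals for candidate relative to seed.
    ratio_threshold is an assumed cut-off; the paper states none."""
    seed_as, cand_as = SEGMENT_AS[seed], SEGMENT_AS[candidate]
    by_segment, window = shared_cert(records, fingerprint)
    flagged, total = malicious_ratio(verdicts, candidate)
    both_have_cert = seed in by_segment and candidate in by_segment
    evidence = {
        "same_country": AS_COUNTRY[seed_as] == AS_COUNTRY[cand_as],
        "as_related": cand_as in AS_ROUTING.get(seed_as, set())
        or seed_as in AS_ROUTING.get(cand_as, set()),
        "shared_cert_ips": len(by_segment[seed]) + len(by_segment[candidate]) if both_have_cert else 0,
        "cert_window": window if both_have_cert else None,
        "vt_malicious": (flagged, total),
        "vt_ratio_high": flagged / total >= ratio_threshold,
    }
    evidence["suspected_bph"] = all((
        evidence["same_country"],
        evidence["as_related"],
        evidence["shared_cert_ips"] > 0,
        evidence["vt_ratio_high"],
    ))
    return evidence


if __name__ == "__main__":
    for cand in (CANDIDATE, UNRELATED):
        print(cand, segment_evidence(SEED, cand, CERT_RECORDS, FINGERPRINT, VT_VERDICTS))
```

Requiring all four signals, rather than any one, is what keeps a neighbouring hosting provider that merely shares a registration country out of the result; the control segment in the example fails on routing relationship, shared certificate and malicious ratio at once.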

6. Conclusion

Based on the Redline C2 IP addresses published by the cybersecurity researcher “Fox_threatintel” in a tweet, we discovered that three of these IP addresses are located within a bulletproof hosting network.

Following this clue, we first briefly introduced bulletproof hosting services, describing the bulletproof hosting service provider ELITETEAM and the network crime activities of the network segment “185.215.113.0/24”.

Then, based on the ZoomEye cyberspace search engine, we analyzed the asset mapping data of the network segment “185.215.113.0/24”, and through open ports, SSL certificate Subject values, SSL certificate fingerprints, JARM values, and distinctive HTTP content, associated and expanded to identify the network segment “185.208.158.0/24” as a suspected bulletproof hosting network:

  • The AS organization of this network segment is located in Seychelles, just like the original network segment.
  • Based on the AS route import and export relationships of this network segment, it is associated with the original network segment.
  • Two IP addresses in this network segment, together with six IP addresses from the original network segment, present SSL certificates with the same fingerprint; the mapping timestamps of these eight IP assets fall between September 10, 2024 and November 7, 2024, indicating that during this period they were likely controlled by the same hacker group.
  • Using the VirusTotal platform to query the malicious status of this network segment’s IP addresses, it was found that out of 256 IP addresses in the network segment, 95 were marked as malicious.

7. Reference Links

[1] ZoomEye Cyberspace Search Engine
https://www.zoomeye.hk/v2/
[2] Reference Tweet
https://x.com/banthisguy9349/status/1850953224150192479
[3] ELITETEAM Bulletproof Hosting Service Provider Overview
https://www.team-cyru.com/post/seychelles-seychelles-on-the-c-2-shore
[4] Wikipedia: Bulletproof hosting
https://en.wikipedia.org/wiki/Bulletproof_hosting
[5] Introduction to Bulletproof Hosting
https://www.sentinelone.com/cybersecurity-101/threat-intelligence/bulletproof-hosting/
[6] The Rebirth of the Bulletproof Hoster
https://krebsonsecurity.com/2016/08/the-reincarnation-of-a-bulletproof-hoster/
[7] Navigating the Maze of Magecart
https://blog.cloudflare.com/navigating-the-maze-of-magecart/
[8] International Police Cooperation + Trend Micro Fight Against African Cybercrime Networks
https://www.trendmicro.com/research/us/h3/2023/research-h3/african-cybercrime-networks.html
