Snatch Ransom Group Exposes Visitor IP Addresses Krebs on Security

The victim shaming site operated by the Snatch ransomware group is leaking data about its true online location and internal operations, as well as the Internet addresses of its visitors, KrebsOnSecurity has found. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird and Discord.

First spotted in 2018, the Snatch ransomware group has published data stolen from hundreds of organizations that refused to pay a ransom demand. Snatch publishes its stolen data at a website on the open Internet, and that content is mirrored on the Snatch team's darknet site, which is only reachable using the global anonymity network Tor.

[Image caption] The victim shaming website for the Snatch ransomware gang.

KrebsOnSecurity has learned that Snatch's darknet site exposes its "server status" page, which includes information about the true Internet addresses of users accessing the website.

Refreshing this page every few seconds shows that the Snatch darknet site generates a decent amount of traffic, often attracting thousands of visitors each day. But by far the most frequent repeat visitors are coming from Internet addresses in Russia that either currently host Snatch's clear web domain names or recently did.

[Image caption] The Snatch ransomware gang's victim shaming site on the darknet is leaking data about its visitors. This server status page says that Snatch's website is on Central European Summer Time (CEST) and is powered by OpenSSL/1.1.1f, which is no longer supported by security updates.

Probably the most active Internet address accessing Snatch's darknet site is 193.108.114.41, which is a server in Yekaterinburg, Russia that hosts several Snatch domains, including snatchteam[.]top, sntech2ch[.]top, dwhyj2[.]top and sn76930193ch[.]top. It could well be that this Internet address is showing up frequently because Snatch's clearweb site features a toggle button at the top that lets visitors switch over to accessing the site via Tor.

Another Internet address that showed up frequently in the Snatch server status page was 194.168.175.226, currently assigned to Matrix Telekom in Russia. According to DomainTools.com, this address also hosts (or else recently hosted) the usual coterie of Snatch domains, as well as quite a few domains phishing known brands such as Amazon and Cashapp.

The Moscow Internet address 80.66.64.15 accessed the Snatch darknet site all day long, and that address also housed the appropriate Snatch clearweb domains. More interestingly, that address is home to multiple recent domains that appear confusingly similar to known software companies, including libreoff1ce[.]com and www-discord[.]com.

This is interesting because the phishing domains associated with the Snatch ransomware gang were all registered to the same Russian name, "Mihail Kolesnikov," a name that is somewhat synonymous with recent phishing domains tied to malicious Google ads.

Kolesnikov could be a nod to a Russian general made famous during Boris Yeltsin's reign. Either way, it's clearly a pseudonym, but there are some other commonalities among these domains that may provide insight into how Snatch and other ransomware groups are sourcing their victims.

DomainTools says there are more than 1,300 current and former domain names registered to Mihail Kolesnikov between 2013 and July 2023. About half of the domains appear to be older websites advertising female escort services in major cities around the United States (e.g., the now-defunct pittsburghcitygirls[.]com).

The other half of the Kolesnikov websites are far more recent phishing domains, mostly ending in ".top" and ".app," that appear designed to mimic the domains of major software companies, including www-citrix[.]top, www-microsofteams[.]top, www-fortinet[.]top, ibreoffice[.]top, www-docker[.]top, www-basecamp[.]top, ccleaner-cdn[.]top, adobe-usa[.]top and www-realvnc[.]top.

In August 2023, researchers with Trustwave SpiderLabs said they encountered domains registered to Mihail Kolesnikov being used to disseminate the Rilide information stealer trojan.

But it appears multiple crime groups may be using these domains to phish people and disseminate all kinds of information-stealing malware. In February 2023, Spamhaus warned of a huge surge in malicious ads that were hijacking search results in Google.com and being used to distribute at least five different families of information stealing trojans, including Aurora Stealer, IcedID/Bokbot, Meta Stealer, RedLine Stealer and Vidar.

For example, Spamhaus said victims of these malicious ads would search for "Microsoft Teams" in Google.com, and the search engine would often return a paid ad spoofing Microsoft or Microsoft Teams as the first result, above all other results. The malicious ad would include a logo for Microsoft and at first glance appear to be a safe and trusted place to download the Microsoft Teams client.

However, anyone who clicked on the result was whisked away instead to mlcrosofteams-us[.]top, yet another malicious domain registered to Mr. Kolesnikov. And while visitors to this website may believe they are only downloading the Microsoft Teams client, the installer file includes a copy of the IcedID malware, which is really good at stealing passwords and authentication tokens from the victim's web browser.

[Image: Spamhaus]

The founder of the Swiss anti-abuse website abuse.ch told Spamhaus it is likely that some cybercriminals have started to sell "malvertising as a service" on the dark web, and that there is a great deal of demand for this service.

In other words, someone appears to have built a very profitable business churning out and promoting new software-themed phishing domains and selling that as a service to other cybercriminals. Or perhaps they are simply selling any stolen data (and any corporate access) to active and hungry ransomware group affiliates.

The tip about the exposed server status page on the Snatch darkweb site came from @htmalgae, the same security researcher who alerted KrebsOnSecurity earlier this month that the darknet victim shaming site run by the 8Base ransomware gang was inadvertently left in development mode.

That oversight revealed not only the true Internet address of the hidden 8Base site (in Russia, naturally), but also the identity of a programmer in Moldova who apparently helped to develop the 8Base code.

@htmalgae said the idea of a ransomware group's victim shaming site leaking data that they did not intend to expose is "deliciously ironic."

"This is a criminal group that shames others for not protecting user data," @htmalgae said. "And here they are leaking their user data."

All of the malware mentioned in this story is designed to run on Microsoft Windows devices. But Malwarebytes recently covered the emergence of a Mac-based information stealer trojan called AtomicStealer that was being advertised through malicious Google ads and domains that were confusingly similar to software brands.

Please be extra careful when you are searching online for popular software titles. Cracked, pirated copies of major software titles are a frequent source of infostealer infections, as are these rogue ads masquerading as search results. Make sure to double-check you are actually at the domain you believe you're visiting before you download and install anything.

Stay tuned for Part II of this post, which includes a closer look at the Snatch ransomware group and their founder.

Further reading:

@HTMalgae's list of the top Internet addresses seen accessing Snatch's darknet site
Ars Technica: Until Further Notice, Think Twice Before Using Google to Download Software
Bleeping Computer: Hackers Abuse Google Ads to Spread Malware in Legit Software
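The leak described in this story comes from a web server status page that anyone reaching the site can load. The article does not name the server software; the configuration below is an added example, not anything recovered from the Snatch site, and it assumes Apache httpd's mod_status, whose status page carries the same kind of "powered by OpenSSL/..." banner, server-local time and, with extended status enabled, a per-request client address column. The open form is shown beside the restricted form a defender would want on any server they administer.

```apache
# ASSUMPTION: Apache httpd with mod_status loaded. Added example, not the site's real config.

# Weak form: the status handler is mapped and granted to every client, and ExtendedStatus On
# makes the page render one row per request, including the remote client's address.
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>

# Hardened form: the handler is only reachable from the loopback addresses (operators read it
# with a local tool or through an authenticated reverse proxy), and ExtendedStatus Off stops the
# per-client rows from being rendered at all, so a misconfigured ACL no longer exposes visitors.
ExtendedStatus Off
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1 ::1
</Location>
```

After changing the file, `apachectl -t` validates the syntax and `apachectl -M` confirms whether `status_module` is loaded at all; if the page is not needed, removing the `LoadModule status_module` line is the simplest fix.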
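The lure domains named above share a pattern: a real brand name wrapped in a decoy affix ("www-", "-cdn", "-usa", "-us") or altered by a single swapped or dropped character (mlcrosofteams, libreoff1ce, ibreoffice). As an added example that is not part of the original article, the Python below screens hostnames against a brand watch list the way a defender might run it over DNS or proxy logs; it generalizes the article's cases to any brand list. The brand list, allowlist, affix set, similarity threshold and sample domains are all constructed assumptions, not data from the article or from KrebsOnSecurity.

```python
import re
from difflib import SequenceMatcher

# Constructed watch list of brands the article says were mimicked by lure domains.
BRANDS = [
    "microsoft", "microsoftteams", "adobe", "thunderbird", "discord", "citrix",
    "fortinet", "libreoffice", "docker", "basecamp", "ccleaner", "realvnc", "amazon",
]

# Constructed allowlist of the brands' genuine registrable domains; these are never flagged.
ALLOWLIST = {
    "microsoft.com", "adobe.com", "thunderbird.net", "discord.com", "citrix.com",
    "fortinet.com", "libreoffice.org", "docker.com", "basecamp.com", "ccleaner.com",
    "realvnc.com", "amazon.com",
}

# Decoy affixes seen in the article's examples; dropped before comparison so that
# "www-docker" is judged against "docker". Assumed set, extend as needed.
AFFIXES = {"www", "cdn", "usa", "us", "app", "download", "downloads"}

THRESHOLD = 0.80  # assumed similarity ratio above which a label is treated as a look-alike


def normalize(label: str) -> str:
    """Undo homoglyph swaps that survive a quick glance (1 for l, 0 for o, rn for m, vv for w)."""
    s = label.lower().replace("1", "l").replace("0", "o")
    return s.replace("rn", "m").replace("vv", "w")


def registrable(domain: str) -> str:
    """Last two labels of the hostname (a one-label public suffix is assumed here)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def core_label(domain: str) -> str:
    """Second-level label minus decoy affixes, e.g. 'mlcrosofteams-us.top' -> 'mlcrosofteams'."""
    sld = registrable(domain).split(".")[0]
    parts = [p for p in re.split(r"[-_]", sld) if p and p not in AFFIXES]
    return normalize("".join(parts) if parts else sld)


def assess(domain: str):
    """Return (flagged, closest_brand, similarity) for one hostname."""
    if registrable(domain) in ALLOWLIST:
        return False, None, 0.0
    core = core_label(domain)
    brand, score = max(
        ((b, SequenceMatcher(None, core, b).ratio()) for b in BRANDS),
        key=lambda pair: pair[1],
    )
    return score >= THRESHOLD, brand, round(score, 3)


def scan(domains):
    """Return (domain, brand, similarity) for every hostname that looks like an impersonation."""
    hits = []
    for d in domains:
        flagged, brand, score = assess(d)
        if flagged:
            hits.append((d, brand, score))
    return hits


# Constructed sample: lure domains named in the article mixed with genuine hosts.
SAMPLE = [
    "mlcrosofteams-us.top", "www-microsofteams.top", "ibreoffice.top", "libreoff1ce.com",
    "www-discord.com", "ccleaner-cdn.top", "adobe-usa.top", "snatchteam.top",
    "www.microsoft.com", "discord.com", "teams.microsoft.com",
]

if __name__ == "__main__":
    for domain, brand, score in scan(SAMPLE):
        print(f"{domain:28} looks like {brand:15} (similarity {score})")
```

The allowlist check runs before any fuzzy matching, so genuine hosts such as teams.microsoft.com never produce alerts; the affix stripping is what turns "www-discord.com" into an exact brand hit rather than a near miss, and the character normalization catches the 1-for-l swap without lowering the threshold for everything else.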
This entry was posted on Wednesday, 27th of September 2023, 07:48 AM
193.108.114.41 server location: Yekaterinburg, Sverdlovsk Oblast, Russia, under AS9002 RETN Limited
193.108.114.0/24
Listed under TOR Hosting and Bit Torrent

Keep up the great work you are doing.

I looked at the further reading (except for the HTMalgae one to https://raw.githubusercontent.com) because:
VirusTotal: 1 security vendor flagged this URL as malicious (ESTsecurity)
urlscan.io: The submitted domain is on our blacklist; we will not scan it.

That link is a safe one, but in general https://raw.githubusercontent.com links should be visited with EXTREME caution.

It's a real shame we can't crowdfund attacks on Russian servers.

Certainly not ethical, and I do not condone it. However, I think if the world allowed cybercrime against Russia the Russians would get their act together. It's ridiculous they think they can allow their criminals to act with impunity.

Nobody wants to fall from a window or have elderly parents
detained in a labor camp indefinitely; it's not impunity, quite.
From nationalist/corporatist perspectives it's all deniable upside.
China, NK, Iran, Russia, xyz: why should they be any different?
"Everything in State, nothing outside State, nothing against State."
It checks all their boxes.

https://www.theregister.com/2023/09/16/insanetspyware is interesting, and in a similar malvertising approach. It seems like it used to be malvertising was just being used to do scams, but maybe it is growing into more malicious approaches.

Can Google and alike stop accepting ads from this kind of organisations? Or, by receiving their payments (BTW, through which channel?), can they be considered accomplices?

Best blog in my reading.

securityweek.com/mozilla-warns-of-fake-thunderbird-downloads-delivering-ransomware

Second that. Thought for a moment: is there anyone doing it better on such a broad range? None that I'm aware of. BK's up in every other cyber story these days, it seems like.
CyberGonzo