
The Cogs of the Russian Business Network


The Russian Business Network (RBN) presented itself as a legitimate Internet Service Provider (ISP) in 2006. Shortly after setting up shop, however, it gained notoriety for hosting spammer-owned sites, malware operators, distributed denial-of-service (DDoS) infrastructure and other cybercriminal operations.

Over its run, RBN's claims to fame included being labeled "the baddest of bad guys" by VeriSign. Spamhaus, meanwhile, called it "one of the worst spam, malware, phishing and cybercrime hosting networks in the world" and added several of its IP addresses to its blocklist. While RBN has apparently been silent for some time, our threat researchers wondered whether it has really stopped.

Our in-depth examination of what remains of the RBN infrastructure revealed:

  • 21 unredacted email addresses used to register domains identified as Indicators of Compromise (IoCs)
  • 45 IP addresses to which domains have been resolved
  • 399 domains possibly connected because they shared the email addresses or IP hosts of IoC registrants, four of which were labeled as “malicious” by various malware engines

A sample of additional artifacts obtained from our analysis is available for download on our website.

A look behind the RBN curtain

Over the years, the cybersecurity community has collected IoCs related to RBN, including these 26 domains:

  • spywarelocked[.]com
  • virusprotectpro[.]business
  • locked[.]com
  • virusprotectpro[.]com
  • techdownloads[.]org
  • srv4u[.]business
  • bulletproofservice[.]com
  • abdulla[.]cc
  • tarahost[.]report
  • privateforum[.]nc
  • vermin[.]com
  • vermin[.]report
  • pestcontrolpro[.]com
  • pestcontrolpro[.]report
  • keratomir[.]business
  • sigmadown[.]business
  • spyshot[.]business
  • spyshot[.]com
  • aftersalesservice[.]business
  • marketglobe[.]report
  • mglobe[.]report
  • mgrecruitment[.]report
  • gentlemen[.]bz
  • pestcontrol[.]com
  • pestcontrol[.]com
  • pestcontrol[.]report

We used these web properties as starting points for our investigation.

A closer look at historical WHOIS records for these domains revealed 21 unredacted email addresses that had been used to register the IoCs.

DNS lookups for the IoCs uncovered 45 IP addresses that they resolved to. These were spread across eight countries, led by the United States, Germany, China and the British Virgin Islands.

We then expanded the list of IoCs with possibly connected artifacts, specifically domains that shared the IoCs' registrant email addresses or IP hosts. According to registrant data from a bulk WHOIS search, most of the possibly connected domains were registered in the United States, followed by the Czech Republic, China and Germany. The rest were scattered across 10 other countries: Japan, Russia, Canada, Iceland, Taiwan, Thailand, Mexico, Panama, Turkey and the United Arab Emirates.

The bulk WHOIS search also showed that the majority of additional domains were created between 2015 and 2022.

Reverse WHOIS lookups and reverse IP lookups uncovered 399 domains that may have links to the RBN infrastructure. A bulk malware check on the Threat Intelligence Platform (TIP) showed that organizations should block access to four of them: ilo[.]brenz[.]pl, ant[.]trenz[.]pl, www[.]ipshougou[.]com and www[.]52cps[.]com.
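The expansion described in the preceding steps (seed IoCs, historical WHOIS for registrant emails, DNS for resolving IPs, then reverse WHOIS and reverse IP to surface every domain sharing one of those artifacts) can be reproduced offline. The script below is an added example and not code from the original research or from any lookup service; it uses two seed domains from the IoC list above, while the WHOIS and DNS records, the registrant emails and the `.test` domains are all constructed sample data, not real lookup results.

```python
"""Offline reconstruction of the IoC-expansion pivots described in the article.

Seed IoCs are domains.  Historical WHOIS yields registrant e-mail addresses,
DNS yields resolving IPs, and the reverse indexes (e-mail -> domains,
IP -> domains) then return every other domain that shares an artifact.
All WHOIS and DNS data here is constructed, not the output of a real service.
"""
from collections import defaultdict


def refang(domain: str) -> str:
    """'example[.]com' -> 'example.com'; DNS is case-insensitive, so lowercase."""
    return domain.replace("[.]", ".").strip().lower()


def defang(domain: str) -> str:
    """Defang a domain for safe inclusion in reports: 'a.b' -> 'a[.]b'."""
    return domain.replace(".", "[.]")


# Two seed IoCs taken from the published list; everything below is constructed.
SEED_IOCS = ["virusprotectpro[.]com", "vermin[.]report"]

# Constructed historical WHOIS records: domain -> registrant e-mail.
WHOIS = {
    "virusprotectpro.com": "reg-a@example.net",
    "vermin.report": "reg-b@example.net",
    "pivot-one.test": "reg-a@example.net",        # shares an e-mail with a seed
    "unrelated.test": "someone-else@example.org",
    "pivot-two.test": "reg-c@example.net",
}

# Constructed passive-DNS records: domain -> set of resolved IPs (documentation ranges).
DNS = {
    "virusprotectpro.com": {"198.51.100.10"},
    "vermin.report": {"203.0.113.5"},
    "pivot-two.test": {"203.0.113.5"},            # shares a host with a seed
    "unrelated.test": {"192.0.2.77"},
    "pivot-one.test": {"198.51.100.99"},
}


def build_reverse_indexes(whois, dns):
    """Build the reverse-WHOIS (email -> domains) and reverse-IP (ip -> domains) maps."""
    by_email, by_ip = defaultdict(set), defaultdict(set)
    for domain, email in whois.items():
        by_email[email].add(domain)
    for domain, ips in dns.items():
        for ip in ips:
            by_ip[ip].add(domain)
    return by_email, by_ip


def expand_iocs(seeds, whois=WHOIS, dns=DNS):
    """Return (registrant_emails, resolving_ips, connected_domains).

    connected_domains are the domains sharing an e-mail or an IP with a seed,
    with the seeds themselves removed, sorted for stable reporting.
    """
    seed_set = {refang(s) for s in seeds}
    emails = {whois[s] for s in seed_set if s in whois}
    ips = set().union(*(dns.get(s, set()) for s in seed_set))
    by_email, by_ip = build_reverse_indexes(whois, dns)
    connected = set()
    for email in emails:
        connected |= by_email[email]
    for ip in ips:
        connected |= by_ip[ip]
    return emails, ips, sorted(connected - seed_set)


if __name__ == "__main__":
    emails, ips, connected = expand_iocs(SEED_IOCS)
    print("registrant e-mails:", sorted(emails))
    print("resolving IPs:     ", sorted(ips))
    print("possibly connected:", [defang(d) for d in connected])
```

In a real investigation the `WHOIS` and `DNS` dictionaries would be filled from historical WHOIS and passive-DNS exports; the pivot logic stays the same. Note that `unrelated.test` is not returned: sharing neither a registrant email nor an IP with a seed, it is exactly the kind of coincidental neighbour this expansion is designed to leave out.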

Countermeasures

Organizations wishing to avoid the dangers posed by RBN-hosted web properties can block access to the malicious domains identified in this article, in addition to those already identified as IoCs. Monitoring for malicious activity involving the IP addresses that host the IoCs would also help. It is also advisable to keep a close eye on domains containing the names of anti-malware programs, or of any software that does not appear legitimate. Finally, it could be useful to include web properties connected to the email addresses of the identified registrants in threat monitoring efforts.
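To turn those countermeasures into a check that can run over resolver logs, the script below (an added example, not the research team's tooling) triages DNS query records against three of the signals listed above: the published block-worthy domains, IP addresses that host IoCs, and domain names that borrow anti-malware product vocabulary. The log format, the client addresses, the `WATCHED_IPS` value, the `ANTIMALWARE_TERMS` keyword list and every `.example` domain are constructed assumptions; only the blocklisted domains come from the article.

```python
"""Triage DNS query logs against the countermeasures from the article.

Three signals are checked per query record:
  1. the queried name is (or is a subdomain of) a blocklisted domain,
  2. the returned answer is an IP known to host IoCs,
  3. the queried name contains anti-malware product vocabulary.
Log format, client IPs, watched IPs and keyword list are all constructed.
"""
import re

# Domains the article says organizations should block, defanged as published,
# plus two domains from the IoC list.
BLOCKLIST = {
    "www[.]ipshougou[.]com",
    "www[.]52cps[.]com",
    "virusprotectpro[.]com",
    "vermin[.]report",
}

# Constructed stand-in for the IP addresses found hosting IoCs.
WATCHED_IPS = {"198.51.100.10"}

# Constructed keyword list approximating "names of anti-malware programs".
ANTIMALWARE_TERMS = ("antivirus", "virusprotect", "spyware", "malware", "antispy")

# Constructed resolver log format: "<ts> client=<ip> query=<name> answer=<ip>".
LOG_RE = re.compile(r"client=(\S+)\s+query=(\S+)\s+answer=(\S+)")

SAMPLE_LOG = [
    "2024-03-01T09:12:44Z client=10.0.0.5 query=virusprotectpro.com answer=198.51.100.10",
    "2024-03-01T09:12:51Z client=10.0.0.7 query=cdn.www.52cps.com answer=192.0.2.9",
    "2024-03-01T09:13:02Z client=10.0.0.5 query=legit-site.example answer=198.51.100.10",
    "2024-03-01T09:13:15Z client=10.0.0.9 query=free-antivirus-download.example answer=192.0.2.4",
    "2024-03-01T09:13:30Z client=10.0.0.9 query=news.example answer=192.0.2.1",
]


def refang(domain: str) -> str:
    """'example[.]com' -> 'example.com', lowercased and without a trailing dot."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def domain_matches(query: str, blocked: set) -> bool:
    """True if query equals a blocked domain or sits beneath it (cdn.www.52cps.com)."""
    return any(query == b or query.endswith("." + b) for b in blocked)


def antimalware_lookalike(query: str, terms=ANTIMALWARE_TERMS) -> bool:
    """Flag names whose labels contain anti-malware vocabulary (heuristic, not proof)."""
    labels = query.split(".")
    return any(term in label for label in labels for term in terms)


def triage(lines, blocklist=BLOCKLIST, watched_ips=WATCHED_IPS):
    """Return [(client, query, [reasons])] for every record that trips a signal."""
    blocked = {refang(b) for b in blocklist}
    findings = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue                      # skip lines that are not query records
        client, query, answer = match.groups()
        query = refang(query)
        reasons = []
        if domain_matches(query, blocked):
            reasons.append("blocklisted")
        if answer in watched_ips:
            reasons.append("resolves-to-watched-ip")
        if antimalware_lookalike(query):
            reasons.append("antimalware-lookalike")
        if reasons:
            findings.append((client, query, reasons))
    return findings


if __name__ == "__main__":
    for client, query, reasons in triage(SAMPLE_LOG):
        print(f"{client:<10} {query:<32} {', '.join(reasons)}")
```

The three signals carry different weight: a blocklist hit or a resolution to a watched IP is actionable on its own, whereas the keyword heuristic is a prompt for a closer look (the article's own advice is to "keep a close eye" on such domains), so a real deployment would route the last category to review rather than to an automatic block.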

If you would like to carry out a similar investigation or would like access to the full data behind this research, please do not hesitate to contact us.