From North Korean Phishing to Underground Online Hosting Services

Executive Summary

During CYFIRMA's routine research on advanced persistent threat (APT) activity, we observed North Korean actors using domains registered through a registrar that also serves a wide range of online scams and cybercrime. This registrar is in turn linked to a web of offshore companies that, through their CEO, leads to a hosting provider in Bulgaria. Our initial hypothesis was that the DPRK itself could be behind this infrastructure, as it is infamous for such operations, but we found no evidence for that. Instead, we documented what appears to be an underground online hosting network hidden in plain sight.

Introduction

While exploring the recent activity of APT37 and the suspected "Konni campaign", we observed a repeatedly used set of domains hosted in the same Bulgarian IP range, 185.176.43.0/24. It turned out that some of those are free domain hosting services provided by one company, AttractSoft GmbH & Zetta Hosting Solutions Alliance (AS44476), which also provides a range of paid hosting in the same IP range.

Following the breadcrumbs, the CYFIRMA research team discovered that behind the legitimate front of AttractSoft lies another, undisclosed and obfuscated set of hosting services and, most importantly, its own domain registrar, used for a variety of online scams and illegal content, including what appears to be underage adult content.

If the same entity owns the domain registrar, the hosting platform and the servers, there is virtually nobody left to enforce any kind of content policy: an abuse report has no independent party to land with. This allows unrestricted hosting of illegal content and facilitates criminal activity.

Moreover, as we explore in this report, these services are being abused by malicious actors and offer generous affiliate programs whose payout scheme amounts to a virtually infinite money-making glitch. Concerningly, we eventually uncovered a decade-long history of offshore companies behind these hosting services. The trail leads to the British Virgin Islands, Seychelles, Dominica and Cyprus, with a legitimate front in Bulgaria.

Analysis

North Korean Konni Campaign

Since the beginning of 2022, CYFIRMA and third-party researchers alike have observed the same handful of domains below repeatedly used in Konni campaigns attributed to suspected APT37 from North Korea.

*.c1[.]biz
*.atwebpages[.]com
*.medianewsonline[.]com
*.sportsontheweb[.]net

The CYFIRMA research team took the opportunity to try to trace this suspected APT37 activity. We quickly found that AttractSoft GmbH & Zetta Hosting Solutions Alliance, as part of its business model, offers free domain hosting through the Atspace[.]com and Webfreehosting[.]net platforms, which between them include three of the four domains listed above.

Threat actors abusing free online services is news as old as the internet itself. Normally we would end the tracing effort there.

But the C1.BIZ domain remained a mystery. It was not offered by any of AttractSoft's services, yet it was hosted in the exact same IP range as Zetta Host.

Danesco Trading LTD

While checking the Whois record of the C1.BIZ domain we spotted an unfamiliar domain registrar: Danesco Trading LTD, based in Cyprus, with no listed abuse contact and a suspiciously basic-looking pair of websites.

Raw Whois snippet (redacted for clarity)
Domain Name: c1.biz
Registry Domain ID: D33968446-BIZ
Registrar WHOIS Server: whois.www.evonames.com
Registrar URL: www.evonames.com
Updated Date: 2022-09-13T00:00:44Z
Creation Date: 2009-10-08T20:53:14Z
Registry Expiry Date: 2023-10-07T23:59:59Z
Registrar: Danesco Trading Ltd.
Registrar IANA ID: 1418
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:

Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: DANESCO TRADING LTD.
Registrant Street: REDACTED FOR PRIVACY
Registrant State/Province:
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: CY
Registrant Phone: REDACTED FOR PRIVACY

Name Server: ns1.biz.nf
Name Server: ns2.biz.nf
DNSSEC: unsigned
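As an added illustration (example code written for this page, not part of the original report or CYFIRMA tooling), the following Python parses a raw Whois record like the one above into fields and applies the checks that made this registrar stand out: an empty abuse contact, a registrar IANA ID on an analyst-maintained watchlist, and a registrant organisation that is the registrar itself. It also extracts the name-server apex, the pivot that leads from c1.biz to biz.nf below. The sample record is abbreviated from the snippet above; the contents of the watchlist are an assumption.

```python
"""Parse a raw WHOIS record and apply the registrar checks discussed above.
Example code added to this page; not CYFIRMA tooling."""
import re
from collections import defaultdict

# Constructed sample, abbreviated from the c1.biz record quoted above.
SAMPLE_WHOIS = """\
Domain Name: c1.biz
Registry Domain ID: D33968446-BIZ
Registrar WHOIS Server: whois.www.evonames.com
Registrar URL:www.evonames.com
Updated Date: 2022-09-13T00:00:44Z
Creation Date: 2009-10-08T20:53:14Z
Registrar: Danesco Trading Ltd.
Registrar IANA ID: 1418
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Registrant Organization: DANESCO TRADING LTD.
Registrant Street: REDACTED FOR PRIVACY
Registrant Country: CY
Name Server: ns1.biz.nf
Name Server: ns2.biz.nf
DNSSEC: unsigned
"""

# "Key: value"; the key is letters, spaces and slashes up to the first colon,
# so timestamps containing colons stay intact in the value.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$")

# Registrar IANA IDs an analyst keeps an eye on. Assumption: Danesco (1418,
# from the record above) is the only entry.
WATCHED_REGISTRAR_IDS = {"1418": "Danesco Trading Ltd."}


def parse_whois(text):
    """Return {field: [values]}; repeated keys such as Name Server keep every value."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()].append(m.group(2).strip())
    return dict(fields)


def first(fields, key):
    values = fields.get(key, [])
    return values[0] if values else ""


def _norm(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def ns_apexes(fields):
    """Registrable apex of each name server (last two labels; use a public-suffix
    list in production). This is the pivot from c1.biz to biz.nf."""
    return sorted({".".join(ns.lower().rstrip(".").split(".")[-2:])
                   for ns in fields.get("Name Server", [])})


def registrar_red_flags(fields, watchlist=WATCHED_REGISTRAR_IDS):
    """Return the list of findings for a parsed record (empty list = nothing found)."""
    flags = []
    if not first(fields, "Registrar Abuse Contact Email") and \
       not first(fields, "Registrar Abuse Contact Phone"):
        flags.append("no registrar abuse contact published")
    iana = first(fields, "Registrar IANA ID")
    if iana in watchlist:
        flags.append(f"registrar IANA ID {iana} ({watchlist[iana]}) is on the watchlist")
    # A registrar that is also the registrant is fronting the registration itself.
    registrant = _norm(first(fields, "Registrant Organization"))
    if registrant and registrant == _norm(first(fields, "Registrar")):
        flags.append("registrant organisation is the registrar itself")
    return flags


if __name__ == "__main__":
    parsed = parse_whois(SAMPLE_WHOIS)
    print("name-server apexes to pivot on:", ns_apexes(parsed))
    for flag in registrar_red_flags(parsed):
        print("RED FLAG:", flag)
```

The parser keeps every value of a repeated key, which matters for multi-line Registrant Street fields and for name servers; the apex extraction is deliberately naive (last two labels) and should be backed by a public-suffix list before it is used on real data.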

A quick lookup of the company in the Cyprus company registry [1] showed the names of its Director and Secretary as well as its office address, and at the same time listed other companies tied to the same Secretary.

A web search for the office address turned up even more companies registered at the exact same address, sparking the hypothesis that this is an offshore shell company. The final nail in the proverbial coffin was its mention in the Offshore Leaks database [2] of the International Consortium of Investigative Journalists (ICIJ). As the ICIJ website itself notes, being an offshore company is not inherently illegal or malicious, but the further context discussed below strongly indicates that Danesco Trading LTD's sole purpose is to hide or obfuscate nefarious activity.

Searching for other domains registered through DANESCO TRADING LTD uncovered a high volume of scam websites offering dog and cat breeds, as well as a long list of suspicious and likely scam adult domains, including typosquats of legitimate adult sites and, most concerningly, many whose names suggest underage content.

Following the rabbit hole

Finding a suspicious offshore domain registrar was unexpected, but we had not yet found who actually owns and operates the C1.BIZ domain so frequently used by the North Koreans. At this stage, our hypothesis was that the North Koreans themselves could be running an offshore company to serve their cyber operations. That hypothesis did not hold up, as we will discuss.

In the above Whois record we can see the name servers ns1.biz.nf and ns2.biz.nf, so naturally we took a look at the BIZ.NF website. From here our research turned into an unexpected rabbit hole suggesting organised criminal activity.

BIZ.NF

At first glance the BIZ.NF page looks like another small-scale hosting provider offering free domain hosting under the C1.BIZ domain. On closer inspection there is an "earn money" page with a very generous-looking affiliate program. In fact, so generous that it does not add up.

Affiliates earn 10 cents for every free signup at C1.BIZ, which on its own raises eyebrows. Anyone can generate a virtually unlimited number of free signups with a little automation, so abusing the program for solid payouts is trivial, assuming the service is legitimate. The other scenario is a money laundering scheme, where the "abuser" of this generous affiliate program is the same or a friendly party.

NOTE: AttractSoft also offers 10 cents per free signup on its free domain hosting platforms. However, it is a legitimate business subject to auditing, with other sources of revenue that can subsidise this as a marketing expense to attract customers into its portfolio of paid services.

There are $60, $110 and $125 payouts for actual sales. Compare this with the pricing of the Unlimited Web Hosting plan.

The first-year promotion runs at $6.95 a month, i.e. $83.40 for a year paid in advance. Without the promotion it is $10.95 a month, i.e. $131.40 for a year paid in advance. The affiliate payout therefore amounts to most of the first year's revenue from the sale, and in the promotional case can exceed it.

To be fair, they also offer VPS hosting, priced far more reasonably at $12.95, $22.65 and $42.95 per month. However, it is their least advertised product, and the abuse potential of the two payout schemes above (per signup and per sale) is clear enough.

Such a scheme immediately raised a money laundering red flag. One of the usual signs of online money laundering is the absence of any traceable ownership, so we scanned the website and found no contact details for any registered business or natural person.

Worse, a Whois check on the BIZ.NF domain revealed another offshore company, "WEB10 Solutions Inc.", this time registered in the Seychelles, though using the well-known and legitimate EU registrar Key-Systems.

Raw Whois snippet (redacted for clarity)
Domain Name: biz.nf
Registry Domain ID: 95429-CoCCA
Registry WHOIS Server: whois.coccaregistry.org
Registrar URL: http://www.key-systems.net
Updated Date: 2022-06-02T22:50:33.696Z
Creation Date: 2007-05-12T18:39:08.698Z
Registry Expiry Date: 2023-05-12T18:39:08.596Z
Registrar Registration Expiration Date: 2023-05-12T18:39:08.596Z
Registrar: Key-Systems GmbH
Registrar IANA ID: 269

Registry Registrant ID: hblTb-DgdWA
Registrant Name: Redacted | EU Registrar
Registrant Organization: WEB10 SOLUTIONS INC
Registrant Street: Suite 3
Registrant Street: 1st Floor
Registrant Street: La Ciotat Building, Hermitage Rd
Registrant City: Mont Fleuri
Registrant State/Province: Mahe
Registrant Country: SC
Registrant Phone: Redacted | EU Registrar

WEB10 Solutions Inc.

When searching for more information about WEB10 Solutions Inc. we had very limited luck, but kept seeing WEB5 Solutions Inc. in the relevant results. Ultimately we found that web10solutions[.]com redirects to www[.]web5solutions[.]com, so the two are likely the same entity, especially since WEB5 Solutions Inc. turned out to be registered as yet another offshore company, this time on the Caribbean island of Dominica.

WEB5 Solutions Inc Whois snippet with address:
Admin Name: DNS Admin
Admin Organization: WEB5 SOLUTIONS INC.
Admin Street: 8 Copthall
Admin City: Roseau Valley
Admin State/Province:
Admin Postal Code: 00152
Admin Country: DM

We then looked for Whois records related to either WEB10 or WEB5 Solutions Inc. and found multiple BIZ.NF copycat websites offering hosting services, also hosted at Zetta Host in the same Bulgarian IP range.

Summary of affiliate programmes:

Evidence linking it all together

As established, all these websites look nearly identical and are linked through WEB10 and WEB5 Solutions Inc. in their respective domain Whois records.

Before we list the relevant snippets from historic Whois records to connect the dots, we need to mention one more offshore company: "Oxwell Consolidated Corp." [3], registered in the British Virgin Islands.

Oxwell Consolidated Corp. Whois snippet with address:
"city": "Road Town",
"country": "Virgin Islands (british)",
"email": "[email protected]",
"name": "DNS Admin",
"organization": "OXWELL CONSOLIDATED CORP.",
"state": "Tortola",
"street1": "PO Box 3321|Drake Chambers",
"telephone": "442031299000",
"type": "administrativeContact"

Based on our domain research and the available historic Whois records, Oxwell CC is the oldest organisation linking all the discovered domains and related hosting services together.

For illustration, below is a Maltego chart where we documented relationships between all entities. Dashed red lines are the conclusive links going full circle.

The best example to show the history of domain ownership is BIZ.NF

Note: the history was compiled from multiple sources for cross-reference validation, hence the varying formats, as we prefer to keep sources in their original form.

Current
Registrant Organization: WEB10 SOLUTIONS INC
Registrant Street: Suite 3
Registrant Street: 1st Floor
Registrant Street: La Ciotat Building, Hermitage Rd
Registrant City: Mont Fleuri
Registrant State/Province: Mahe
Registrant Country: SC

Previous
Registrant Organization: WEB5 SOLUTIONS INC.
Registrant Street: 8 Copthall
Registrant City: Roseau Valley
Registrant State/Province:
Registrant Postal Code: 00152
Registrant Country: DM
Registrant Phone: +44.2031293000
Registrant Phone Ext:
Registrant Email: [email protected]

Oldest
"city": "Road Town",
"country": "Virgin Islands (british)",
"email": "[email protected]",
"name": "DNS Admin",
"organization": "OXWELL CONSOLIDATED CORP.",
"state": "Tortola",
"street1": "PO Box 3321|Drake Chambers",
"telephone": "442031299000",
"type": "registrant"

A notable and important link here is the carry-over of the Oxwell.cc domain in the registrant's email. Also telling is the clear, progressive increase in obfuscation: the Whois records become more redacted and less informative over time.

All domains on which the business websites sit (BIZ.NF, BIZ.LY, BIZ.HT and Freehostingeu.com) follow more or less the same ownership record.

A similar registrant history applies to the domains on which the free hosting is served: C1.BIZ, EU3.ORG, EU3.BIZ, EU5.NET and ME.HT. Some were in the hands of unrelated entities for a long time before being abandoned and/or sold to the current owners or their predecessors.

In the case of these domains there is also a traceable history of domain registrars. Currently they are all registered through Danesco Trading LTD, but older records show "EvoPlus Ltd." as the registrar while the registrant was WEB5 Solutions Inc. This explains why even today Danesco Trading LTD lists www[.]evonames[.]com as its website in recent Whois records.

C1.BIZ Whois history records

Current
Registrar WHOIS Server: whois.danesconames.com
Registrar URL: www.evonames.com
Updated Date: 2022-09-13T00:00:44Z
Creation Date: 2009-10-08T20:53:14Z
Registry Expiry Date: 2023-10-07T23:59:59Z
Registrar: Danesco Trading Ltd.
Registrar IANA ID: 1418

Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: DANESCO TRADING LTD.
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province:
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: CY

Previous
Whois Server: whois.danesconames.com
Registrar Name: Danesco Trading Ltd.

Registrant Contact:
Name: REDACTED FOR PRIVACY
Organization: WEB5 SOLUTIONS INC.
Street: REDACTED FOR PRIVACY
City: REDACTED FOR PRIVACY
Country: DOMINICA
Postal Code: REDACTED FOR PRIVACY

Oldest
"city": "Roseau Valley",
"country": "Dominica",
"email": "[email protected]",
"name": "DNS Admin",
"organization": "WEB5 SOLUTIONS INC.",
"postalCode": "00152",
"street1": "8 Copthall",
"telephone": "+44.2031293000",
"type": "registrant"

"full_domain": "c1.biz",
"gtld": true,
"nameServers": [
"ns1.freehostingeu.com",
"ns2.freehostingeu.com"
],
"private registration": false,
"registrarname": "EvoPlus Ltd."

Another piece of evidence linking all these sites together is the set of name servers in the oldest Whois record of C1.BIZ: it used to sit on a copycat of BIZ.NF, Freehostingeu.com.
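To make the pivoting method of this section concrete, here is an added Python example (written for this page, not the report's own tooling) that links domains through shared Whois attributes, namely registrant organisation, registrant phone, e-mail domain and name-server apex, using union-find and recording which attribute produced each link. The record set is condensed from the Whois snippets quoted in this report; the e-mail domains, the control domain unrelated.example and the ignore list of widely shared DNS providers are constructed for the example.

```python
"""Link domains through shared WHOIS attributes and record the evidence for each link.
Example code added to this page; not CYFIRMA tooling."""
import re
from collections import defaultdict

# Historic WHOIS records per domain, newest first, condensed from the snippets in
# this report. E-mail domains and "unrelated.example" (a control that must stay
# unlinked) are constructed for the example.
RECORDS = {
    "biz.nf": [
        {"org": "WEB10 SOLUTIONS INC"},
        {"org": "WEB5 SOLUTIONS INC.", "phone": "+44.2031293000"},
        {"org": "OXWELL CONSOLIDATED CORP.", "phone": "442031299000",
         "email_domain": "supportindeed.com"},
    ],
    "c1.biz": [
        {"org": "DANESCO TRADING LTD.", "ns": ["ns1.biz.nf", "ns2.biz.nf"]},
        {"org": "WEB5 SOLUTIONS INC."},
        {"org": "WEB5 SOLUTIONS INC.", "phone": "+44.2031293000",
         "ns": ["ns1.freehostingeu.com", "ns2.freehostingeu.com"]},
    ],
    "freehostingeu.com": [{"org": "OXWELL CONSOLIDATED CORP."}],
    "biz.ht": [{"org": "REDACTED FOR PRIVACY", "email_domain": "supportindeed.com"}],
    "unrelated.example": [{"org": "EXAMPLE CORP", "phone": "+1.5550100",
                           "ns": ["ns1.unrelated.example"]}],
}

REDACTED = re.compile(r"redacted|privacy|proxy", re.I)
# Name-server apexes too widely shared to count as evidence (constructed list).
SHARED_DNS_PROVIDERS = {"cloudflare.com", "awsdns-01.org"}


def _norm(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def ns_apex(host):
    """Last two labels of a host name; use a public-suffix list in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def pivots(domain, history):
    """Map pivot token -> human label for one domain's WHOIS history.
    Values are normalised so '+44.2031293000' and '442031293000' collide."""
    out = {"ns:" + domain: "name servers under " + domain}  # a domain delegating NS under us joins us
    for rec in history:
        org = rec.get("org", "")
        if org and not REDACTED.search(org):
            out["org:" + _norm(org)] = "registrant organisation " + org
        if rec.get("phone"):
            out["phone:" + _norm(rec["phone"])] = "registrant phone " + rec["phone"]
        if rec.get("email_domain"):
            out["mail:" + rec["email_domain"].lower()] = "e-mail domain " + rec["email_domain"]
        for ns in rec.get("ns", []):
            apex = ns_apex(ns)
            if apex not in SHARED_DNS_PROVIDERS:
                out["ns:" + apex] = "name servers under " + apex
    return out


def link_domains(records):
    """Union-find over domains that share a pivot. Returns (components, evidence):
    components as a list of sets, largest first; evidence maps each linked pair
    (a frozenset) to the labels of the attributes the pair shares."""
    carriers, labels = defaultdict(list), {}
    for domain, history in records.items():
        for token, label in pivots(domain, history).items():
            carriers[token].append(domain)
            labels.setdefault(token, label)

    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    evidence = defaultdict(list)
    for token, domains in carriers.items():
        for other in domains[1:]:
            evidence[frozenset((domains[0], other))].append(labels[token])
            parent[find(domains[0])] = find(other)

    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g))), dict(evidence)


if __name__ == "__main__":
    components, evidence = link_domains(RECORDS)
    for group in components:
        print("cluster:", ", ".join(sorted(group)))
    for pair, reasons in evidence.items():
        print("  %s <-> %s: %s" % (*sorted(pair), "; ".join(reasons)))
```

Redacted registrant fields are skipped rather than normalised, otherwise every privacy-protected domain on the internet would collapse into one cluster; for the same reason the name-server pivot ignores large shared DNS providers and only counts apexes that are themselves part of the operator's footprint.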

Circling back to AttractSoft GmbH

While digging through the available historic records and browsing the portfolio of AttractSoft GmbH, it became more and more evident that the "untraceable" hosting services provided by these offshore companies are far too similar to AttractSoft's legitimate services to be a coincidence.

The only thing missing to connect the two was concrete evidence rather than a collection of similarities and a shared IP range. That concrete evidence also came from historic Whois records, specifically the name "Dimitar Dimitrov", Co-Founder and CEO of AttractSoft GmbH & Zetta Hosting Solutions Alliance [4].

More specifically, from the oldest Whois records of the BIZ.NF and BIZ.HT domains, where their respective businesses were using "supportindeed.com" email addresses.

Oldest Whois record of BIZ.NF and BIZ.HT

Historic Whois record of supportindeed.com

Apart from clearly naming him as the registrant of supportindeed.com, another piece of indirect evidence is the city of Kiel in Germany. That is where AttractSoft GmbH & Zetta Hosting Solutions is headquartered and where Dimitar Dimitrov went to university. He also founded "Atspace.com", which appears to be the heavy inspiration for the affiliate programs of BIZ.NF and its copycats.

If that were not enough, we found one more free domain hosting website claiming affiliation with AttractSoft GmbH, which was a virtually 1:1 copy of the previously discovered site BIZ.HT.

Upon inspection of royalwebhosting.net we found another conclusive link between BIZ.HT and AttractSoft, hiding in plain sight. It appears that when copying the design and content, they forgot to delete the "About us" page and its proud mention of the association with AttractSoft. Given the lengths the owners of BIZ.HT went to in order to hide their identities behind offshore companies in Whois records, this does look like a genuine oversight.

Summary of evidence

AttractSoft GmbH & Zetta Hosting Solutions Alliance is an online hosting provider with HQ in Kiel, Germany and Sofia, Bulgaria.

  • Zetta Hosting provides shared hosting from the Bulgarian IP range 185.176.43.0/24.
  • AttractSoft GmbH offers multiple free domain hosting platforms, most notably for this story Atspace.com, Webfreehosting.net and Royalwebhosting.net.
    • Atspace.com offers free domains at *.atspace.com, *.atspace.cc and *.atspace.eu.
    • Webfreehosting.net offers free domains at *.atwebpages.com, *.sportsontheweb.net and *.medianewsonline.com.
    • Royalwebhosting.net offers free domain hosting at *.royalwebhosting.net.

Danesco Trading LTD is a domain registrar with IANA ID 1418. It is responsible for a large volume of suspicious and scam domains. It is also the registrar of the suspicious free domain hosting domains c1.biz, eu3.org, eu3.biz, eu5.net and me.ht.

  • Danesco Trading LTD is registered at a known offshore address in Cyprus
  • EvoPlus Ltd. is its known predecessor in Whois records.

Oxwell Consolidated Corp. is the original offshore business, formerly the domain registrar responsible for the registration of BIZ.HT and the registrant of BIZ.NF, BIZ.LY and Freehostingeu.com.

  • Oxwell Consolidated Corp was registered at an offshore address on the British Virgin Islands
  • WEB5 Solutions Inc is a known descendant of Oxwell CC

WEB5 Solutions Inc. is another offshore company, which eventually took over ownership of the Oxwell CC domains, presumably to further obfuscate the trail and remove any direct links to AttractSoft.

  • WEB5 Solutions Inc was registered at an offshore address on the Caribbean Island of Dominica
  • WEB5 Solutions Inc used EvoPlus Ltd and later Danesco Trading LTD as a domain registrar.
  • WEB10 Solutions Inc is a known descendant of WEB5 Solutions Inc.

WEB10 Solutions Inc. is another offshore company, which eventually took over ownership of the WEB5-owned domains, once again with increased redaction and effort to appear even more private and removed from AttractSoft.

  • WEB10 Solutions Inc was registered at an offshore address in the Seychelles.
  • WEB10 Solutions Inc used Danesco Trading LTD as the domain registrar.

Dimitar Dimitrov is the Co-founder and CEO of AttractSoft GmbH & Zetta Hosting Solutions Alliance and founder of Atspace.com free hosting.

  • Dimitar Dimitrov is listed in historic Whois records through supportindeed.com under BIZ.NF and BIZ.HT.

Kiel, Germany is the address of both AttractSoft GmbH & Zetta Hosting Solutions Alliance and supportindeed.com, as well as the city where Dimitar Dimitrov went to university.

BIZ.HT, BIZ.NF, BIZ.LY, Freehostingeu.com and Oxwell.cc all share the same web design, Whois and domain ownership history.

  • All these domains, including their respective free hosting subdomains, are hosted by Zetta Hosting in its Bulgarian IP range 185.176.43.0/24.

Conclusion

We do not have direct evidence of specific persons or companies conducting illegal activity. But this structure of hosting services, obfuscated through multiple offshore shell companies, is abnormal, and it allows unchecked hosting of illegal or malicious content.

From a CTI perspective the key takeaway is that DANESCO TRADING LTD (IANA ID 1418) is a domain registrar used seemingly exclusively for illegal and malicious content, and we advise blocking domains registered through it in your environment. The AttractSoft free hosting domains listed above also serve legitimate sites, so they are better treated as a source of alerts than blocked outright.
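The following Python is an added example (written for this page, not CYFIRMA tooling) of how the indicators in this report can be applied to resolver logs in a tiered way: queries under a Danesco-registered apex are marked for blocking, queries under the AttractSoft free-hosting apexes abused in Konni campaigns raise an alert, and answers inside the Zetta Hosting range are marked for review. The log format, the sample host addresses inside the /24, and the three severity tiers are assumptions; the apex lists and the IP range come from the report.

```python
"""Triage DNS-resolution log lines against the infrastructure described in this report.
Example code added to this page; not CYFIRMA tooling."""
import ipaddress
import re

ZETTA_RANGE = ipaddress.ip_network("185.176.43.0/24")   # Zetta Hosting range from the report
DANESCO_IANA_ID = "1418"                                 # Danesco Trading Ltd.

# Free-hosting apexes named in the report, split by who registers them.
DANESCO_APEXES = {"c1.biz", "eu3.org", "eu3.biz", "eu5.net", "me.ht"}
ATTRACTSOFT_FREE_APEXES = {"atspace.com", "atspace.cc", "atspace.eu", "atwebpages.com",
                           "medianewsonline.com", "sportsontheweb.net", "royalwebhosting.net"}

# Constructed resolver log; the 185.176.43.x answers are invented hosts inside the report's range.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z client=10.1.2.3 qname=upload.c1.biz. answer=185.176.43.10
2023-03-01T10:00:05Z client=10.1.2.7 qname=news.medianewsonline.com answer=185.176.43.21
2023-03-01T10:00:09Z client=10.1.2.9 qname=cdn.example.net answer=185.176.43.200
2023-03-01T10:00:12Z client=10.1.2.9 qname=www.example.org answer=203.0.113.5
2023-03-01T10:00:15Z client=10.1.2.4 qname=login.corp.internal answer=NXDOMAIN
"""
LOG_RE = re.compile(r"qname=(?P<qname>\S+)\s+answer=(?P<answer>\S+)")


def under(qname, apexes):
    """Return the apex that qname equals or is a subdomain of, else None.
    Label-aware suffix match, so 'c1.biz.evil.example' does not match 'c1.biz'."""
    name = qname.lower().rstrip(".")
    return next((a for a in apexes if name == a or name.endswith("." + a)), None)


def triage(line):
    """Return (severity, reason) for one log line, or None if nothing matched."""
    m = LOG_RE.search(line)
    if not m:
        return None
    qname, answer = m.group("qname"), m.group("answer")
    reasons, severity = [], None

    apex = under(qname, DANESCO_APEXES)
    if apex:   # the report's blocking advice: registrar IANA ID 1418
        reasons.append(f"{apex} is registered through Danesco Trading Ltd (IANA ID {DANESCO_IANA_ID})")
        severity = "block"

    apex = under(qname, ATTRACTSOFT_FREE_APEXES)
    if apex:   # legitimate free hosting that is also abused: alert, do not block outright
        reasons.append(f"{apex} is an AttractSoft free-hosting apex seen in Konni campaigns")
        severity = severity or "alert"

    try:
        if ipaddress.ip_address(answer) in ZETTA_RANGE:
            reasons.append(f"resolves into Zetta Hosting range {ZETTA_RANGE}")
            severity = severity or "review"   # shared hosting: weakest signal on its own
    except ValueError:
        pass   # NXDOMAIN or another non-address answer

    return (severity, "; ".join(reasons)) if reasons else None


def triage_log(text):
    """Return [(timestamp, severity, reason)] for every matching line."""
    hits = []
    for line in text.splitlines():
        result = triage(line)
        if result:
            hits.append((line.split()[0],) + result)
    return hits


if __name__ == "__main__":
    for ts, severity, reason in triage_log(SAMPLE_LOG):
        print(f"{ts} {severity.upper():6} {reason}")
```

The severity only ever escalates from the strongest signal present; a hit on the hosting range alone stays at "review" because the same /24 also carries AttractSoft's paid customers, whereas a Danesco-registered apex is enough on its own for a block.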