This research delves into the activities of Proton66, a bulletproof hosting network facilitating cybercrime, particularly focusing on the threat actor “Coquettte” and their associations with the Horrid hacking group. It highlights the operations of Coquettte, who utilizes Proton66 to spread malware and engage in various illicit activities, including the distribution of fake antivirus software. The analysis exposes a web of malicious domains and technological infrastructures, revealing the significance of Proton66 as a hub for amateur cybercriminals.
Affected: Proton66, Coquettte, Horrid hacking group
Key points:
- Proton66 is a Russian bulletproof hosting provider that allows cybercriminals to operate without consequence.
- Coquettte is an emerging amateur threat actor leveraging Proton66 to distribute various forms of malware.
- A fake website, cybersecureprotect[.]com, was discovered, which posed as legitimate antivirus software.
- The investigation revealed Coquettte’s malware infrastructure, including a compressed file that contained malware droppers.
- Coquettte’s operations extend to hosting e-commerce-related domains and other illicit content.
- Proton66 supports less experienced hackers by offering easy access to malware distribution infrastructure.
- The research reveals indicators of compromise (IOCs) useful for detecting related threats.
- Coquettte is linked to a group called “Horrid,” highlighting a collective approach to cybercrime.
MITRE Techniques:
- T1060 – Application Layer Protocol: Coquettte communicates with command and control servers such as cia[.]tf and uses application-layer protocols to download additional payloads.
- T1064 – Scripting: The malware uses configuration scripts and batch files to maintain persistence and execute additional payloads.
- T1105 – Remote File Copy: The installation process includes downloading malicious files from remote servers.
- T1204 – User Execution: The malware is disguised as legitimate software requiring user execution for infection.
- T1497 – Virtualization/Sandbox Evasion: Coquettte employs obfuscation techniques to bypass security tools, aiding malware stealth.
Indicators of Compromise:
- [Domain] cybersecureprotect[.]com
- [Domain] cia[.]tf
- [Domain] meth[.]to
- [SHA-256] a07c9275d2628f6dee9271452a66683831d21367a63cdb61ade0fac55f3ed9ff
- [SHA-256] 5558b04220e017f2a69fd88c575ec9450bde361049e42fd67501a0f89ba21834
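The indicators above are published defanged (`cia[.]tf`, `cybersecureprotect[.]com`), so they have to be refanged before they can be matched against telemetry. The following script is an added example, not code from the DomainTools report: it refangs the page's domain and SHA-256 indicators, then scans a handful of constructed DNS, proxy and EDR log lines (all invented here, not from the report) and reports which lines touch an indicator. Domain matching is done by exact match or subdomain suffix, so `update.cybersecureprotect.com` is flagged while an unrelated `meth.to.example.net` is not.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators as listed on the page, still in defanged form.
DOMAIN_IOCS = ["cybersecureprotect[.]com", "cia[.]tf", "meth[.]to"]
SHA256_IOCS = [
    "a07c9275d2628f6dee9271452a66683831d21367a63cdb61ade0fac55f3ed9ff",
    "5558b04220e017f2a69fd88c575ec9450bde361049e42fd67501a0f89ba21834",
]

# Constructed sample telemetry (hypothetical hosts, IPs and timestamps).
SAMPLE_LOGS = [
    "2025-04-01T10:02:11Z dns client=10.0.0.23 query=update.cybersecureprotect.com type=A",
    "2025-04-01T10:02:12Z dns client=10.0.0.23 query=www.example.com type=A",
    "2025-04-01T10:03:40Z edr host=WS-17 event=file_create "
    "sha256=A07C9275D2628F6DEE9271452A66683831D21367A63CDB61ADE0FAC55F3ED9FF "
    "path=C:\\Users\\x\\Downloads\\setup.exe",
    "2025-04-01T10:05:02Z proxy client=10.0.0.23 url=http://cia.tf/payload.bin status=200",
    "2025-04-01T10:06:00Z dns client=10.0.0.9 query=meth.to.example.net type=A",
]

# Candidate extractors: dotted hostnames and 64-hex-digit SHA-256 values.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[a-fA-F0-9]{64}\b")


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('cia[.]tf', 'hxxp://') to its live, lowercase form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def build_iocs() -> Dict[str, Set[str]]:
    """Normalise the page's indicators into lookup sets keyed by indicator type."""
    return {
        "domain": {refang(d) for d in DOMAIN_IOCS},
        "sha256": {h.lower() for h in SHA256_IOCS},
    }


def domain_matches(candidate: str, ioc_domains: Set[str]) -> Optional[str]:
    """Return the IOC domain that candidate equals or is a subdomain of, else None.

    Suffix matching requires a leading dot so that 'meth.to.example.net'
    is not mistaken for traffic to 'meth.to'.
    """
    c = candidate.lower()
    for d in ioc_domains:
        if c == d or c.endswith("." + d):
            return d
    return None


def scan_lines(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Scan log lines and return (line_index, ioc_type, matched_value) for every hit."""
    hits: List[Tuple[int, str, str]] = []
    for idx, line in enumerate(lines):
        for m in DOMAIN_RE.finditer(line):
            hit = domain_matches(m.group(1), iocs["domain"])
            if hit:
                hits.append((idx, "domain", hit))
        for m in SHA256_RE.finditer(line):
            h = m.group(0).lower()
            if h in iocs["sha256"]:
                hits.append((idx, "sha256", h))
    return hits


def main() -> None:
    iocs = build_iocs()
    for idx, kind, value in scan_lines(SAMPLE_LOGS, iocs):
        print(f"line {idx}: {kind} indicator {value}")
        print(f"    {SAMPLE_LOGS[idx]}")


if __name__ == "__main__":
    main()
```

Run as-is, the script flags three lines: the DNS query for a subdomain of `cybersecureprotect.com`, the EDR file-create event carrying the first SHA-256, and the proxy request to `cia.tf`. Feeding it real logs means replacing `SAMPLE_LOGS` with lines read from your DNS, proxy or EDR exports; hashes are compared case-insensitively because EDR products differ in the case they emit.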
Full Story: https://dti.domaintools.com/proton66-where-to-find-aspiring-hackers/