
OPSEC lapse reveals hub for amateur cybercriminals

An amateur hacker’s operational security error enabled researchers to uncover more details about a cybercrime operation utilizing the Proton66 bulletproof hosting service, DomainTools reported Thursday.  

The threat actor known as “Coquettte” was uncovered by DomainTools while investigating domains hosted by Proton66. Proton66 offers bulletproof hosting, a service that provides infrastructure for cybercriminals while ignoring requests from law enforcement, ensuring malicious domains are not taken down or seized.

Coquettte was found to be running a website at the URL cybersecureprotect[.]com, which purported to offer antivirus software but in reality distributed malware. Researchers discovered that the site’s web directory was publicly accessible, revealing the malicious files and details about the threat actor and their connections.

The malware distributed through the fake cybersecurity website was the Rugmi malware loader, which can later be used to install additional payloads from the threat actor’s command-and-control (C2) server. One of the C2 domains the loader connected to was registered to an email address hosted at coquette[.]com.

This website revealed the hacker to be an 18-year-old software engineer and computer science student, according to a message previously displayed on the site, and revealed further ties to an additional site meth[.]to, which contained information about manufacturing methamphetamine, explosives and other weapons.

The researchers found additional links between Coquettte’s infrastructure and the domain of a hacking collective called “Horrid.” The website for Horrid contained links to meth[.]to and similar cybercrime-related sites, seemingly serving as an “incubator” and “launchpad” for aspiring and amateur cybercriminals like Coquettte, the DomainTools researchers said.

“While the individual threat actor ‘Coquettte’ may be relatively amateur, the malware they deploy (stealers, keyloggers, etc.) can do serious damage if successful,” the researchers noted.

DomainTools noted that bulletproof hosting services like Proton66, accessible malware toolkits and amateur hacking communities lower the bar to entry for threat actors, and urged organizations to stay aware of activity from Proton66 and its users. Indicators of compromise (IoCs) revealed in the investigation were provided on DomainTools’ GitHub.
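The practical follow-up to a report like this is matching the published indicators against your own proxy and DNS telemetry. The script below is an added example, not DomainTools' tooling: it refangs indicators written in the `[.]` notation the report uses, then checks constructed log lines for exact-host or subdomain matches. The indicator list contains only the domains named in this article (the full set is on DomainTools' GitHub), and the four-field log format is an assumption made for the example.

```python
"""Match proxy/DNS log lines against a defanged indicator list (added example)."""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed from the domains named in the article, kept in the defanged
# form in which such indicators are usually published.
DEFANGED_IOCS = [
    "cybersecureprotect[.]com",
    "meth[.]to",
    "hxxp://coquette[.]com/",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://...") into a plain hostname."""
    s = indicator.strip().lower()
    for defanged_dot in ("[.]", "(.)", "{.}"):
        s = s.replace(defanged_dot, ".")
    s = re.sub(r"^(hxxps?|https?)://", "", s)  # strip defanged or real scheme
    return s.split("/")[0]                      # keep only the host part


def host_from_log_line(line: str) -> Optional[str]:
    """Extract the contacted host from an assumed '<ts> <client> <kind> <target>' line."""
    parts = line.split()
    if len(parts) < 4:
        return None
    target = parts[3]
    if "://" in target:                 # proxy line carrying a full URL
        return urlsplit(target).hostname
    return target.rstrip(".").lower()   # DNS line carrying a queried name


def matches(host: str, ioc_hosts: Set[str]) -> bool:
    """True on an exact match or when host is a subdomain of an indicator."""
    host = host.lower()
    return any(host == ioc or host.endswith("." + ioc) for ioc in ioc_hosts)


def scan(lines: List[str], defanged: List[str] = DEFANGED_IOCS) -> List[Tuple[str, str]]:
    """Return (matched_host, log_line) pairs for every line that hits an indicator."""
    ioc_hosts = {refang(i) for i in defanged}
    hits = []
    for line in lines:
        host = host_from_log_line(line)
        if host and matches(host, ioc_hosts):
            hits.append((host, line))
    return hits


# Constructed sample telemetry: two benign lines, two that touch the indicators.
SAMPLE_LOG = [
    "2025-04-03T10:01:02Z 10.0.0.5 HTTP http://cybersecureprotect.com/download/setup.exe",
    "2025-04-03T10:01:05Z 10.0.0.7 DNS updates.example.net.",
    "2025-04-03T10:02:11Z 10.0.0.5 DNS cdn.meth.to",
    "2025-04-03T10:03:00Z 10.0.0.9 HTTP https://www.example.org/",
]

if __name__ == "__main__":
    for host, line in scan(SAMPLE_LOG):
        print(f"HIT {host}: {line}")
```

Subdomain matching is deliberate: a loader that fetches payloads from a host under an indicator domain should still be caught, while unrelated names that merely end in the same string (for example a domain ending in "meth.to" without the dot boundary) are not.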

International law enforcement agencies recently cracked down on another bulletproof hosting service known as Zservers earlier this year, with Dutch police dismantling its infrastructure and authorities from the United States, United Kingdom and Australia sanctioning individuals affiliated with the service.

Zservers reportedly provided its services to members of the LockBit, REvil and Conti ransomware gangs, facilitating several high-profile cyberattacks and the use of malicious botnets.

Rugmi, the malware loader used by Coquettte, has been used in the past to spread various infostealers including Vidar, Raccoon Stealer V2, LummaC2 and Rescoms, according to ESET.
