Introduction
The threat actor tracked as Coquettte has been using Proton66, a Russian bulletproof hosting provider, to distribute malware under the guise of legitimate security software [1] [2]. The operation pairs a fraudulent antivirus website with the Rugmi malware loader, which fetches further payloads from hard-coded domains once a victim runs the installer.
Description
Coquettte has been identified as leveraging the infrastructure of Proton66, a Russian bulletproof hosting provider, to distribute malware disguised as legitimate software [1] [2]. The actor operates a fraudulent website, cybersecureprotect.com, which advertises a supposed antivirus product named ‘CyberSecure Pro’ but in fact serves the Rugmi malware loader [1] [2]. Researchers found that the site hosted a Windows Installer package which, on execution, connects to hard-coded URLs on the domains cia.tf and quitarlosi to download additional malicious payloads and carry out further activity on the host [1] [2].
Rugmi is a modular malware loader used by cybercriminals to deploy secondary payloads, including infostealers, trojans and ransomware [1] [2]. It has previously been linked to the distribution of several infostealers, among them Vidar, Raccoon Stealer V2, Lumma Stealer and Rescoms [1] [2]. Coquettte hosts its command-and-control (C2) server on the cia.tf domain using Proton66’s infrastructure; that domain is registered with an email address associated with Coquettte [1] [2]. The shared registrant links the malware distribution site and the C2 server to the same actor, who controls both stages of the payload delivery chain [1] [2].
Conclusion
Coquettte’s activity illustrates how bulletproof hosting lets even a low-skill actor run a fake software site, a loader and a C2 server on infrastructure that resists takedown. The concrete defensive steps it suggests are straightforward: block or alert on the domains named in the reports, treat software downloaded from unfamiliar “antivirus” sites as suspect, and watch for installers that reach out to recently registered domains immediately after execution. Because Rugmi is a loader, a single confirmed infection should be assumed to have delivered a secondary payload such as an infostealer, and the affected host’s credentials should be treated as exposed.
References
[1] https://ciso2ciso.com/amateur-hacker-leverages-russian-bulletproof-hosting-server-to-spread-malware-source-www-infosecurity-magazine-com/
[2] https://www.infosecurity-magazine.com/news/coquettte-hacker-malware-bph/