Purpose Built Criminal Proxy Services and the Malicious Activity They Enable
Obfuscation of Malicious Behavior
It is both natural and expected that industries grow, evolve, and increase their sophistication, and cybercriminal activity is unfortunately no exception. As defender techniques change, so must a bad actor’s, and the services that support them become an important subject of consideration and understanding.
Whether it is “crypter” services that help obfuscate malicious code or so-called “bulletproof” hosting services that allow actors to host their command-and-control (“C2”) infrastructure with the explicit benefit of not having it taken down, services catering to various criminal marketplaces’ needs have kept pace and specialized in serving a host of actors looking to conduct a broad gamut of criminal activities.
One specific and interesting market segment serves to support malicious actors and their need to hide or obfuscate the originating IP address from which the actor is conducting their operations, ideally using IP address space which would not raise the attention of the services or companies that they are looking to attack or defraud. This market segment, first known as “proxy networks” and now known generically as “proxy services”, allows actors to blend into what could be considered otherwise legitimate Internet traffic in an effort to evade detection. For the purposes of this article, we will focus on IPv4 addresses as those are still the majority of all addresses used and abused; the use of IPv6 addresses in proxy networks is beyond the scope of this post.
A Brief History of Proxy Networks
Historically, proxy networks were largely based on malicious code that an unwitting victim would be tricked into downloading onto their computer. These malware families infected victims to enable a host of malicious activities, often creating networks of infected machines known as botnets. Once a computer user had been unknowingly conscripted, their computer would be used to infect other victims, but, just as importantly, the victim’s IP address would be added to the pool of addresses used to proxy malicious activity. This model was in place for many years, but its effectiveness was limited by the number of victims an actor could compromise and by their ability to stay one step ahead of antivirus and other security products to maintain their hold on the victim.
One of the oldest, and now largely defunct, proxy networks of this nature was VIP72, which is thought to have been created by the author of the Haxdoor malware strain. Once there was a critical mass of victim PCs, the proxy network was actively marketed as a “proxy service” in criminal forums and promoted by other criminals providing word-of-mouth endorsements of its reliability, geographic reach, and sheer number of IP addresses available through the service.
Evolving Proxy Tactics
As security companies increased their focus on proxied IPs as a delivery vector and adversary tactic, growing networks one IP at a time was no longer good enough. Once used and abused, these IP addresses get noticed and blocked, so these services need a stream of new IP addresses over time. Malicious proxy services had to evolve, fraudulently commandeering larger IP infrastructure more directly in order to continue and expand their services. Two new tactics involved fraudulently gaining access to new sources of IP address ranges and, in a couple of notable instances, having entire ASN blocks reassigned.
RESNET, a service promoted to criminal elements, used fraudulent tactics to gain access to IP address blocks from a host of mobile phone companies in the US by misrepresenting both the intended use of the ranges and the company requesting them. By 2019 this led to RESNET controlling over 70,000 IP addresses, according to journalist Brian Krebs. Ultimately identified and dismantled by US law enforcement, RESNET originally offered access to so-called “sneakerbots”, which allowed clients of the service to try to buy sought-after sneaker and shoe brands in a competitive and lucrative market. Once the individual behind the service understood that there was a much broader market need they could address, they quickly pivoted to offering proxy services at large and continued to do so until the service was ultimately shut down.
A second very prevalent and highly marketed service known as “INSORG” displayed even more aggressive tactics. By enumerating the IP address space and ASNs owned by companies that were in receivership, they were able to fraudulently reassign entire ranges by impersonating bankruptcy trustees and filing the appropriate paperwork with IP registries. In late 2020, INSORG was finally disrupted by international authorities in a coordinated effort by the Department of Justice and other law enforcement partners.
Given these continued disruption efforts in recent years, actors have continued to evolve, and their new efforts have centered on IoT devices and routers to replace the more traditional PC-based vectors for their criminal proxy service activities.
Enter “Black Proxies”
As demand for malicious proxy services continues, new players have entered the market, especially those who look to bring a more business-like design to their service offerings. One notable service we want to highlight is “Black Proxies”. It is marketed to other actors by touting its reliability, scope, and overwhelming number of IP addresses. Its scale is significant given its focus on both the traditional forms of IP proxying and the use of compromised websites, as well as its embrace of these new methods of commandeering IP space for its illicit services.
Figure 1: Black Proxies homepage
As shown in Figure 1, Black Proxies market themselves as having over 1,000,000 residential and other proxy IP addresses “from all around the world”. The scope and scale of these new offerings shows just how large their claimed pool of IP space is.
Figure 2: The plan admin screen for Black Proxies
Upon further examination of the service, the pool of IP addresses listed as “online” in the fall of 2022 comes in at just over 180,000 IPs, which is still far larger than the traditional services based on other types of tactics and botnets. This is shown in their plan admin screen (Figure 2).
Figure 3: Black Proxies Advertising
Like other businesses that cater to the needs and demands of their client base, Black Proxies also markets feature sets and functions that would be of strong interest to the cybercriminal element, as highlighted in Figure 3; of particular note is the “Unblocked” feature of their IP addresses. The scale of these types of services was illustrated by a series of credential stuffing attacks in a single week against US companies, in which over 187,000 IP addresses from the service were used to try to defraud institutions and their clients.
During the course of research and analysis into Black Proxies-related IP infrastructure, one IP address, 139.180.165[.]197, became of particular interest. Reviewing historical pivots related to it, there were several domains hosted on this IP, including sniper[.]black, crimicorp[.]org (the domain used for one of the actor’s email addresses), and trappal[.]xyz, amongst others. These domains tie Black Proxies to the other services and offerings from the same actors, and all were registered through the same domain registry, leading to the actor believed to be running Black Proxies.
While the actor behind this service has been identified, that information has been redacted in the following excerpt. However, when engaged via social media, they did not seem to hide that their activities were clearly geared towards the cybercriminal element, or that their operation itself was criminal in nature (see Figure 4). As of the fall of 2022, Black Proxies continues to operate and provide its service offerings.
Figure 4: A conversation with Black Proxies
Defending Against This
For defenders looking to protect their organizations and users from these types of proxy network services, the key is defense in depth: applying different detection methods to identify anomalous and potentially malicious behavior. There are services that record and report the historical abuse of IP addresses, as well as newer security offerings that specialize in detecting this type of proxy activity, and both are worth considering as part of an organization’s protection against such activity. In addition, domain name and IP risk scoring can be a useful tool for identifying ASNs and IP addresses that have historically hosted other malicious activity, an indicator that their reputation and pedigree may warrant further investigation.
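To make the detection side concrete, here is an added example (not code from the original post or from any vendor it mentions) of the two checks just described applied to web-application login logs: enriching source IPs from an abuse-history or proxy-reputation feed, and looking for the signature a proxy-backed credential stuffing campaign leaves, which is many distinct source IPs each producing only a few failed logins. The log lines, the CIDR ranges (RFC 5737 documentation space) and the reputation labels are all constructed for illustration; a real deployment would pull the reputation table from a commercial or community feed.

```python
"""Flag proxy-backed credential stuffing in web-app auth logs.

Added example; the log lines and reputation table below are constructed,
not real telemetry or a real feed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample auth log: "<timestamp> <client_ip> <username> <result>".
SAMPLE_LOG = """\
2022-10-03T12:00:01Z 203.0.113.10 alice FAIL
2022-10-03T12:00:02Z 203.0.113.11 bob FAIL
2022-10-03T12:00:02Z 203.0.113.12 carol FAIL
2022-10-03T12:00:03Z 203.0.113.13 dave FAIL
2022-10-03T12:00:03Z 203.0.113.14 erin FAIL
2022-10-03T12:00:04Z 198.51.100.7 frank FAIL
2022-10-03T12:00:05Z 198.51.100.8 grace FAIL
2022-10-03T12:01:10Z 192.0.2.5 alice OK
2022-10-03T12:02:00Z 192.0.2.6 bob FAIL
2022-10-03T12:02:09Z 192.0.2.6 bob OK
"""

# Constructed reputation table (CIDR -> label). In practice this comes from an
# abuse-history or proxy-detection service; the labels here are hypothetical.
REPUTATION = {
    "203.0.113.0/24": "residential-proxy",
    "198.51.100.0/24": "abuse-history",
}
_REP_NETS = [(ipaddress.ip_network(c), label) for c, label in REPUTATION.items()]


def parse_log(text):
    """Parse log lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        try:
            ipaddress.ip_address(ip)  # drop lines whose IP field is garbage
        except ValueError:
            continue
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def reputation_for(ip):
    """Return the label of the most specific matching CIDR, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, label in _REP_NETS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else None


def analyze(events, min_ips=5, max_failures_per_ip=3):
    """Summarise failed logins and test for the distributed, low-and-slow
    pattern of a proxy-backed campaign: at least `min_ips` sources that each
    fail no more than `max_failures_per_ip` times, spread over many usernames."""
    failures_by_ip = defaultdict(int)
    users_failed = set()
    for e in events:
        if not e["ok"]:
            failures_by_ip[e["ip"]] += 1
            users_failed.add(e["user"])
    low_volume_ips = [ip for ip, n in failures_by_ip.items() if n <= max_failures_per_ip]
    flagged = {ip: reputation_for(ip) for ip in failures_by_ip}
    flagged = {ip: lbl for ip, lbl in flagged.items() if lbl}
    total = len(events)
    ok_count = sum(1 for e in events if e["ok"])
    return {
        "failing_ips": len(failures_by_ip),
        "distinct_usernames": len(users_failed),
        "distributed_failures": len(low_volume_ips) >= min_ips and len(users_failed) >= min_ips,
        "flagged_ips": flagged,
        "failure_ratio": (total - ok_count) / total if total else 0.0,
    }


def label_counts(summary):
    """How many failing IPs fall under each reputation label."""
    counts = defaultdict(int)
    for lbl in summary["flagged_ips"].values():
        counts[lbl] += 1
    return dict(counts)


if __name__ == "__main__":
    summary = analyze(parse_log(SAMPLE_LOG))
    print("distributed credential stuffing:", summary["distributed_failures"])
    print("failing IPs:", summary["failing_ips"], "usernames:", summary["distinct_usernames"])
    print("reputation hits:", label_counts(summary))
```

The per-IP thresholds matter: a rate limit keyed on a single source IP never fires here, because each proxied address makes only one attempt, which is exactly why the article stresses reputation data and behavioral detection over simple per-IP blocking. Tune `min_ips` and `max_failures_per_ip` to the normal failed-login volume of the application, and treat a reputation hit as a reason to step up authentication or investigate rather than as proof of abuse on its own, since residential proxy ranges also carry legitimate users.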
Criminal proxy networks are now a mainstay in the cybercriminal world. Bad actors make use of them to obfuscate their activities by hiding behind hijacked IP addresses, providing a veil of legitimacy to mask their operations. These networks were once grown as a by-product of building botnets, but the lucrative nature of these services has turned them into their own criminal enterprises.
Ultimately, in the cybercrime ecosystem, there are a host of specialized services designed to enable malicious activity. Understanding and awareness of these services, and of the effect they have in facilitating the efforts of other cybercriminals, is important in helping to combat this scourge.