Finished Intelligence

King Servers

Summary

King Servers is a Russian hosting firm whose servers have been involved in numerous Russian criminal and Russian APT activities over the last few years. These activities include the compromise of the Arizona and Illinois SBOE (State Board of Elections) websites in 2016 and the use of King Servers IPs as C2s for the newest Trickbot module. Wapack Labs also found that in February 2018, King Servers hosted the Emotet malicious email campaign involving denniscrawford2014[.]com. This domain was previously owned by Democrat Dennis Crawford, a Nebraskan Congressional contender.

Background

King Servers is a Russian hosting firm run by Vladimir Fomenko from Biysk, Siberia, and is known for malicious activity including breaches of the State Board of Elections websites in Illinois and Arizona in 2016[1].


King Servers’ website (king-servers[.]com) was registered in 2008; however, the site says the company has been in business since 2006. Vladimir Fomenko maintains that he has nothing to do with any malicious activity involving his servers. In addition to a wide range of malicious criminal and APT activity, King Servers is home to hundreds of porn sites, including many bestiality sites.


Traffic Redirection

King Servers IPs are tied to EITest malware, which is responsible for one of the longest-running malicious delivery campaigns[1]. Researchers believe the campaign related to King Servers is one of the most widespread and well-organized, relying on EITest and traffic redirection to expose victims to exploit kits, malvertising and tech support scams. This infrastructure revolves around a Russian traffic monetization company (roi777[.]com) that uses fraudulent techniques to generate traffic and is also leveraged for malware delivery and other scams.


This roi777 infrastructure sends victims who visit a compromised website to a site controlled by the attacker. JavaScript in the compromised website reaches out to a URL like the following to determine the redirect domain.

  • roi777[.]com/domain.php

The URL varies by campaign, returning different domains for different scams. One of the domains used during the writing of this report was terecuhu[.]tk, which redirects the victim to a Tech Support Scam landing page, as seen below.


The domains used as landing pages for this TSS change over 100 times a day. In a one-month period researchers logged over 2,900 domains used for this one scam alone. It is estimated that 70 percent of the domains used by the roi777 infrastructure use King Servers IPs[1].
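The redirect chain described above (a lookup of roi777[.]com/domain.php followed by a hop to a fresh landing domain) leaves a recognisable shape in web-proxy logs. The following detection logic is an added example and not Wapack Labs code; the log format, client addresses, the 30-second window and every host other than roi777.com and terecuhu.tk are constructed assumptions.

```python
"""Flag clients that fetch roi777.com/domain.php and then land on a never-before-seen host."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log: "<ISO timestamp> <client> <method> <url>" per line.
# Client 10.0.0.5 shows the full chain; 10.0.0.7 never does a lookup;
# 10.0.0.9 does a lookup but its next visit falls outside the window.
SAMPLE_LOG = """\
2018-11-01T10:00:01 10.0.0.5 GET http://compromised-blog.example/index.html
2018-11-01T10:00:02 10.0.0.5 GET http://roi777.com/domain.php?id=123
2018-11-01T10:00:03 10.0.0.5 GET http://terecuhu.tk/landing/
2018-11-01T10:05:00 10.0.0.7 GET http://intranet.example/home
2018-11-01T10:05:01 10.0.0.7 GET http://news.example/article
2018-11-01T10:10:00 10.0.0.9 GET http://roi777.com/domain.php?id=77
2018-11-01T10:11:00 10.0.0.9 GET http://late-landing.example/
"""

LOOKUP_HOST = "roi777.com"      # redirect-domain lookup service named in the report
LOOKUP_PATH = "/domain.php"
WINDOW = timedelta(seconds=30)  # assumption: lookup and landing page are seconds apart


def parse_line(line):
    """Split one log line into (timestamp, client, url parts)."""
    ts, client, _method, url = line.split(" ", 3)
    return datetime.fromisoformat(ts), client, urlsplit(url)


def find_redirect_chains(log_text):
    """Return (client, landing_host) pairs that match the lookup-then-land pattern."""
    pending = {}                 # client -> time of its most recent domain.php lookup
    seen = defaultdict(set)      # client -> hosts it has visited so far
    hits = []
    for line in log_text.splitlines():
        ts, client, parts = parse_line(line)
        host = parts.hostname
        if host == LOOKUP_HOST and parts.path == LOOKUP_PATH:
            pending[client] = ts                      # remember the lookup, await the landing
        elif (client in pending and ts - pending[client] <= WINDOW
              and host not in seen[client]):
            hits.append((client, host))               # first visit to a new host right after lookup
            del pending[client]
        seen[client].add(host)
    return hits


if __name__ == "__main__":
    for client, host in find_redirect_chains(SAMPLE_LOG):
        print(f"suspected roi777 redirect chain: client={client} landing={host}")
```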

Trickbot

In October of 2018, the banking trojan Trickbot upgraded its encryption and added a new password-stealing module called “pwgrab”. A marked increase in Trickbot activity observed during this release prompted the National Cyber Security Center in the UK to issue an advisory to prepare for imminent attacks[2]. This recent campaign targets the US, UK, Germany, and India.

Wapack Labs analysts believe with medium confidence that the Trickbot actors are Russian. Trickbot is the successor to the banking trojan Dyre, which was operated by another Russian crime group. Trickbot uses varying redirection and web injection techniques to obtain banking credentials. One way Trickbot does this is by redirecting infected users to “web fakes” that look identical to real banking sites in order to steal credentials. During the release of the newest password-stealing Trickbot module, over 30% of the web fakes were hosted on King Servers IPs.

US Politics

In July of 2016, the SBOE (State Board of Elections) website in Illinois was compromised, leading to over 76,000 residents being notified that their registration data had been viewed by attackers[1]. In August of 2016, the FBI provided details on an attempted intrusion of the Arizona SBOE website[2]. Six of the eight IPs responsible for these malicious intrusions belong to King Servers.

  • 104.11.154
  • 104.9.39
  • 155.30.75
  • 155.30.76
  • 155.30.80
  • 155.30.81

One of the other two IPs used during this intrusion is hosted on the FortUnix infrastructure, which targeted the Ukrainian power grid and DDoS’ed news media sites in 2015[3].

  • 149.249.172

This activity is consistent with Russian APT activity and may indicate that King Servers is being used both by Russian crime groups and by Russian APT.

In February of 2018, a domain used by Nebraskan Democrat Dennis Crawford when he was running for Congress in 2014 was re-registered and hosted on a King Servers IP (185.159.82.83).

  • denniscrawford2014[.]com


A few days after being re-registered, the domain was used to send malicious emails containing Emotet to targets including law firms, private security companies and shipping companies. The following companies are some of those targeted in these emails.



Dennis Crawford ran and lost again in 2018 a few months after his old site was re-registered and used to send malicious emails.


The malicious emails claim that the Department of Finance shows an unpaid debt and that the email is an attempt to collect it. The amounts owed differed in each email and were as little as 4 dollars in some cases.


Conclusion

King Servers owner Vladimir Fomenko denies that he has anything to do with any malicious activity on his servers. That activity includes malicious traffic distribution, banking trojans and the targeting of US political entities. Wapack Labs continues to monitor King Servers IPs for malicious activity to provide early warnings of Russian criminal and APT activity.

Previous Reporting:

TIR-18-331-001 Trickbot New Password Module

[1] https://www.chicagotribune.com/news/local/politics/ct-met-illinois-elections-board-russia-2016-election-hacking-20180808-story.html

[2] https://s.yimg.com/dh/ap/politics/images/boe_flash_aug_2016_final.pdf

[3] https://threatconnect.com/blog/state-board-election-rabbit-hole/

[1] https://malware.dontneedcoffee.com/hosted/anonymous/kotd.html

[2] https://www.ncsc.gov.uk/alerts/trickbot-banking-trojan

[1] https://www.nbcnews.com/news/us-news/russians-hacked-two-u-s-voter-databases-say-officials-n639551
