The Infrastructure Boss
by Dominic Alvieri
April 10th, 2024
What does a former Boris Yeltsin era Defense Minister for the Russian Federation have to do with cybercrime and ransomware today?
Since early 2023 I have been tracking a cybercrime infrastructure that now accounts for over 800 phishing websites pretending to be banks, software companies and cryptocurrencies, deploying malware and dropping crypto stealers.
All of the 800+ phishing sites have two things in common. They are all registered with NiceNIC.NET and the WHOIS registrant organization is "Mihail Kolesnikov."
Several registrant countries and cities are listed, including Belize and Belgrade. A few websites were also registered under the correct spelling of Mikhail, with the vast majority registered as "Mihail."
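The pivot described above (same registrar, same registrant organization, spelling variants of the same name) is the kind of thing a hunter scripts against bulk WHOIS exports. The following is an added example, not code from the original post: it clusters WHOIS-style records by registrar plus a normalized registrant organization so that "Mihail" and "Mikhail" variants fall into one cluster. The records, domains and the variant map are constructed sample data, not real WHOIS output.

```python
# Added example (not from the original post): cluster WHOIS records by
# registrar + registrant organization, folding known spelling variants.
from collections import defaultdict
import re
import unicodedata

# Constructed sample WHOIS records; the domains are placeholders.
SAMPLE_WHOIS = [
    {"domain": "bank-login-portal.example", "registrar": "NiceNIC.NET",
     "org": "Mihail Kolesnikov", "country": "BZ"},
    {"domain": "wallet-app-update.example", "registrar": "NiceNIC.NET",
     "org": "Mikhail  Kolesnikov", "country": "RS"},
    {"domain": "software-download.example", "registrar": "NiceNIC.NET",
     "org": "MIHAIL KOLESNIKOV", "country": "BZ"},
    {"domain": "unrelated-shop.example", "registrar": "OtherRegistrar",
     "org": "Acme Ltd", "country": "US"},
    {"domain": "another-site.example", "registrar": "NiceNIC.NET",
     "org": "Acme Ltd", "country": "US"},
]

# Hypothetical variant map: maps alternate spellings onto one canonical token.
# Built from the post's observation that both "Mihail" and "Mikhail" appear.
VARIANTS = {"mikhail": "mihail"}


def normalize_org(org):
    """Lowercase, strip accents and punctuation, collapse whitespace, fold variants."""
    text = unicodedata.normalize("NFKD", org).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    tokens = [VARIANTS.get(t, t) for t in text.split()]
    return " ".join(tokens)


def cluster_by_registrant(records):
    """Group domains under a (registrar, normalized registrant org) key."""
    clusters = defaultdict(list)
    for rec in records:
        key = (rec["registrar"].lower(), normalize_org(rec["org"]))
        clusters[key].append(rec["domain"])
    return dict(clusters)


def pivot(records, registrar, org, min_size=2):
    """Domains sharing the given registrar and registrant org.

    Clusters smaller than min_size are dropped so that a single coincidental
    match does not get reported as infrastructure.
    """
    key = (registrar.lower(), normalize_org(org))
    hits = cluster_by_registrant(records).get(key, [])
    return sorted(hits) if len(hits) >= min_size else []


def countries_for_cluster(records, registrar, org):
    """Distinct registrant countries seen across one cluster."""
    wanted = set(pivot(records, registrar, org))
    return sorted({r["country"] for r in records if r["domain"] in wanted})


if __name__ == "__main__":
    for d in pivot(SAMPLE_WHOIS, "NiceNIC.NET", "Mihail Kolesnikov"):
        print(d)
    print(countries_for_cluster(SAMPLE_WHOIS, "NiceNIC.NET", "Mihail Kolesnikov"))
```

On real data the variant map would be extended as new spellings are observed, and the registrar field should be normalized from the IANA registrar ID rather than the free-text name, since registrars rename themselves.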
Hunters International is the latest ransomware and data extortion group to join.
Several of the websites were deploying Bumblebee malware along with various stealers: RedLine stealer and new versions of the Rilide and Fletchen stealers.
A quick look: Fletchen stealer features some of the same wide array of malicious capabilities as other stealers, including credential theft, Wi-Fi login details, browser history and cookie retrieval, along with several crypto clipper options.
Fletchen stealer is written in Rust with simple panel access and is easy to navigate but script kiddies beware, you need technical abilities to encrypt the stealer.exe file.
Hunters International registered their clearnet leak site with the registrant organization of Mihail Kolesnikov in January of this year.
Typosquatting Mikhail.
[Figure: excerpt of a browser-extension manifest's permissions list, showing "history", "webRequests", "tabs", "clipboardWrite", "clipboardRead", "management" and "<all_urls>"]
Former Rilide C2 domain: silent-scale.com
A full report will be out in the next month or so detailing the Chinese registrations and Russian C2s associated with all of these "Mihail Kolesnikov" websites and malware.
Dominic Alvieri
X @AlvieriD