Massive gambling network doubles as hidden C2 and anonymity infrastructure, researchers say


A sprawling network that’s seemingly maintained to serve (illegal) online gambling opportunities and deliver malware to Indonesian citizens is likely also being used to provide threat actors command and control (C2) and anonymity services.

“The infrastructure has been active for at least 14 years and currently spans 328,039 domains: 236,433 purchased domains, 90,125 hacked websites, and 1,481 hijacked subdomains, including subdomains of government websites,” says Kobi Ben Naim, CEO and Head of Research at Malanta.

The company also discovered thousands of malicious Android applications; 38 GitHub accounts hosting web-shells, templates, and staging artifacts; and 500+ domain lookalikes masquerading as popular organizations (possibly for future credential harvesting) – all of which can be tied to the same long-standing operation, Malanta researchers claim.

The operation’s elements (Source: Malanta)

An operation that evolved over many years

Back in 2011, the operation began with facilitating gambling activity but, as the years passed, it evolved and started incorporating SEO manipulation, mobile malware distribution, website hacking, domain and subdomain hijacking, data theft, and more.

The group uses social media and instant messaging platforms to advertise the gambling sites and push users to install fake or semi‑functional gambling Android apps (hosted on AWS S3 buckets).

“The user sees a gambling interface, but under the hood the apps can download more code, access device storage, and talk to command‑and‑control servers,” Ben Naim told Help Net Security.

Trusted domains and subdomains are hijacked and weaponized through systematic and widespread exploitation of WordPress and PHP components, dangling DNS and expired cloud resources, unclaimed CNAMEs, and expired certificates.

The hacked subdomain operation spans enterprises and government entities.

“On some hijacked subdomains, they simply put fake shopping or gambling content that’s made to look like a popular website (e.g., eBay, Lazada, or Envato). On the more sensitive ones – especially government and large enterprises – they deploy NGINX‑based reverse proxies that terminate HTTPS on the real government [Fully Qualified Domain Name] and then quietly decrypt and forward traffic to attacker‑controlled servers,” he shared.

“To security tools, this looks like normal encrypted traffic to a legitimate government domain, which makes it extremely difficult to distinguish from regular citizen or employee activity.”

He also noted that, in some setups, a domain’s subdomains share the same login session cookie for convenience, which means that a single hijacked subdomain can give attackers direct access to live sessions, effectively bypassing passwords and MFA.
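The two preconditions the article names, a subdomain whose DNS record points at a resource nobody controls any more and a session cookie scoped to the whole parent domain, are both things a defender can audit from their own zone and HTTP responses. The script below is an added example written for this article; it is not code from Malanta or from the operation described. All hostnames, records and cookie headers are constructed, and the stub resolver stands in for a real lookup (a live version with `socket.getaddrinfo` is included but not used by default, so the example runs offline).

```python
"""Defender-side audit helpers (added example; constructed data throughout).

1. find_dangling_cnames: flag CNAME records whose target no longer resolves.
   That is the classic subdomain-takeover precondition; a target that still
   resolves but belongs to a deleted bucket or unclaimed SaaS tenant is the
   harder case and needs a service-specific check, which is out of scope here.
2. audit_cookie_scope: flag cookies whose Domain attribute covers the parent
   domain, so that any single hijacked subdomain would receive them.
"""
import socket
from http.cookies import SimpleCookie
from typing import Callable, Iterable, List, Tuple

Record = Tuple[str, str, str]  # (owner, rrtype, target) as exported from a zone


def find_dangling_cnames(records: Iterable[Record],
                         resolve: Callable[[str], List[str]]) -> List[dict]:
    """Return one finding per CNAME whose target resolves to no address."""
    findings = []
    for owner, rrtype, target in records:
        if rrtype.upper() != "CNAME":
            continue
        if not resolve(target.rstrip(".")):
            findings.append({"subdomain": owner, "target": target,
                             "reason": "CNAME target does not resolve"})
    return findings


def audit_cookie_scope(set_cookie_headers: Iterable[str], host: str) -> List[dict]:
    """Return one finding per cookie scoped to a parent domain of `host`."""
    host = host.lower()
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = morsel["domain"].lstrip(".").lower()
            # No Domain attribute = host-only cookie; an exact match is also fine.
            if domain and domain != host and host.endswith("." + domain):
                findings.append({"cookie": name, "domain": domain,
                                 "reason": f"shared with every subdomain of {domain}"})
    return findings


def live_resolve(name: str) -> List[str]:
    """Real resolver for production use; not called in the offline example."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


# --- constructed sample data (hypothetical names, not from the article) ---
SAMPLE_RECORDS: List[Record] = [
    ("www.example.gov.", "A", "192.0.2.10"),
    ("portal.example.gov.", "CNAME", "portal-prod.cloudhost.example."),     # still live
    ("old-campaign.example.gov.", "CNAME", "old-campaign.bucket.example."),  # decommissioned
    ("survey.example.gov.", "CNAME", "survey-app.saas.example."),            # tenant gone
]
# What our stub resolver "knows"; anything else returns no addresses.
SAMPLE_RESOLVER_VIEW = {"portal-prod.cloudhost.example": ["198.51.100.7"]}


def stub_resolve(name: str) -> List[str]:
    return SAMPLE_RESOLVER_VIEW.get(name.rstrip(".").lower(), [])


SAMPLE_SET_COOKIE = [
    "session=0123abcd; Domain=.example.gov; Path=/; Secure; HttpOnly",  # too broad
    "csrf=xyz789; Domain=portal.example.gov; Path=/; Secure",           # host-scoped
    "prefs=dark; Path=/",                                               # host-only
]


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_RECORDS, stub_resolve):
        print("DANGLING", f)
    for f in audit_cookie_scope(SAMPLE_SET_COOKIE, "portal.example.gov"):
        print("BROAD-COOKIE", f)
```

Run against a real zone export, swap `stub_resolve` for `live_resolve` and feed `audit_cookie_scope` the Set-Cookie headers captured from each login endpoint. A dangling finding means the record should be removed or re-pointed before anyone else can claim the target; a broad-cookie finding means the session cookie should be issued host-only (no Domain attribute) unless sharing across subdomains is a deliberate, reviewed decision.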

“Advanced persistent threat”

The blend of the cybercrime component with the advanced tradecraft, as well as the longevity, scale and cost of the operation, point to a group that has achieved a level of operational maturity beyond that of most financially motivated crews, Malanta researchers opined.

“Maintaining that kind of footprint – domains, certificates, hosting, malware development, social media promotion, and ongoing exploitation – costs hundreds of thousands to several million USD per year, based on our cost modeling,” Ben Naim pointed out.

The illegal gambling could be both a revenue stream and a cover. “The TLS‑terminating reverse proxies on hijacked government FQDNs are perfectly suited as covert relays: traffic looks like it’s going to a government site, but is actually carrying C2 instructions or exfiltrated data,” he added.

The company believes it likely that this threat group is Indonesian or, at least, has some Indonesian-speaking operatives.

While the group could be classified as an advanced persistent threat, there’s currently no evidence pointing to it being backed by a specific government entity, Ben Naim told Help Net Security.
