Full Report
The cybercriminal uses the services of Proton66, an infamous Russian-based bulletproof hosting provider, to deploy malware.
Analysis Summary
# Threat Actor: Coquettte
## Attribution & Identity
* **Identification:** A new, relatively low-skilled cyber threat actor.
* **Aliases:** Coquettte.
* **Known Associations:** Operates utilizing the services of Proton66, a Russian bulletproof hosting provider notorious for ignoring abuse complaints.
## Activity Summary
The primary activity identified is malware distribution, masked as legitimate software. Coquettte operates a fake cybersecurity product website, `cybersecureprotect[.]com`, hosted on Proton66, offering a supposed 'CyberSecure Pro' antivirus software. This website is used to distribute the Rugmi malware loader. Researchers gained visibility into the operation due to an Operational Security (OPSEC) failure by the actor, exposing a compressed Windows Installer file containing the malware dropper. Additionally, the actor is involved in the sale of guides for manufacturing illegal substances and weapons.
## Tactics, Techniques & Procedures
- **Malware Distribution through Deceptive Websites:** Hosting malicious payloads on sites masquerading as legitimate software vendors (e.g., cybersecurity).
- **Payload Delivery:** Distributing malware via a compressed Windows Installer (MSI/EXE structure likely).
- **Staged Infection Chain:** Downloading a second-stage payload after initial execution.
- **OPSEC Failure:** A lapse in operational security exposed key components of the infrastructure (web directory access).
## Targeting
* **Sectors:** Appears to target general computer users seeking security software, though the scope of the ultimate targets for the Rugmi malware is not fully detailed beyond initial infection vectors.
* **Geography:** Unknown, though the infrastructure relies on a Russian bulletproof hosting (BPH) provider.
* **Victims:** Users attempting to download or install the fake 'CyberSecure Pro' software. No specific high-profile victim organizations were mentioned.
## Tools & Infrastructure
* **Malware Families Used:**
  * Rugmi malware loader.
  * A malware dropper contained within the Windows Installer.
  * A second-stage payload delivered post-execution.
* **Infrastructure (C2, domains, IPs):**
  * **Hosting Provider:** Proton66 (Russian Bulletproof Hosting).
  * **Malicious Domains:**
    * `cybersecureprotect[.]com` (Fake antivirus site)
    * `cia[.]tf` (C2/Payload delivery)
    * `quitarlosi[.]` (C2/Payload delivery)
## Implications
Coquettte represents a low-skilled threat actor effectively weaponizing readily available, often foreign-based, bulletproof hosting services to distribute commodity malware (Rugmi). The use of deceptive software marketing highlights a focus on users actively seeking security solutions, leveraging trust in reputable-sounding names. This activity demonstrates the ongoing challenge posed by BPH services in attribution and takedown efforts.
## Mitigations
- **Enhanced End-User Education:** Heightened skepticism regarding unsolicited security software offers, especially those downloaded from less reputable sources or via deceptive advertising.
- **Network Monitoring:** Monitor for beaconing or C2 traffic destined for newly observed or suspicious domains like `cia[.]tf` or `quitarlosi[.]`.
- **Application Control:** Implement strict application whitelisting or control policies to prevent the execution of unknown or unverified installers/MSI files.
- **Threat Intelligence Sharing:** Monitor BPH providers, such as Proton66, for concurrent activities leveraging their infrastructure.
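The network-monitoring mitigation above amounts to refanging the report's indicators and matching them against resolver or proxy logs. The following is an added example (not from the report) that does this in Python: it turns `[.]`-defanged domains into matchable form, sets aside an indicator that is incomplete in the source (`quitarlosi[.]` has no TLD) instead of matching on a bare prefix, and flags queries that equal an indicator or sit beneath it as a subdomain. The log lines and field layout (`query=`) are constructed for the example.

```python
"""Refang the report's defanged indicators and scan DNS query logs for them."""
import re

# Indicators exactly as written in the report (defanged with "[.]").
REPORT_INDICATORS = ["cybersecureprotect[.]com", "cia[.]tf", "quitarlosi[.]"]

# Constructed sample DNS query log lines (hypothetical format, not from the report).
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z host=ws01 query=cybersecureprotect.com type=A",
    "2024-01-01T10:00:05Z host=ws01 query=update.cia.tf type=A",
    "2024-01-01T10:00:09Z host=ws02 query=example.org type=A",
    "2024-01-01T10:00:12Z host=ws03 query=cia.tf.example.net type=A",
]

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z0-9-]+")
QUERY_RE = re.compile(r"query=(\S+)")


def refang(indicator):
    """Turn 'a[.]b' into 'a.b'; return None if the result is not a full domain."""
    domain = indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()
    # Requires a non-empty label on both sides of every dot, so a truncated
    # indicator such as 'quitarlosi.' is rejected rather than partially matched.
    return domain if DOMAIN_RE.fullmatch(domain) else None


def load_indicators(raw):
    """Split indicators into usable domains and ones needing analyst review."""
    usable, skipped = set(), []
    for ioc in raw:
        domain = refang(ioc)
        if domain:
            usable.add(domain)
        else:
            skipped.append(ioc)
    return usable, skipped


def matches(query, domains):
    """True if the queried name equals an indicator or is a subdomain of one."""
    name = query.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_logs(lines, domains):
    """Return the log lines whose queried name matches a known indicator."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and matches(m.group(1), domains):
            hits.append(line)
    return hits
```

The subdomain check is anchored on a leading dot so that `cia.tf.example.net` is not mistaken for traffic to `cia.tf`.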