Malicious Use of Virtual Machine Infrastructure
Summary:
The Sophos Counter Threat Unit (CTU) has identified a trend in which Bulletproof Hosting (BPH) providers use legitimate ISPsystem VMmanager infrastructure to mass-provision virtual machines for cybercriminal operations. The abuse is industrial in scale and leaves a reproducible fingerprint: the providers' default Windows Server templates generate the same NetBIOS hostname on every deployment, which let the researchers map more than 20,000 malicious hosts to specific providers. To test the hypothesis that the hostnames were static artifacts of the ISPsystem software rather than names chosen by the actors, the researchers ran a controlled validation: they procured a virtual server from play2go[.]cloud (a provider known to use VMmanager) and deployed a standard Windows VM, which came up with the hostname WIN-J9D866ESIJ2. This confirms that the indicator is inherent to the template, not to the user, and gives other researchers a reproducible method. It also means the hostname identifies the provider's image rather than any particular actor: on its own it is evidence of where a host was built, not of what it is doing.
The infrastructure is heavily concentrated in Russia and dominated by providers such as Stark Industries Solutions Ltd, First Server Limited, and MasterRDP (operating as rdp.monster). These servers function as a "safe haven" for high-profile ransomware gangs, state-sponsored actors, and commodity malware campaigns, shielding them from traditional takedown efforts. The report gives one dated example: in July 2023, WIN-LIVFRVQFMKO hosts were used to target organizations in Italy with the Ursnif trojan. Sophos attributes that activity to the actor known as "Bentley", on the basis that the same static hostname appears in the Jabber chat logs exposed in the ContiLeaks of February 2022.
Security Officer Comments:
Weaponization of pre-configured ISPsystem VMmanager templates: the templates embed static artifacts, specifically NetBIOS hostnames, that persist across deployments. Because the name is set by the provider's image and not by the tenant, it is a reliable pivot from an observed host to the hosting provider, and through the provider to the rest of its fleet.
- The research identified specific hostnames used broadly across this infrastructure:
- WIN-LIVFRVQFMKO (~7,900 hosts): Linked to LockBit, Conti, Qilin, BlackCat (ALPHV), and the exploitation of a FortiClient EMS vulnerability.
- WIN-BS656MOF35Q (~7,800 hosts): Associated with ClickFix social engineering campaigns and stealer malware like Lumma and PureRAT.
- WIN-344VU98D3RU (~7,400 hosts): Linked to TrickBot, RagnarLocker, and RedLine infostealer.
- WIN-J9D866ESIJ2 (~3,600 hosts): Specifically observed in WantToCry ransomware attacks and NetSupport RAT distribution.
- The ecosystem is supported by Russia- or CIS-based providers, including Stark Industries Solutions Ltd (sanctioned by the EU), First Server Limited (linked to the Doppelganger disinformation campaign), Zomro B.V., and MasterRDP (rdp.monster), which retails these services directly on underground forums.
- The infrastructure is predominantly physically located in Russia, with smaller footprints in Germany and the Netherlands.
- The VMs act as staging servers for major ransomware families, including LockBit, Qilin, BlackCat, and WantToCry.
- Attackers are utilizing this infrastructure to host "fake update" pages (ClickFix) to deliver information stealers.
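How the hostname artifact is observed on the wire, as an added example that is not from the Sophos report: the report does not say how the hostnames were harvested, but a standalone Windows host exposing RDP with Network Level Authentication returns an NTLM CHALLENGE_MESSAGE (carried inside CredSSP) whose TargetInfo field holds the NetBIOS computer name, which is what internet scan services index. The script below builds a constructed challenge in that format and parses it back using the MS-NLMP layout. The builder, the sample hostnames and the Version bytes are assumptions for the demonstration, and the CredSSP/TLS wrapping is assumed to have been stripped before the blob reaches parse_challenge.

```python
import struct

# NetBIOS hostnames the report associates with VMmanager default templates.
TEMPLATE_HOSTNAMES = {
    "WIN-LIVFRVQFMKO",
    "WIN-BS656MOF35Q",
    "WIN-344VU98D3RU",
    "WIN-J9D866ESIJ2",
}

# AV_PAIR ids from MS-NLMP 2.2.2.1 (only the ones used here).
MSV_AV_EOL = 0
MSV_AV_NB_COMPUTER_NAME = 1
MSV_AV_NB_DOMAIN_NAME = 2
MSV_AV_DNS_COMPUTER_NAME = 3
MSV_AV_DNS_DOMAIN_NAME = 4
_UTF16_AV_IDS = {1, 2, 3, 4, 5}       # string-valued pairs; id 7 (timestamp) stays raw

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
_HEADER_LEN = 56                      # fixed part of the message incl. the 8-byte Version


def build_challenge(nb_computer, nb_domain, dns_computer, dns_domain,
                    server_challenge=b"\x11" * 8):
    """Constructed CHALLENGE_MESSAGE (NTLM type 2) laid out per MS-NLMP 2.2.1.2.
    Test helper only: a real server picks the 8-byte challenge at random."""
    av_pairs = b""
    for av_id, value in ((MSV_AV_NB_COMPUTER_NAME, nb_computer),
                         (MSV_AV_NB_DOMAIN_NAME, nb_domain),
                         (MSV_AV_DNS_COMPUTER_NAME, dns_computer),
                         (MSV_AV_DNS_DOMAIN_NAME, dns_domain)):
        enc = value.encode("utf-16-le")
        av_pairs += struct.pack("<HH", av_id, len(enc)) + enc
    av_pairs += struct.pack("<HH", MSV_AV_EOL, 0)
    target_name = nb_domain.encode("utf-16-le")
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
             | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION)
    msg = b"NTLMSSP\x00"
    msg += struct.pack("<I", 2)                                    # MessageType = CHALLENGE
    msg += struct.pack("<HHI", len(target_name), len(target_name), _HEADER_LEN)
    msg += struct.pack("<I", flags)
    msg += server_challenge
    msg += b"\x00" * 8                                             # Reserved
    msg += struct.pack("<HHI", len(av_pairs), len(av_pairs),
                       _HEADER_LEN + len(target_name))             # TargetInfo follows TargetName
    msg += bytes([10, 0, 0x61, 0x4A, 0, 0, 0, 0x0F])               # Version 10.0.19041, rev 15 (assumed)
    return msg + target_name + av_pairs


def parse_challenge(msg):
    """Return the TargetInfo AV_PAIRs of a CHALLENGE_MESSAGE as {av_id: value}."""
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00" \
            or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)
    if not flags & NTLMSSP_NEGOTIATE_TARGET_INFO or ti_off + ti_len > len(msg):
        raise ValueError("TargetInfo absent or truncated")
    info, pos, end = {}, ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        if pos + av_len > end:
            raise ValueError("AV_PAIR runs past TargetInfo")
        raw = msg[pos:pos + av_len]
        pos += av_len
        info[av_id] = raw.decode("utf-16-le") if av_id in _UTF16_AV_IDS else raw
    return info


def classify_host(msg):
    """(NetBIOS computer name, True if it matches one of the template hostnames)."""
    name = parse_challenge(msg).get(MSV_AV_NB_COMPUTER_NAME, "")
    return name, name.upper() in TEMPLATE_HOSTNAMES


if __name__ == "__main__":
    # Constructed sample mimicking a freshly provisioned workgroup VM, which
    # reports its own name as the NetBIOS domain.
    sample = build_challenge("WIN-J9D866ESIJ2", "WIN-J9D866ESIJ2",
                             "win-j9d866esij2", "")
    print(classify_host(sample))
```

A match tells you the host was built from one of the provider templates, which, as the play2go[.]cloud test in the summary shows, is true of every tenant of that provider; the hit is the starting point for an IP or ASN list, not a verdict on the host.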
Suggested Corrections:
To defend against this specific threat landscape, organizations should adopt the following strategies:
- Indicator Use: Treat the four template hostnames (WIN-LIVFRVQFMKO, WIN-BS656MOF35Q, WIN-344VU98D3RU, WIN-J9D866ESIJ2) as a pivot rather than as a block rule in themselves: a NetBIOS name is not something a firewall can block, and, as the play2go[.]cloud test shows, every tenant of these providers receives the same name. Resolve the names to IP addresses through internet scan data (RDP with NLA exposes the NetBIOS computer name in its NTLM challenge, which scan services index) and through the Workstation Name field of Windows logon events, then block or alert on the resulting addresses.
- ASN Filtering: Implement heightened scrutiny or blocking for Autonomous System Numbers (ASNs) associated with Stark Industries Solutions and First Server Limited.
- Geo-Blocking: Strictly filter inbound traffic from Russia and other high-risk hosting regions identified in the report unless there is a critical business need, noting that the report also places part of this fleet in Germany and the Netherlands, so geo-blocking alone does not cover it.
- Exploit Remediation: Prioritize patching for public-facing applications, particularly FortiClient EMS, which has been actively targeted via this infrastructure.
- RDP Hardening: Ensure Remote Desktop Protocol (port 3389) is not exposed to the public internet. Use a VPN or ZTNA solution with Multi-Factor Authentication (MITRE ATT&CK mitigation M1032).
- User Training: Educate employees to recognize "fake browser update" lures (ClickFix), a primary delivery method for malware hosted on these VMs.
- Egress Filtering: Restrict outbound traffic to approved destinations and alert on connections to the ASNs named above, so that C2 beacons and ClickFix payload downloads to BPH infrastructure are caught rather than silently permitted.
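Turning the hostnames into a log check, as an added example that is not part of the Sophos report: when a VM built from one of these templates attempts RDP or SMB logons against a monitored Windows host, the client's self-reported NetBIOS name lands in the Workstation Name field of Security events 4624 (success) and 4625 (failure). The events below are constructed NDJSON using RFC 5737 documentation addresses, in the flat field layout many SIEM forwarders emit (field names are an assumption); the script counts failures per source and escalates any successful logon from a template host.

```python
import json
from collections import Counter

# NetBIOS hostnames the report associates with VMmanager default templates.
TEMPLATE_HOSTNAMES = {
    "WIN-LIVFRVQFMKO",
    "WIN-BS656MOF35Q",
    "WIN-344VU98D3RU",
    "WIN-J9D866ESIJ2",
}

LOGON_TYPE_RDP = 10

# Constructed sample events (not real telemetry). Logon type 10 = RemoteInteractive
# (RDP), 3 = Network (SMB and the like). "-" is what Windows logs when the client
# sent no workstation name.
SAMPLE_EVENTS = """
{"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "WorkstationName": "WIN-LIVFRVQFMKO", "IpAddress": "203.0.113.10"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "WorkstationName": "WIN-LIVFRVQFMKO", "IpAddress": "203.0.113.10"}
{"EventID": 4625, "LogonType": 3, "TargetUserName": "backup", "WorkstationName": "win-bs656mof35q", "IpAddress": "198.51.100.7"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "WorkstationName": "WIN-344VU98D3RU", "IpAddress": "198.51.100.22"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "WorkstationName": "JSMITH-LAPTOP", "IpAddress": "10.0.0.15"}
{"EventID": 4625, "LogonType": 3, "TargetUserName": "svc_sql", "WorkstationName": "-", "IpAddress": "192.0.2.44"}
""".strip()


def triage(ndjson_text):
    """Group logon events whose client workstation name is a template hostname.

    Returns failed-logon counts keyed by (source IP, workstation) and a list of
    successful logons, each a dict with ip, workstation, user and logon_type."""
    failed = Counter()
    successes = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # The field is client-supplied: normalise case, and never trust it alone.
        workstation = str(ev.get("WorkstationName", "")).upper()
        if workstation not in TEMPLATE_HOSTNAMES:
            continue
        key = (ev.get("IpAddress"), workstation)
        if ev.get("EventID") == 4625:
            failed[key] += 1
        elif ev.get("EventID") == 4624:
            successes.append({
                "ip": ev.get("IpAddress"),
                "workstation": workstation,
                "user": ev.get("TargetUserName"),
                "logon_type": ev.get("LogonType"),
            })
    return {"failed_by_source": dict(failed), "successful_logons": successes}


def alerts(ndjson_text):
    """Render triage output as (severity, message) pairs, noisiest sources first.

    A successful interactive RDP logon from a template host is rated critical
    because it means a BPH-provisioned VM already holds a session on the target."""
    result = triage(ndjson_text)
    out = []
    for (ip, ws), n in sorted(result["failed_by_source"].items(),
                              key=lambda kv: -kv[1]):
        out.append(("medium", f"{n} failed logon(s) from {ip} reporting workstation {ws}"))
    for s in result["successful_logons"]:
        sev = "critical" if s["logon_type"] == LOGON_TYPE_RDP else "high"
        out.append((sev, f"successful logon for {s['user']} from {s['ip']} "
                         f"reporting workstation {s['workstation']} "
                         f"(logon type {s['logon_type']})"))
    return out


if __name__ == "__main__":
    for severity, message in alerts(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The source IPs this surfaces are what feed the IP and ASN block lists in the corrections above; the workstation name itself is client-controlled, so a missing or unusual value (the "-" row) is neither a hit nor a clean bill.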
https://www.sophos.com/en-us/blog/malicious-use-of-virtual-machine-infrastructure