gric.recherche.usherbrooke.ca Open in urlscan Pro
132.210.236.34  Public Scan

Form analysis
0 forms found in the DOM

Text Content

 

Illegitimate residential proxy services: the case of 911.re and its IOCs

By Marc Frappier, Philippe-Antoine Plante, Guillaume Joly

{marc.frappier, plap1903, jolg2405} @usherbrooke.ca

Abstract

Residential proxy services (RPS) allow someone to rent a residential IP address
to use it as a relay for his/her internet communications, providing anonymity
and the advantage of being perceived as a residential user surfing the web.  For
the visited servers, the IP traffic appears to originate from the rented
residential IP address, not from the original RPS user.  These RPS can be used
in a legitimate manner for several business purposes (e.g., market survey, seo,
etc), allowing the RPS user to bypass access control based on the IP source
address (e.g., filtering out VPN, cloud services, competitors, country-based
access, etc).  However, they can also be used for hiding criminal activities and
making it very difficult to trace malicious traffic to its original source. 
Some well-known RPS, like Brightdata, recruit residential proxies through some
level of informed consent, and filter/vet RPS clients to avoid illegitimate use.
Other RPS, like 911.re, recruit residential proxies with a less than clear
consent and do not filter at all RPS clients, opening the gate to an
illegitimate use of a residential proxy, exposing the person legally associated
to the residential proxy to some severe legal consequences. During the research
we identified two free VPN services that uses a subterfuge to lure users to
install software that looks legitimate but makes them part of the network. These
two software are currently unknown to most if not all antivirus companies. This
research enabled the discovery and exposure of the s911.re infrastructure and
over 120,000 residential nodes of its network.

Keywords

{RPAAS, Residential Proxies, s911.re, malware, C2, command-and-control, C&C }

Timeline

January 2021 – Beginning of the research project

November 2021- April 2022 – Active collection phase

June 2022 – Presentation of the results

Introduction

Residential Proxies As A Service (RPAAS) is a recent trend in internet anonymity
services. It enables legitimate and malicious actors to anonymise their network
traffic by directing it through residential nodes which behave like proxy
servers, bypassing multiple security mechanisms such has VPN detection. We
assessed RPAAS providers and found the 911.re service. Beginning in January
2021, our research mainly focused on this subscription-based service, openly
available on the internet to any user. 911.re is known to be among the largest
residential IP provider. It offers to rent residential nodes without any vetting
or verification process. We have reverse engineered the infrastructure of the
911.re service and listed all available residential nodes at the time of our
capture.

At the time of this publication, the binary and network signatures of its
various recruiting programs are not flagged as malicious traffic by antivirus
systems. Residential node owners listed on 911.re could face criminal or civil
liability if their computer is used by malicious actors, since the malicious
traffic will appear to originate from them. We have produced IOCs for
residential proxy nodes and the 911.re infrastructure.  As of today, there are
over 120 000 residential proxy nodes in the 911.re network, distributed all over
the world. Our research identified two applications that recruit residential
nodes to make them available on the 911.re network.

Research methodology

Initially the team developed hypotheses on the inner workings of the 911.re
RPAAS based on known malicious botnet network infrastructure knowledge. It was
expected that the network would operate using one or several command-and-control
servers (henceforth called C2) to keep persistent communications with recruited
residential nodes.  The main challenges in operating such a network are to
recruit nodes and to maintain persistent communications with them to provide an
adequate service level to 911.re users.  Also, there must be nodes in several
cities around the world in order to make the service attractive to the 911.re
users.

Initial hypotheses

·         The primary hypothesis was that there was some IOCs that could be
collected by sniffing the network link of a recruited node that we purchased
through the 911.re service while generating a significative amount of network
traffic in a short lapse of time.

·         The proxy service is installed on the recruited residential node
without appropriate, informed consent of its owner.

·         The proxy system operates a botnet-like infrastructure.

·         The recruited node communicates multiple C2 that are located offshore
or hosted within a cloud server.

911.re service

The 911.re service is a paid subscription service where end users can buy to
rent residential nodes. The service appears to have been operating since early
2018.



Image 1: 911.re website product features

The platform is operated in offshore manner with the shell corporation
International Media Ltd as owner of the service. There is currently no public
knowledge of the owners or operators of the 911.re service. Moreover, two
different shell corporations are used to sign the binaries in order to add
legitimacy to the software Mask VPN and Dew VPN.  The end users do not have full
knowledge that they are part of the 911.re network when they install Mask VPN or
Dew VPN.

 



Image 2: Dew VPN binary certificate issued to: Grand Media Ltd



Image 3: Mask VPN binary certificate issued to: Global Media Ltd

 



Image 4: Incorporation records for Grand Media Limited (UK)

 



Image 5: Incorporation records for International Media Limited (UK)


911.re Infrastructure

The 911.re infrastructure is designed to obfuscate the true nature of the
infection. The 911.re network modus operandi appears to date back in 2018, with
the service Proxygate. The Proxygate ancestor interface and the 911.re interface
share several characteristics.

Participation in the network as a proxy node for Proxygate was clearly stated
and consensual, while it is less clear in 911.re.   All the network traffic
between the infected nodes and the C2 server is encrypted. The infected nodes
that have installed Mask VPN or Dew VPN are still able to use the VPN software
legitimately to navigate the internet, however the service creates a backdoor
and connects back to a C2 server located in the Krypt Technologies backend. This
TCP connection in the background also has a heartbeat and it is what makes the
node available for usage in the 911.re software.

Image 6: Proxygate inferface



Image 7: 911.re interface

 



911.re does not operate in a simple straight forward manner. The infrastructure
is made so that it is complex to reverse engineer. The infected nodes have
either Mask VPN or Dew VPN installed. They connect to a server that provides
them with a legitimate free and functional VPN service. The free VPN service
provides the end user IPv4 within the M247 ISP subnets. However, at the same
time, their computer is joined to a botnet like infrastructure, through a
permanent TCP socket connection. This TCP connection is made to the C2 servers
of the 911.re backend infrastructure and renders the node available for
connections through the 911.re interface. A heartbeat process is in place to
ensure the node is listed as available. At no time, there is direct connection
between the infected node and the 911.re paid subscriber even when the node is
selected, and traffic passes through. All the network traffic is always routed
between the C2 servers that are USA based, reducing the risk of anomaly
detection by IDS or IPS systems. Mask VPN and Dew VPN are using a custom
implementation of the open-source OpenVPN.  

 



 

 

 

Methodology

With the collaboration of our research partners, we were able to collect
incoming and outgoing TCP traffic flow from several infected nodes. This enabled
us to discover a link between 911.re, and one of its recruiting applications,
Mask VPN. During our reverse analysis of Mask VPN, we were able to identify
another recruiting application, Dew VPN.

 

Deploying Mask VPN and Dew VPN on several separate virtual machines in different
OS / environments, we have analyzed the behavior of the 911.re network.
Installing Mask VPN or Dew VPN made the virtual machine available for
connections on the 911.re client application after about 15 minutes. Using the
client application, we were successfully able to connect and use the routable
IPv4 address of the infected nodes with the 911.re client with an active
subscription. Additionally, there is currently no vetting process for the end
users, therefore enabling all sort of usage of the 911.re service. A
multi-thread collection infrastructure was created and used to collect around
120,000 nodes.  The information collected on each node were the IPv4 and the
timestamp of the positive detection. Using Maxmind’s database we were able to
collect further information such has country, city, ASN and ISP or the infected
node IPv4.

 

911.re Network Extent

Our analysis enabled us to find a total of 118,804 nodes on the 911.re network.
The collection process began 2021-11-10 and ended on 2022-04-26. The node
collection process was made by using a specifically crafted multi-threaded
system. A full collection run normally lasts about 7 days.

Table 1: Total number of unique IPv4 occurrence between 2021-11-10 and
2022-04-26

118,804 unique IPv4 nodes

Table 2: Top 20 nodes occurrence per Country

United States

20022

South Korea

12470

Peru

9421

Japan

9305

Canada

8115

Spain

7612

Taiwan

7373

Italy

4369

France

4075

United Kingdom

3776

Chile

3504

Australia

3140

Germany

3123

Hong Kong

2213

Belgium

1759

 

Table 3: Top 10 Unique IPv4 occurrence per ISP

Korea Telecom

6556

Spectrum

4343

Comcast Cable

4291

Telefonica del Peru

4246

Chungwa Telecom

3141

Claro Peru

2549

SK BroadBand

2501

AT&T U-verse

1745

Vodafone Germany Cable

1570

NTT

1562

 

During our analysis, nodes within several major US-based Universities and
Colleges, critical infrastructures such as clean water, defence contractors, law
enforcement and government networks were seen as available for purchase with the
911.re interface.

 

911.re pricing



 

Proxy Node Vulnerabilities Exploitable by 911.re users

IP filtering-based service

Some ISP providers offer access to their customer service (eg, Internet TV
service, etc) without asking a user id and password when the service request
originates from one of their IP addresses, because they assume that it is
sufficient to authenticate the user based on the source IP address. When the
node is available as a residential proxy, the 911.re user can then access the
ISP customer service as if he/she was the owner of the residential proxy.  Thus,
an 911.re user can browse the account of the residential proxy on its ISP
provider and potentially gain confidential information.

It would be interesting to investigate if other web services allow one to bypass
authentication based on the source IP address of the request.  This would also
open the door to illegitimate use of the residential proxy owner account by a
911.re user.  Poorly designed cookies could also be exploited.

 

Lateral movement attacks

The infection of a node enables the 911.re user to access shared resources on
the network such has local intranet portals or other services. It also enables
the end user to probe the LAN network of the infected node.

DNS router cache poisoning

Using the internal router, it would be possible to poison the DNS cache of the
LAN router of the infected node, enabling further attacks.

 

How to disable mask VPN and dew VPN

After conducting a full software uninstall, usually the node becomes
unavailable, and the persistent TCP connection is no longer available. However,
a full Operating System reinstall is suggested.

1.      Completely uninstall either or both software through the Windows
Programs and Features from the Control Panel;

2.      Net stop MaskVNService

3.      Net stop DewVPNService

4.      SC DELETE MaskVNService

5.      SC DELETE DewVPNService

 

Conclusion

This research enabled the discovery of a mid scale botnet-like infrastructure
where the payload is unknown to antivirus compagnies and that operates in
several networks, such as corporate, government and critical infrastructure. The
911.re network uses at least two free VPN services to lure its users to install
a malware-like software that archives persistence on the user’s computer. The
full extent of the scale of the network is currently unknown and is of interest
for further research.

 

Indicators of compromise (IOCs)

X509 Certificates

Name Global Media (Thailand) Co., Ltd

Issuer DigiCert EV Code Signing CA

Valid From 2020-06-22 00:00:00

Valid To 2021-06-30 12:00:00

Algorithm sha1RSA

Thumbprint BA2CC98AE9760F4B584973A51436D6896BA20291

Serial Number 0C 27 3D 79 82 0C D6 0B 57 09 19 4D 6E 42 B0 16

 

Name Grand Media Ltd

Issuer DigiCert EV Code Signing CA

Valid From 2020-03-10 00:00:00

Valid To 2023-06-01 12:00:00

Algorithm sha1RSA

Thumbprint DF58A6BE47E831DE8D7A36944CFC8C456F1E4E3E

Serial Number 09 62 7F B7 13 23 16 85 DC FD 5A 5C 20 AA A8 08

 

Binaries

·         Maskvpn.exe (2/68 virus total)

MD5: a220528f31dceddc955b791b13ac4989

SHA-1: 57a83b83a11b6e27c9e88a7835d8a84744d79bdd

SHA-256: e801fa187027537337d8b4e4bde3a7da95499172f6b1477830a216d0a385518b

 

·         Dewvpn.exe (1/67 virus total)

MD5: 12059484a8951a8356c60c46f659a35e

SHA1: 3916aeaa61a6e97d6c1746b18c05fd77584de5d8

SHA256: daa21c58a1ace38d1eebcda6fef3502fa3492ccf09fbccfa6ce103c9222d9afc

 

·         maskvpn-setup.exe (2/68 virus total)

 

MD5: f9634d85ca0138cfddfe6e58fa1c6160

SHA1: 5ffa0b96b7257d804beddb87b0a21e871a1296b4

SHA256: 1013eb0e3dbbc16c8b6d0659cca46a084e767b2d9bb8e498e07016bfdb978780

 

·         mask_svc.exe (1/67 virus total)

 

MD5: c6b1934d3e588271f27a38bfeed42abb

SHA1:08072ecb9042e6f7383d118c78d45b42a418864f
SHA256: 35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

 

·         DewVPN-Setup.exe (1/67 virus total)

 

MD5: 8e8b072c93246808a7f24554ca593c59

SHA1: d06418cacd11e25af37a41724d55dffc24d6fe5b

SHA256: f422a38d72785c402948c94ae81336383a9fd48167272f29cdc434ce7e51e02b

 

·         dew_svc.exe (0/69 virus total)

 

MD5: 5feb35a7186a5be50b7aa158866b8aa3

SHA1:c0c7e272f3e48d8dfe559aa5f63ad3a46c76fb9e
SHA256: a8e72d202f9a83e6bdfd03a822fae6d4ee2d4b35a6f73a06e9d59e2e49b3070a

 

DNS queries:

·         vpn[.]maskvpn[.]org

·         user[.]maskvpn[.]org

·         net[.]dewvpn[.]com

·         wan[.]dewvpn[.]net

·         connect[.]dewvpn[.]cc

 

IPv4:

·         98.126.176.51

·         98.126.176.52

·         98.126.176.53

 

======

 

·         67.198.169.2

·         98.126.244.26

·         98.126.13.146

·         174.139.80.66

·         67.229.60.114

·         174.139.78.106

·         98.126.1.130

·         174.139.100.202 

·         67.198.134.186 

·         98.126.5.106 

 

Outgoing TCP ports used by Mask VPN and Dew VPN to initiate persistent C2
communications

·        441 TCP

·        430 TCP

·        433 TCP

·        434 TCP

·        436 TCP

·        440 TCP

·        439 TCP

·        435 TCP

·        428 TCP

·        432 TCP

·        438 TCP

 

References:

X. Mi et al., "Resident Evil: Understanding Residential IP Proxy as a Dark
Service," 2019 IEEE Symposium on Security and Privacy (SP), 2019, pp.
1185-1201, doi: 10.1109/SP.2019.00011.