# An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure

**medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145**

Benoit ANCEL August 8, 2022

[Benoit ANCEL](https://medium.com/@benkow_?source=post_page-----89b9188fd145--------------------------------)

Aug 8


15 min read

One, if not the main, challenge with producing good intelligence is to have access to the right information at the right moment. The right
telemetry from the right angle helps you to detect and dig out the right signal. Sometimes, in order to obtain good telemetry, you need a bit of
luck .

The story we are writing here will try to explain how, from a simple mistake made by an operator, we managed to collect and exploit a lot of
precious information from a “Fast Flux” network called BraZZZerS Fast Flux between end of 2018 and 2022.

After sharing this data as TLP:amber with partners for years, the service now going into decline and the misconfiguration finally being fixed, we
think it is now the right time to release this data and explain what can be found inside. It is a good occasion to try to fill any holes in your
documentation and keep track of the technical facts about the cybercrime history.

## BraZZZerS Fast Flux: Domain anonymization for all

During mid-2018, we observed an actor using the nickname BrazzzersFF to promote a service based on a system of domain anonymization
described as a fast flux:


-----

ey e a e ca ed a e s, a d e o t ee t gs
1. On the Internet, millions of projects, but “locating” the server of any of them is easy — thanks to the IP-address.

2. Projects are different. There are some who, for certain reasons, better hide the IP address.

3. It is possible to make sure that no one knows about the real location of the server. No one — from the word “in general”.

For this, we have FastFlux technology, which will change your IP addresses faster than anyone can track them. We are ready to install
this system on your servers and in the future to ensure that it will work as a clock. And we will do it around the clock, since we, unlike
most of the services of this type, have real and professional support 24 hours a day, without holidays and weekends.

We are BraZZZers. We are a group of experienced professionals, who at one time separated from another similar company in order to
make the quality of our services even better. And we will make you completely invisible, elusive and impregnable.

Now it is more concrete. Except actually FastFlux, we offer you a lot of additional privileges.

1. Qualitative, professional round-the-clock technical support in any time zone.

2. Launch services within 15 minutes after payment.

3. Own control panel FastFlux:

   - with automation of actions and processes

   - with domain registrations — coming soon

   - with automatic billing and notifications — coming soon

   - with instructions for any types of records for domains (MX, etc.) — coming soon

   - and with a lot of other pleasant and useful bonuses, over which we are working hard.

4. The tariff includes server rental, at your service:

   - a set of standard configurations, as well as the ability to select a server with individual parameters according to your request

   - constant protection from DDoS attacks

   - 24-hour monitoring and support

  - Guaranteed communication channel.

5. Absolute bulletproof / fault tolerance. All systems are under round-the-clock automatic and manual monitoring of our specialists.

6. A large database of own DNS-addresses, which is constantly expanding.

7. The ability to create or configure your own DNS addresses with the required geography.

8. We are always ready to meet you and completely create FastFlux for you with your individual settings and conditions.
9. We have the highest uptime on the market. We guarantee this.

10. Support for .bit domains and SSL certificates (getting or creating your own certificate in one click).

11. You choose the traffic receiving port yourself.

12. Our technical support is quite extensive. We will be happy to set up your server, install the necessary software and help with other
technical issues.

We are working to ensure that the list of our advantages is expanded and expanded. More detailed conditions we will discuss with you
personally and strictly confidential.

Also, we have a keshbek system. If for some reason, for some reason, we can not provide you with the agreed services in full, you are
guaranteed to get your money back. It should be remembered that the cacheback does not work in the following cases:

   - If your project failed due to reasons beyond our control

   - If your software is not installed for some reason (in the conditions that we have installed a predefined OS, php version, etc.)

   - If you are blocked by the server after launching traffic directly, bypassing FastFlux.

Are you tired of the constant failures of the old supplier? Or do you want to receive services at a more attractive price? For us this is a
matter of principle. We guarantee that we will pay you less than our competitors. In addition, we have an extremely flexible pricing policy,
and we are ready to consider the individual tariff for each of your requests.

Also, we are working on improving our panel every day. Therefore, new features and capabilities will always appear.

In general, if you are looking for a reliable and optimal provider of Internet privacy services, then you are at the right address. The only
nuance is we are absolutely against violence against children and animals, therefore on our servers will never be neither childish nor
zoo. And in the rest — write to us and enjoy online invisibility!

P.S. If you are a reseller who is tired of the administration and imperfection of your product, we will happily take on your shoulders your
cares for customers. Right now we are developing API for resellers — and you can safely work on our software under your own brand.
You will need a minimum deposit, and we are ready to discuss the remaining conditions individually.

The service is described as a Fast flux but in reality it’s more a simple proxy system. BraZZZers rents a pool of VPSs all around the internet
and uses them as proxy IPs in order to hide the real IP of a server.


-----

Brazzzers mechanism
The domains involved are resolving to a list of IPs, (we observed from 1 up to more than 20 IPs per domain) that are just redirecting the traffic
to the real server. The abuse complaints are usually sent to the host of the IP resolving to the malicious domain but with BraZZZers each
domain has backup volatile IPs and the real malicious server is protected.

In order to configure their domains, each client of BraZZZers has access to a panel where they can configure their domain records. In the early
beginning, BraZZZers suggested the use of their own name servers but they ended up proposing DNSpod by default like most criminals are
now doing.


-----

BraZZZers login panel

BraZZZers client panel
[BraZZZers is just another domain protection service like Yalishanda or even](https://krebsonsecurity.com/2019/07/meet-the-worlds-biggest-bulletproof-hoster/) [Sandiflux/Fluxxy.](https://www.proofpoint.com/us/threat-insight/post/sandiflux-another-fast-flux-infrastructure-used-malware-distribution-emerges)


-----

o de to d a d t ac a e s c e ts t e d, e ad to a e su e t at t e ast u e e e obse g as ea y a e s a d ot
one of the other similar services. In December 2018, an announcement made on the forum BHF helped us to understand where to look in
order to find BraZZZers nodes.

19 Dec 2018

In connection with recent events, the fact that the author decided to completely close the sale and support of software, people are
already appearing on the Internet forums who speculate on this situation. Please be vigilant.

I decided to create one topic, which will be considered official and unified in order not to produce a lot of topics when questions arise.

The author left us a builder so that we could rebuild further our clients. Don’t panic :)

Let’s, in case of any questions about the software, ask them here, answer each other, to the point and without unnecessary flooding,
please.

I propose to exterminate the rats, to prevent them from getting rich on the panic in the market.

At the end of 2018, the manager of the Azorult stealer gave up on the project and left a builder to the BraZZZers admins.

Similar signs came from the managers of the password stealer KPOT who where directly reselling BraZZZers with the KPOT package:

The price now is $ 75, but you can still buy at the old price ($ 65) in the case of buying a pre-installed KPOT on the BraZZZerS hosting.
The price for everything will be $ 215 and $ 150 for each subsequent month of hosting. When buying a pre-installed version, you
immediately get a ready-to-work admin and build, initially configured for a bit domain, change it if necessary. The number of pre-installed
versions is limited!

Thanks to those posts and several other intel signals (like the association to MoreneHost) we managed to attribute the correct IPs and map the
BraZZZers network.

## Mapping BraZZZers nodes

Mapping the BraZZZers infrastructure is actually quite simple.

The first and easiest way is to use passive DNS.

You identify a BraZZZers customer
You resolve their domains
You use pDNS on the IPs (BraZZZers nodes are shared between customers)
You pivot until covering the maximum of IPs.

However, the pDNS method has its limits for mapping infrastructure since you can only discover known DNS resolutions and must to be very
careful with the time frame while pivoting in pDNS.

In the same way, we quickly observed that since 2018, BraZZZers used the same TLS certificate for its nodes:

03:21:56:e1:5c:92:6a:e6:3d:a4:c1:b6:51:54:c3:ff:cc:35

You can then use your favorite mass scan provider and look for new IPs.


-----

We also realized that every BraZZZers node uses the hostname “ns4.dnsdns.gdns”, which makes the nodes searchable for mass scan
providers and then pDNS pivot is possible.

Yet, we found an even better way to map the network. By analyzing each node of the infrastructure we discovered an interesting Nginx
configuration problem.

## The Nginx misconfiguration

While configuring the deployment of a new node for protecting domains, the Nginx vhost configuration was setup to disable error_log logging.

The admins edited the Nginx configuration file by setting “error_log off” where “off” should actually be a path. The way the virtual hosts were
configured ended up writing the error_log in a file called “off” in the html directory!

The logs contain two types of logs. The first kind are the upstream errors:

The upstream error tells us:

A client: tried to resolve
The connection between the proxy node and the real server has failed, generating an upstream error.
The upstream shows us that on the 2019/09/02
The request was generated from a referrer: https://check host net/check report/b0f5f12kdac


-----

y oo g at t at og e ca u de sta d t at t s a equest se t o a c ec [ost accou t, a](https://check-host.net/) eb se ce used to o to t e up t e o a
domain.

The second kind is less interesting but still leak a lot of information, it’s basic error_log information. Every 404 detected on the nodes (you can
see a lot of mass web crawlers mass scanning IPs for example). These errors are often generated when a domain is resolving to a BraZZZers
node and that node doesn't have a virtual host configured for the domain. Example of log:

In the log we can see that:

A client 96.57.xx.xxx
Sent a web request “GET tuneappservice.org/l3k42hj56h634gkj2lk14356jk4gh23k5jl6h4/gate.php?
ped=RTY3M0E4NjhDQ0I5JE1DLTEwNw”

We can see here what looks like a malware callback, it’s in fact [Riltok (Android malware). The log leaks victims information (IP and “ped”) but](https://securelist.com/mobile-banker-riltok/91374/)
also a web path 3k42hj56h634gkj2lk14356jk4gh23k5jl6h4/gate.php. Enough data to generate more intel.

Riltok panel
After understanding the value of that data, we quickly built different tools to store and parse those logs and just like that started a very
interesting 4 years journey.

As a reminder, these logs represent a very small fraction of the BraZZZers traffic. We only catch the requests that have failed. If we compare
the number of requests collected on BraZZZers with a botnet like Dreambot and the effective traffic captured on the control server, the
error_logs represent less than 5% of the total traffic; but those 5% are still gold.

We will now try to describe a few use cases observable in these logs in order to demonstrate what kind of data are available.

## Use cases

**Nemty ransomware and JWT leak**


-----

e ty as us g a e s to p otect ts do a s e ty top a d e ty

The logs showed us that the Nemty’s web panel was based (until the last year of Nemty’s life) on [socket.io. The polling service was leaking](https://socket.io/)
very important information on a GET request: the JWT token. By reusing that token in a cookie, you could access the Nemty’s panel
authenticated as the user related to the token:

By observing Nemty’s requests, we can easily analyze which IPs are contacting the admin panel section and then start an intel operation
against the threat actors.


-----

A simple config mistake from BraZZZers ended up compromising the whole operation. Like most of the other clients of BraZZZers, Nemty
trusted the service to hide their backend and didn’t take any extra precaution to hide the real IP from the BraZZZers network.

**The hidden panel of Azorult**

The leaked BraZZZers logs has been particularly handy with the Azorult stealer. In order to protect the webpanel of Azorult, the developers of
the stealer forced the installation of the webpanel into a web directory with a random name (I.E.
domain.com/fsebkjfxbefxdrhvbrghjkvb/admin.php)

This random name makes it theoretically impossible for anybody to guess the webpanel URL.

When the Azorult project was abandoned, the malware was still very active in the wild and omnipresent around BraZZZers infrastructure.

Thanks to the logs, you can now follow every hidden panel and filter every request sent to the admin panel php pages in order to collect threat
actor information.

The hidden panel / random directory name trick is very popular among malware developer and BraZZZers helped us a lot to collect precious
intel.

**DJVU/STOP ransomware**

Another example of client of BraZZZers leaking its panel was DJVU/STOP ransomware:


-----

The logs leaked the hidden web panel “sjdhgfgshdgfhhjsdpenelop26” giving us access to an affiliates panel:

[Some developers also used a password in a GET request to display the login form of the panel. The interesting Coalabot was doing this years](https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html)
ago, and again BraZZZers compromised them.

**ISFB**

One of the most interesting clients of BraZZZers is for sure ISFB. We observed several branches of ISFB using BraZZZers to hide its domains,
[the most active branch was Dreambot. The BraZZZers proxies were responsible for huge damage to the Dreambot setup.](https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122)


-----

st, t e upst ea ogs o cou se ea ed t e co t o pa e s

Requests like this were very typical for ISFB bots. With Dreambot, the port 80 of the control server was reserved for the bots and the port 3000
for the panel.

Even if we imagine that the Dreambot operators were using basic security like, for example, not using admin:admin as credentials, the
BraZZZers requests acted like a sinkhole and allowed us to capture and analyse lots of Dreambot campaigns and alert victims.

When BraZZZers leaked a log like:

http://antidoping.at/images/W7DM8fQnAkZl5/w_2BSbbA/6KBhhx7wg5evMuvuMv1oao4/U6yRGzURZD/XiL01nc5vbfiBN4bX/1hU3GL4_2F8A/_2Br5AtZ

[We could easily (thanks here to Fumiko) parse those requests and extract campaigns data without even having to look for a binary:](https://twitter.com/fumik0_)


-----

Top 20 hits by an ISFB domains to BraZZZers

ISFB versions distribution from the logs

Dreambot serpent keys observed in the logs


-----

Victims clusters, showing the 3 botnets US, JP, DE/BG/EU
While parsing the logs we found some interesting ISFB requests, like the early deployments of IAP2; or even surprisingly GoziAT with domains
configured on localhost.

**Cryptbot Stealer**

[Another cool piece of malware to follow in these logs is Cryptbot. The operator of Cryptbot managed to build a huge botnet hidden behind a](https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger)
quite resilient infrastructure. It has been very hard to obtain intel - until we looked at BraZZZers.

We can observe the early days of Cryptbot dating back to 2019. Thanks to the upstream we were able to monitor them using the same IP as
central CnC for months: 5.182.39[.]172.

If you do a reverse lookup and look for all the domains configured to that IP, you will see that Cryptbot in its early days was hosting its own
marketplace in order to resell their stolen logs.


-----

On top of the usual .top domains used as CnC gateway, we saw the infrastructure hosting shops like larek.info or magazzz.top

Month after month you can observe the botnet evolving into multiple botnets split on different infrastructures.

This is just another example of how useful these logs can be. Looking up every domain attached to the same hidden IP is a great way to help
your attribution. Lots of actors were sloppy with real server IPs, thinking they were protected by BraZZZers.

**Marketplaces**

BraZZZers was not only reserved to malware, we observed a fair amount of Market places / carding shops. Some well-known ones like
slilpp.top or cop.su could be found here.


-----

We extracted a list of the most known ones from the logs:

darknet.so
cop.su
vor.nz
srost.biz
slilpp
v-market
cvv2.name
cvvshop.lv
hybra2web.ru
vault.ug

**Magecart**

As a final example, we will show how to exploit the referrers with Magecart (a.k.a. eCommerce skimmers) . Several domains on BraZZZers
were used for Magecart attacks:

By looking at the referrer in the logs, we could see that the domain toplevelstatic.com is called from several shops blockandcompany.com,
_thepinkdoormemphis.com… From the logs you can easily create a list of web shops infected by a web skimmer._

As can be seen from those few examples, different approaches are possible in order to extract valuable data. Those logs are quite diverse,
you can see requests from multiple botnet families, for example ISFB, PsixBot, DJVU, Nemty, Ako, Riltok, Coalabot, Cryptbot, Megumin,
Azorult, KPOT, Betabot, ZLoader, DiamandFox, Vidar, Lokibot, TinyNuke, OSX malware…

## Global stats


-----

ga, p ease bea d t at t ese ogs o y s o t e a ed equests o t e a e s ast uctu e e be o stat st cs ca e p to see
tendencies but cannot necessarily be used to determine who was receiving the most traffic.

Top hits by domains in the BraZZZers logs

Top hosters used to host the BraZZZers proxy nodes
This story teach us that nobody is immune from a incompetent supply chain. It’s a good example of the limits of the open cybercrime industry.
The business is mainly based on trust and reviews and we have seen several cases where BraZZZers admins were pushing fake reviews to
boost the reputation of the service. From here it’s the snow ball effect and it just needs one big name like Azorult or a ransomware group
patient enough to tolerate the poor quality service to attract more clients.

While following the business side of BraZZZers, we observed several users reporting the poor quality of the service, the grey links to the
hosting company MoreneHost or the low frequency of nodes renewal but that hasn’t been enough to scare away the majority of customers.


-----

e e pect to see o e a d o e cases e t s o e e cybe c e dust y s g o g uc aste t a t e s s o t e cybe c a s
Almost every step of fraudulent activity is now supported by a third party within the market. Malware, VNC, infrastructure, drop data, drops,
marketplaces. The industry end up with a multitude of poorly developed services sold in open marketplaces to customers completely unable to
understand if a service should be trusted or not as long as it works.

## Opening the data

As explained in the introduction, the data is composed of upstream and 404 logs from end of 2018 to March 2022. To make the interesting data
available, while trying not to expose victims IPs, we are opening all the upstream logs without client IPs as TLP;WHITE.

The file is a csv: date,domain,upstream,referrer.

[[Download] — Zip password: infected](https://benkow.cc/braZZZersUpstream2018-2022_.zip)

ef2a69c94e5420f44ee0932abbfaf8e3b4f5f5bb6308a4928dc4dd4bc06f6d4c

We hope these logs will maybe make somebody out there able to look at them from yet another angle.

Happy hunting!


-----