The victim shaming website operated by the Snatch ransomware group has been found to be leaking data about its true online location and internal operations, as well as the Internet addresses of its visitors, according to KrebsOnSecurity. This information suggests that Snatch, like several other ransomware groups, is using paid ads on Google.com to trick people into installing malware disguised as popular free software. Some examples of software that Snatch has used to disguise its malware include Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.
Snatch first emerged in 2018 and has since published stolen data from numerous organizations that refused to pay their ransom demands. The group publishes this stolen information on a website on the open Internet, with the same content being mirrored on the Snatch team’s darknet site, which is only accessible through the global anonymity network Tor.
KrebsOnSecurity has discovered that Snatch’s darknet site exposes a “server status” page, which provides information about the true Internet addresses of users accessing the site. By frequently refreshing this page, it becomes evident that the Snatch darknet site receives substantial traffic, often attracting thousands of visitors each day. Interestingly, the majority of repeat visitors appear to be coming from Internet addresses in Russia that either currently host Snatch’s clear web domain names or have done so recently.
One particular Internet address, 193.108.114[.]41, which belongs to a server in Yekaterinburg, Russia, hosts several Snatch domains, including snatchteam[.]top, sntech2ch[.]top, dwhyj2[.]top, and sn76930193ch[.]top. Another frequently appearing address is 194.168.175[.]226, currently assigned to Matrix Telekom in Russia. This address has hosted various Snatch domains as well as domains phishing known brands such as Amazon and Cashapp.
Another notable Internet address that accesses the Snatch darknet site is 80.66.64[.]15, located in Moscow, Russia. This address is also associated with Snatch clear-web domains. Interestingly, it is also home to multiple recent domains that resemble popular software companies, including libreoff1ce[.]com and www-discord[.]com. These phishing domains are all registered to the same Russian name, Mihail Kolesnikov, which is linked to recent phishing domains tied to malicious Google ads.
Kolesnikov is likely a pseudonym, but it should also be noted that there are more than 1,300 current and former domain names registered to this name between 2013 and July 2023. Half of these domains are older websites advertising female escort services in major US cities, while the other half are recent phishing domains designed to mimic major software companies’ domains.
It is suggested that Snatch and other ransomware groups may be sourcing their victims by using these phishing domains. In August 2023, researchers with Trustwave Spiderlabs encountered domains registered to Mihail Kolesnikov being used to distribute the Rilide information stealer trojan. However, it is apparent that multiple crime groups may be using these domains to phish people and disseminate various information-stealing malware.
Spamhaus warned of an increase in malicious ads hijacking search results on Google.com in February 2023. These ads were being used to distribute several information-stealing trojans, such as AuroraStealer, IcedID/Bokbot, Meta Stealer, RedLine Stealer, and Vidar. Victims searching for Microsoft Teams on Google.com would often encounter paid ads spoofing Microsoft or Microsoft Teams. Clicking on these ads would redirect users to mlcrosofteams-us[.]top, another malicious domain registered to Mihail Kolesnikov. This website would trick visitors into downloading the supposed Microsoft Teams client, which actually contained the IcedID malware and could steal passwords and authentication tokens from the victim’s web browser.
The founder of anti-abuse website abuse.ch stated that it is likely that cybercriminals sell “malvertising as a service” on the dark web, catering to the high demand for this type of service. This suggests that someone is profiting from generating and promoting new software-themed phishing domains and selling them to other cybercriminals.
The exposure of Snatch’s darknet site’s “server status” page was brought to light by @htmalgae, a security researcher who previously alerted KrebsOnSecurity to the 8Base ransomware gang’s victim shaming site being left in development mode. This oversight revealed not only the true internet address of the hidden 8Base site but also the identity of a programmer involved in developing the 8Base code.
The irony of a ransomware group’s victim shaming site unintentionally leaking its own user data has not gone unnoticed. @htmalgae commented on the situation, stating, “This is a criminal group that shames others for not protecting user data. And here they are leaking their user data.”
It is important to note that all of the malware mentioned in this news article is designed to run on Microsoft Windows devices. However, it has recently been observed that a Mac-based information-stealing trojan called AtomicStealer is being advertised through malicious Google ads and domains that closely resemble software brands. It is crucial to exercise caution when searching for popular software titles online and to be wary of cracked or pirated copies, as they often contain infostealer infections. Rogue ads masquerading as search results should also be double-checked to ensure the legitimacy of the domain before downloading and installing any software.
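The advice above, to check a download domain before trusting it, can be automated on the defensive side. The following Python script is an added example and is not code from KrebsOnSecurity or from any of the researchers named in the article. It refangs the indicators quoted in the article (the three Russian IPs and the Snatch and phishing domains), then scans a constructed proxy-log sample for two things: exact hits on those indicators, and lookalike hostnames built from the substitutions the article's examples show (l for i in mlcrosofteams, 1 for i in libreoff1ce, a www- prefix in www-discord). The log format, the allowlist of genuine vendor domains, and the extra lookalike hostnames in the sample are assumptions of this example, not facts from the article.

```python
"""Flag proxy-log destinations that match the indicators quoted in the article
or look like brand impersonations (libreoff1ce, mlcrosofteams, www-discord)."""
import ipaddress
import re
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("193.108.114[.]41") back into a matchable form."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


# Indicators quoted in the article (defanged there, refanged here).
KNOWN_BAD_IPS = {refang(x) for x in ("193.108.114[.]41", "194.168.175[.]226", "80.66.64[.]15")}
KNOWN_BAD_DOMAINS = {refang(x) for x in (
    "snatchteam[.]top", "sntech2ch[.]top", "dwhyj2[.]top", "sn76930193ch[.]top",
    "libreoff1ce[.]com", "www-discord[.]com", "mlcrosofteams-us[.]top",
)}

# Brands the article says were impersonated. The genuine-domain allowlist is an
# assumption of this example; maintain it from your own software inventory.
BRANDS = ("microsoft", "adobe", "thunderbird", "discord", "libreoffice")
GENUINE_DOMAINS = {"microsoft.com", "adobe.com", "thunderbird.net", "discord.com", "libreoffice.org"}

# Look-alike character classes: every member collapses to the first one. Applied to
# BOTH brand and candidate, so "libreoff1ce" and "libreoffice" canonicalise the same.
_HOMOGLYPH_CLASSES = ("il1", "o0", "e3", "s5", "a4", "t7", "b8", "g9")
_CANON = {c: cls[0] for cls in _HOMOGLYPH_CLASSES for c in cls}


def canonical(label: str) -> str:
    """Lower-case, drop separators, fold 'rn' to 'm', then collapse homoglyphs."""
    text = label.lower().replace("-", "").replace("_", "").replace("rn", "m")
    return "".join(_CANON.get(c, c) for c in text)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: production code should use a
    public-suffix list so multi-label suffixes such as co.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_host(host: str) -> str:
    """Return one of: known_bad_ip, known_bad_domain, lookalike, clean."""
    host = host.lower()
    if is_ip(host):
        return "known_bad_ip" if host in KNOWN_BAD_IPS else "clean"
    domain = registrable_domain(host)
    if domain in KNOWN_BAD_DOMAINS:
        return "known_bad_domain"
    if domain in GENUINE_DOMAINS:
        return "clean"
    # Only the label left of the suffix is checked, so a brand name used as a
    # subdomain of an unrelated site is not flagged by this heuristic.
    label = canonical(domain.split(".")[0])
    if any(canonical(brand) in label for brand in BRANDS):
        return "lookalike"
    return "clean"


# Constructed log format: "<timestamp> <client-ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def scan_log(lines):
    """Return (timestamp, client, host, verdict) for every non-clean destination."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        host = urlsplit(m["url"]).hostname or ""
        verdict = classify_host(host)
        if verdict != "clean":
            findings.append((m["ts"], m["client"], host, verdict))
    return findings


# Constructed sample proxy log (not real traffic); ".example" hosts are invented lookalikes.
SAMPLE_LOG = """\
2023-09-20T09:14:02Z 10.0.0.21 GET https://www.microsoft.com/teams/download
2023-09-20T09:14:31Z 10.0.0.21 GET https://mlcrosofteams-us.top/Teams_Setup.exe
2023-09-20T09:15:10Z 10.0.0.34 GET http://193.108.114.41/status
2023-09-20T09:16:45Z 10.0.0.48 GET https://thunderb1rd-download.example/setup.msi
2023-09-20T09:17:03Z 10.0.0.48 GET https://discord.com/api/v9/gateway
2023-09-20T09:18:20Z 10.0.0.52 GET https://libreoff1ce.com/download/LibreOffice.exe
""".splitlines()

if __name__ == "__main__":
    for ts, client, host, verdict in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {host}: {verdict}")
```

The lookalike check deliberately canonicalises the brand name as well as the candidate, because mapping only the candidate (l to i, say) would also mangle the genuine letters in "libreoffice" and miss the match. Treat lookalike verdicts as review candidates rather than blocks: the heuristic will also catch legitimate third-party sites that embed a vendor name in their own domain, which is why the allowlist of genuine domains is consulted first.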
Part II of this post, which will provide a closer look at the Snatch ransomware group and its founder, will be published soon.
For further reading on this topic, @HTMalgae’s list of the top Internet addresses seen accessing Snatch’s darknet site, Ars Technica’s article on the need to be cautious when using Google to download software, and Bleeping Computer’s coverage of hackers abusing Google ads to spread malware in legitimate software are highly recommended.