Coquettte Malware Campaign Unmasked by OPSEC Blunder on Bulletproof Hosts
A rookie cybercriminal has inadvertently revealed details of the Coquettte malware campaigns by relying on the Russian bulletproof hosting service, Proton66.

Turns out, even cybercriminals make mistakes. Security researchers recently stumbled upon a novice hacker who was using a Russian bulletproof hosting service – Proton66 – to run their operations.
DomainTools made the discovery after finding a dodgy website, cybersecureprotect[.]com, which posed as an antivirus service and was hosted on Proton66. It seems our amateur-hour hacker made a crucial error.
The security firm noticed a major operational security (OPSEC) slip-up: an open directory on the server. This mistake left the malicious infrastructure wide open, exposing the malware stored on it.
"This revelation led us down a rabbit hole into the operations of an emerging threat actor known as Coquettte," DomainTools said in a report shared with The Hacker News. Apparently, Coquettte is an amateur cybercriminal using Proton66's bulletproof hosting to spread malware and get up to other nefarious activities.
Proton66: A Hub for Budding Cybercriminals?
Proton66, which has links to another BPH service called PROSPERO, has been linked to multiple campaigns that distribute malware for both desktops and Android devices. We're talking about nasty stuff like GootLoader, Matanbuchus, SpyNote, Coper (aka Octo), and SocGholish. Phishing pages hosted on the service have also been pushed out via SMS messages to trick people into handing over their banking details and credit card info.
Coquettte is just one example of a threat actor taking advantage of Proton66's services to distribute malware disguised as legitimate antivirus tools. Clever, but not clever enough!
The malware comes in a ZIP file called "CyberSecure Pro.zip." Opening it runs a Windows installer, which then downloads more malware from a remote server ("cia[.]tf"). This server acts as a command-and-control (C2) server, doling out secondary payloads.
This second-stage malware is a loader known as Rugmi (also called Penguish). Rugmi has a history of deploying information stealers like Lumma, Vidar, and Raccoon.
Who is Coquettte?
Digging deeper, researchers found a personal website belonging to Coquettte. On the site, they claim to be a "19-year-old software engineer, pursuing a degree in Software Development." Yikes!
Adding insult to injury, the cia[.]tf domain was registered with the email address "root@coquettte[.]com." This pretty much confirms that Coquettte controlled the C2 server and ran the fake cybersecurity site as a malware distribution center.
"This suggests that Coquettte is a young individual, possibly a student, which aligns with the amateurish mistakes (like the open directory) in their cybercrime endeavors," DomainTools noted.
More Than Just Malware
But wait, there's more! Coquettte's activities aren't limited to malware. They've also been running websites that sell guides for manufacturing illegal substances and weapons. Coquettte is thought to be loosely connected to a larger hacking group called Horrid.
"The pattern of overlapping infrastructure suggests that the individuals behind these sites may refer to themselves as 'Horrid,' with Coquettte being an alias of one of the members rather than a lone actor," the company explained.
It seems this group could be an "incubator" for aspiring cybercriminals, providing resources and infrastructure to those looking to make a name for themselves in the underground hacking world.