Full Report
Connecting the dots from Lumma to Qwins Ltd (ASN 213702)
Analysis Summary
# Threat Actor: Unattributed Actors Utilizing Qwins Ltd Infrastructure
## Attribution & Identity
The analysis focuses on infrastructure linked to **ASN 213702, Qwins LTD (later renamed "QUALITY IT NETWORK SOLUTIONS LIMITED")**. This entity is described as a "very interesting Russian operated hosting provider" offering VPS and dedicated servers. The infrastructure appears to be utilized by multiple threat actors or one actor involved in diverse campaigns.
## Activity Summary
The investigation pivoted from tracking the **Lumma** malware family to identifying non-CDN-protected infrastructure, leading to the discovery of Qwins LTD's involvement. This infrastructure is hosting various malicious payloads and is suspected of supporting bulletproof hosting operations. Activities observed include:
* Hosting phishing and impersonation sites (e.g., impersonating "Brex" financial services).
* Hosting Command and Control (C2) infrastructure.
* Distribution of initial malware payloads.
## Tactics, Techniques & Procedures
The infrastructure supports several distinct stages of malicious operations:
- Hosting malicious payloads (exe, zip, rar files).
- Serving as C2 infrastructure for active malware.
- Hosting phishing/impersonation lures.
- Communication clustering suggests distinct attack chains (e.g., droppers on 95.164.x.x leading to payloads on 93.123.x.x, and stealer communication to 77.105.x.x).
## Targeting
- Sectors: Financial Services (via Brex impersonation).
- Geography: Infrastructure hosted across Russia, Germany, Finland, Netherlands, and Estonia (locations offered by Qwins LTD).
- Victims: No specific victims identified; the observed activity is characteristic of infostealer and trojan operations.
## Tools & Infrastructure
- **Malware families used:** Lumma, Makoob, Guloader, AgentTesla (infostealers/trojans), Mirai, Quackbot, Qbot (botnets).
- **Infrastructure (C2, domains, IPs):**
  - **Key ASN:** AS213702 (Qwins LTD)
  - **Key IPs associated with Trojans/Infostealers:** 141.98.6.34, 141.98.6.190, 141.98.6.130
  - **IPs associated with Botnets (Mirai, Qbot):** 141.98.6.81
  - **IP Ranges observed:** 141.98.6.0/24 (Infostealers), 95.164.53.0/24 (Initial Payload Distribution), 77.105.164.0/24 (C2, Config & Backup).
  - **Phishing attempts:** `dbeaver[.]it[.]com`, `dbeaver-pro[.]site` (Impersonating DBeaver).
  - **Service Ports noted on clustered IPs:** 5554, 3389.
## Implications
The discovery highlights the continued use of seemingly legitimate, low-cost hosting providers (like Qwins LTD) to host diversified malicious infrastructure, including loaders, infostealers, and botnets. The presence of impersonation sites on the same infrastructure suggests a financially driven motivation, or a blend of financially and offensively motivated threat actors leveraging 'bulletproof' services. The difficulty of pivoting through CDN-fronted infrastructure implies an intent to obscure attribution and resist takedowns.
## Mitigations
- **Network Filtering:** Actively monitor and block traffic to the hostile IPs/ranges identified by pivoting from the Lumma analysis, especially those hosted in AS213702.
- **Application Monitoring:** Increase scrutiny of self-signed certificates, non-standard service ports (such as 5554 and 3389 on the clustered IPs), and unauthorized DBeaver deployments, given the DBeaver impersonation domains observed.
- **Threat Hunting:** Use initial infection vectors (like Lumma) to proactively hunt for related C2 infrastructure before it moves behind CDNs.
- **Geographic Awareness:** Be aware that hosting providers with operations tied to Russia may offer enhanced resistance to international takedown requests.
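As an added example (not part of the original report), the Python below checks constructed firewall log lines against the IP ranges and service ports the report lists, and then flags internal hosts that contacted more than one stage of the described chain (payload range, then C2 range). The log line format and the sample addresses are assumptions made for the demo.

```python
import ipaddress
import re
from collections import defaultdict

# IP ranges and roles as listed in the report (AS213702 / Qwins LTD).
REPORTED_RANGES = {
    "141.98.6.0/24": "infostealer",
    "95.164.53.0/24": "initial payload distribution",
    "77.105.164.0/24": "C2, config & backup",
}
NETWORKS = [(ipaddress.ip_network(c), role) for c, role in REPORTED_RANGES.items()]
NOTED_PORTS = {5554, 3389}  # service ports the report notes on the clustered IPs

# Constructed firewall log lines for the demo (hypothetical format, not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z conn src=10.0.0.5 dst=95.164.53.20 dport=80 proto=tcp
2024-05-01T10:00:02Z conn src=10.0.0.5 dst=77.105.164.9 dport=5554 proto=tcp
2024-05-01T10:00:03Z conn src=10.0.0.7 dst=141.98.6.34 dport=443 proto=tcp
2024-05-01T10:00:04Z conn src=10.0.0.9 dst=8.8.8.8 dport=53 proto=udp
2024-05-01T10:00:05Z conn src=10.0.0.9 dst=93.184.216.34 dport=3389 proto=tcp
"""
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def range_role(dst):
    """Role of the reported range containing dst, or None if dst is outside all of them."""
    addr = ipaddress.ip_address(dst)
    return next((role for net, role in NETWORKS if addr in net), None)

def scan(log_text):
    """Alert on connections into reported ranges; a noted port raises severity but never alerts alone."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        role = range_role(m["dst"])
        if role is None:
            continue  # 3389 alone is ordinary RDP traffic; require a range hit first
        dport = int(m["dport"])
        alerts.append({"src": m["src"], "dst": m["dst"], "dport": dport, "role": role,
                       "severity": "high" if dport in NOTED_PORTS else "medium"})
    return alerts

def chained_hosts(alerts):
    """Hosts that touched more than one stage (e.g. payload then C2), i.e. the report's chaining."""
    roles = defaultdict(set)
    for a in alerts:
        roles[a["src"]].add(a["role"])
    return sorted(src for src, seen in roles.items() if len(seen) > 1)
```

Feed it your own connection or proxy logs by adjusting `LINE_RE`; the range list is the part to keep in sync with the report.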