- Malanta.ai exposed a 14-year-old cybercrime infrastructure in Indonesia that resembles state-sponsored operations
- The network spans 320,000 domains, hijacked government subdomains and thousands of malware-laden Android apps
- Campaign stole more than 50,000 gambling credentials, used AWS and Firebase for C2, raising nation-state suspicion
Security researchers have uncovered vast cybercrime infrastructure in Indonesia that has operated unabated for more than 14 years.
The duration of the operation, the number of domains involved, the malware in circulation and the volume of data sold on the black market were all so large that the researchers – Malanta.ai – said the campaign resembles a nation-state operation more than “simple” cybercrime.
“What began as simple gambling websites has evolved into a global, well-funded, sophisticated, state-sponsored attack infrastructure that operates across web, cloud and mobile,” Malanta said in a recently published blog.
Is the government involved?
According to the report, the operation had been active since at least 2011. The operators controlled more than 320,000 domains, including over 90,000 hacked and hijacked ones. They also controlled over 1,400 compromised subdomains and 236,000 purchased ones – all used to redirect users to illegal gambling platforms.
To make matters worse, some of the compromised subdomains were on government and corporate servers. In some cases, the threat actors deployed NGINX-based reverse proxies to terminate TLS connections on legitimate government hostnames, so that their C2 traffic appeared to be legitimate government communications.
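One defensive check that the subdomain hijacking described above suggests, written here as an added example (not code from Malanta's report): audit an organisation's own subdomain inventory for records that resolve outside its owned address space, redirect visitors off-zone, or present a TLS certificate from an unexpected issuer. The zone name, address ranges, issuer names and inventory records below are all constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Assumed values for the organisation under audit (constructed, not from the report).
ORG_ZONE = "agency.example"
ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ORG_CERT_ISSUERS = {"Agency Internal CA"}

# Constructed external-scan results for each subdomain: resolved A record,
# HTTP redirect target (Location header, if any) and TLS certificate issuer.
INVENTORY = [
    {"host": "portal.agency.example", "ip": "203.0.113.10",
     "location": None, "issuer": "Agency Internal CA"},
    {"host": "old-news.agency.example", "ip": "198.51.100.77",
     "location": "https://lucky-slot-bet.example/landing", "issuer": "Free Public CA"},
    {"host": "files.agency.example", "ip": "203.0.113.22",
     "location": "https://portal.agency.example/login", "issuer": "Agency Internal CA"},
    {"host": "dev.agency.example", "ip": "198.51.100.9",
     "location": None, "issuer": "Free Public CA"},
]


def in_org_space(ip: str) -> bool:
    """True if the address falls inside one of the organisation's own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_NETWORKS)


def same_zone(hostname: str) -> bool:
    """True if the hostname is the zone apex or a subdomain of it."""
    return hostname == ORG_ZONE or hostname.endswith("." + ORG_ZONE)


def audit(record: dict) -> list:
    """Return human-readable findings for one subdomain; an empty list means clean."""
    findings = []
    if not in_org_space(record["ip"]):
        findings.append(f"resolves to {record['ip']}, outside owned address space")
    if record["location"]:
        target = urlparse(record["location"]).hostname or ""
        if not same_zone(target):
            findings.append(f"redirects off-zone to {target}")
    if record["issuer"] not in ORG_CERT_ISSUERS:
        findings.append(f"TLS certificate issued by unexpected CA: {record['issuer']}")
    return findings


def audit_inventory(inventory: list) -> dict:
    """Map each flagged hostname to its findings, skipping clean records."""
    return {r["host"]: f for r in inventory if (f := audit(r))}


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        print(host, "->", "; ".join(findings))
```

A redirect to a host inside the zone (as with files.agency.example) is deliberately not flagged, so legitimate internal redirects do not drown out the hijack signals.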
Then there is the malware ecosystem – the researchers found “thousands” of malicious Android applications distributed through public infrastructure (Amazon Web Services S3 buckets).
These apps acted as droppers posing as legitimate gaming platforms while deploying malware that gave full access to the compromised devices in the background. The backdoors got their commands directly from another piece of public infrastructure – Google’s Firebase Cloud Messaging service.
This resulted in more than 50,000 stolen login credentials from gaming platforms, countless infected Android devices, and hijacked subdomains circulating on the dark web.
“What if this ecosystem isn’t just cybercrime?” the researchers speculated.
The scope, scale and financial backing behind this infrastructure are far more closely aligned with the capabilities typically associated with state-sponsored threat actors.
Via Cyber Security News