The Russian Business Network (RBN) claimed to be a legitimate Internet service provider (ISP) back in 2006. Shortly after establishing its business, however, it gained notoriety for hosting the sites owned by spammers, malware operators, distributed denial-of-service (DDoS) attackers, and other cybercriminals.

Throughout its operation, RBN’s claims to fame include being tagged “the baddest of the bad” by VeriSign. Spamhaus, meanwhile, named it “among the world’s worst spam, malware, phishing, and cybercrime hosting networks,” thus including several of its IP addresses in its blocklist. While RBN has seemingly gone quiet for some time, our threat researchers are wondering if it has shut down.

Our in-depth look into what’s left of the RBN infrastructure revealed:

• 21 unredacted email addresses used to register the domains identified as indicators of compromise (IoCs)
• 45 IP addresses to which the domains resolved
• 399 possibly connected domains as they shared the IoCs’ registrant email addresses or IP hosts, four of which have been dubbed “malicious” by various malware engines

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Look Behind the RBN Curtain

Over the years, the cybersecurity community has collated IoCs related to RBN, including these 26 domains:

• spywarelocked[.]com
• virusprotectpro[.]biz
• spylocked[.]com
• virusprotectpro[.]com
• techdownloads[.]org
• srv4u[.]biz
• bulletproof-service[.]com
• abdulla[.]cc
• tarahost[.]net
• privateforum[.]cn
• antiverminser[.]com
• antiverminser[.]net
• antiverminspro[.]com
• antiverminspro[.]net
• keratomir[.]biz
• sigmadown[.]biz
• spycrush[.]biz
• spycrush[.]com
• servicesupport[.]biz
• marketglobe[.]net
• mglobe[.]net
• mgrecruitment[.]net
• myns[.]bz
• anti-vermins[.]com
• antivermins[.]com
• antivermins[.]net

We used these web properties as jump-off points for our investigation.

A closer look at the domains’ historical WHOIS records allowed us to uncover 21 unredacted email addresses used to register the IoCs.

DNS lookups for the IoCs led to the discovery of 45 IP addresses to which they resolved. These were spread across eight countries topped by the U.S., Germany, China, and the British Virgin Islands.

We then expanded the list of IoCs with possibly connected artifacts, specifically domains, that shared their registrant email addresses or IP hosts. Consistent with the IP geolocation data, according to a bulk WHOIS lookup, most of the possibly connected domains were registered in the U.S., followed by the Czech Republic, China, and Germany. The rest were scattered across 10 other countries—Japan, Russia, Canada, Iceland, Taiwan, Thailand, Mexico, Panama, Turkey, and the U.A.E.

The bulk WHOIS lookup also showed that a majority of the additional domains were created between 2015 and 2022.

Reverse WHOIS searches and reverse IP lookups uncovered 399 domains that could have ties to the RBN infrastructure. A bulk malware check on the Threat Intelligence Platform (TIP) showed that organizations should block access to four of them—ilo[.]brenz[.]pl, ant[.]trenz[.]pl, www[.]ipshougou[.]com, and www[.]52cps[.]com.

Countermeasures

Organizations that wish to steer clear of the dangers that RBN-hosted web properties pose can block access to the malicious domains identified in this post, apart from those already identified as IoCs. Monitoring for malicious activities related to the IP addresses that host the IoCs would also be helpful. Keeping a keen eye on domains containing the names of anti-malware programs or any software that don’t look legitimate is also advised. Finally, including web properties connected to the identified registrant email addresses in threat monitoring efforts could also be worth doing.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.