Infamous Malware, Spam Host “Prospero” Shifts to Kaspersky Lab
A key provider of abuse-friendly “bulletproof” web hosting for cybercriminals has now begun directing its activities through networks managed by the renowned Russian antivirus and security company Kaspersky Lab, as per information obtained by KrebsOnSecurity.
Experts in the field of security indicate that the Russia-based entity Prospero OOO (the triple O signifies “LLC” in Russian) has long been a consistent source of malicious software, controllers for botnets, and a flood of phishing websites. Last year, the French security organization Intrinsec outlined the associations of Prospero with bulletproof services advertised on Russian cybercrime forums under the monikers Securehost and BEARHOST.
The BEARHOST bulletproof hosting provider. This snapshot has been auto-translated from Russian. Image: Ke-la.com.
Providers known as bulletproof hosts earned their reputation by turning a blind eye to legal requests and complaints of abuse. BEARHOST has been solidifying its reputation since at least 2019.
“For servers servicing botnets, malware, brute, scans, phishing, counterfeits, and various other activities, feel free to reach out to us,” an advertisement from BEARHOST on a forum suggests. “We completely disregard all forms of abuse, without exceptions, inclusive of SPAMHAUS and other entities.”
Intrinsec discovered that Prospero has courted some of the most dangerous cybercrime syndicates in Russia, hosting control servers for multiple ransomware groups over the past couple of years. Intrinsec’s analysis pointed out that Prospero often accommodates operations involving malware such as SocGholish and GootLoader, which are primarily disseminated through bogus browser updates on compromised websites and frequently set the stage for more severe cyber intrusions, including ransomware incidents.
A phony browser update page propagating mobile malware. Image: Intrinsec.
BEARHOST takes pride in its evasion of blocks imposed by Spamhaus, an entity relied upon by numerous Internet service providers globally to aid in recognizing and blocking sources of malware and spam. Earlier this week, Spamhaus observed that Prospero had started accessing the Internet by directing traffic through networks overseen by Kaspersky Lab in Moscow.
Update, March 1, 9:43 a.m. ET: Kaspersky, in a written response, rejected the assertion that it is providing services to a “bulletproof” web hosting provider. Here’s the complete statement:
“Kaspersky refutes these allegations as the company neither collaborates with nor has ever cooperated with the service provider in question. The routing through networks managed by Kaspersky does not inherently indicate the provision of the company’s services, as Kaspersky’s automatic system (AS) path could appear as a technical prefix in the network of telecom providers it collaborates with to offer its DDoS services.”
“Kaspersky places great emphasis on conducting business ethically and ensuring that its products are employed for their intended purpose of delivering cybersecurity protection. The company is presently investigating the matter to notify the entity whose network potentially acted as a transit point for a ‘bulletproof’ web hosting provider so that the necessary actions can be taken.”
Kaspersky commenced sales of antivirus and security software in the United States in 2005, and the company’s malware researchers have received recognition from the security community for numerous significant findings over the years. However, in September 2017, the Department of Homeland Security (DHS) prohibited U.S. federal agencies from utilizing Kaspersky software and mandated its elimination within 90 days.
Cybersecurity journalist Kim Zetter highlighted that in 2017, DHS did not provide specific reasoning for its ban, but the media quoted unnamed government officials discussing two incidents. Zetter wrote:
According to one account, an NSA contractor developing offensive hacking tools for the intelligence agency had Kaspersky software on his personal computer, where he was developing the tools, and the software flagged the source code as malicious and extracted it from his system, as is the design of antivirus software. A second account alleged that Israeli operatives caught Russian state hackers utilizing Kaspersky software to scan customer systems for U.S. secret files.
Kaspersky rebutted allegations of any use of its software to scan for confidential data on clients’ devices and asserted that the tools on the NSA worker’s system were identified in the same manner that all antivirus software isolates files deemed suspicious for analysis. Upon discovering that the code detected by its antivirus software on the NSA employee’s system was not malicious software but developmental source code by the U.S. government for its hacking operations, CEO Eugene Kaspersky ordered the deletion of the code.
Last year, the U.S. Commerce Department prohibited the sale of Kaspersky software in the U.S. effective July 20, 2024. U.S. officials argued that the ban was necessary because Russian legislation mandates domestic corporations to comply with all official investigations, potentially enabling the Russian government to compel Kaspersky to clandestinely collect intelligence on its behalf.
Data on phishing collected last year by Interisle Consulting Group scrutinized hosting networks based on their size and density of spambot hosts, and indicated that Prospero possessed a much higher spam score compared to any other provider.
AS209030, managed by Kaspersky Lab, is providing connectivity to the bulletproof host Prospero (AS200593). Image: cidr-report.org.
The reason behind Kaspersky offering transit to Prospero remains ambiguous. Doug Madory, head of Internet analysis at Kentik, observed that routing records display the partnership between Prospero and Kaspersky commencing in early December 2024.
Madory noted that Kaspersky’s network seems to be hosting several financial entities, including Russia’s largest—Alfa-Bank. Kaspersky offers services to aid clients in shielding against distributed denial-of-service (DDoS) attacks, and Madory suggested that Prospero could merely be procuring this protection from Kaspersky.
However, as per Zach Edwards, a senior threat researcher at the security company Silent Push, if that is the scenario, it does not alleviate the situation.
“In certain aspects, providing DDoS protection to a well-known bulletproof hosting provider may actually be more detrimental than simply permitting them to connect to the rest of the Internet through your network,” Edwards remarked.
About Author
