13 November 2024
Cloaking for disinformation and online scams
Doppelganger makes use of multiple domain redirections to promote its disinformation campaigns. The different stages of the redirection have been described in our previous research under the acronym FIKED. In a nutshell, the promotion of the fake articles is possible because the web browser jumps automatically from one domain to another until the reader arrives at the final destination where the content is delivered.
Social media platforms mostly rely on automated processes to detect fraudulent content on their platforms. These well-crafted domain redirections have the main purpose of bypassing social media moderation by serving different content (webpages) to different types of readers (audiences). The ultimate goal is to ensure that publications or advertisements remain on the platforms as long as possible and that only the targeted audience gets the intended content.
For the past two years we have studied the front domains used by the Russian disinformation campaign also known as “Doppelganger”. We have studied the hosting infrastructure, the domain names, and what other types of content were distributed from the very same infrastructure.
This forensic investigation was initially intended to focus on the front domains used by Doppelganger and to gain an understanding of which service providers were mainly used for the redirection infrastructure. The discovery of the cloaking service used by Doppelganger (cloaking refers to the practice of presenting different content or information to users and search engines, typically to manipulate rankings, mislead, or achieve malicious objectives) led us to a wider network of actors involved in several types of scams and cybercriminal activities, such as the traffic distribution system VexTrio (a sophisticated cybercriminal operation that functions as a Traffic Distribution System; active since at least 2017, it collaborates with over 60 affiliates to distribute malicious content through a vast network of more than 70,000 compromised websites).
What runs the Front domains?
It is well understood that the F-domains of Doppelganger and other malicious campaigns are operated behind a cluster of front-proxies.
Although the Doppelganger domains initially operated on very few IP addresses (including the IP address 185.172.128[.]161 of TNSECURITY / EVILEMPIRE), as more research about Doppelganger was made public, the F-domains started to appear on proxies located in other ASNs directly or indirectly associated with Aeza International.
AS216309 EVILEMPIRE-AS/TNSECURITY
AS215590 DPKGSOFT-AS
AS215428 MYKYTASKOROB
AS198981 NETSHIELD 1CENTHOST
AS207957 SERVHOST
AS216127 NUXTCLOUD
After Qurium’s research was published on 11 July 2024 (“How Russia uses EU companies for propaganda”), a set of events triggered the movement of the front proxy infrastructure. The movement was the result of the decision of Aeza International to shut down its bulletproof hosting providers Lethost and Sunhost on 24 July 2024, followed by the decision of upstream provider Datapacket to stop providing upstream connectivity to Aeza and associates on 31 July 2024.
As many ASNs vanished, new front proxies were deployed, and during August 2024 the front-end infrastructure moved to:
AS44477 STARK INDUSTRIES SOLUTIONS LTD
AS48090 PPTECHNOLOGY LIMITED
AS214417 Andrii Hrosh (1CENT)
AS399629 BL Networks
AS42624 SWISSNETWORK02 (*)
As new proxies were deployed, new Doppelganger domains were also advertised, but we also discovered that the very same new proxies were capable of redirecting old Doppelganger domains advertised weeks or months earlier.
This finding made us believe that the front proxies of Doppelganger were in fact operating behind a set of “hidden” common backend servers.
Specific signatures
There is a specific set of characteristics of the F-proxies of Doppelganger that make them distinctive:
- Antibot capability: F-proxies implement a set of methods to ensure that real readers are behind the requests and moderation bots used in social media platforms are getting redirected to other content.
- Cloaking: F-proxies implement different re-directions depending on the type of visitors and/or infrastructure.
- Specific top-level domains: F-proxies often operate under very specific top-level domains such as .sbs or .top
With this in mind we had a strong suspicion that our initial architecture, which identified 3 redirections (FI-KE-D), in fact had another hidden step: a hidden set of backend servers behind the front domains that we coined “H” (F-H-I-KE-D).
The “H” redirection methods
Using the data collected from almost 3,000 domain names announced by Doppelganger and 250,000 domain names advertised in the same infrastructure, we classified the domain redirections into five main methods:
- HTTP 302
- HTTP meta HTML
- Obfuscated JavaScript
- Iframes
- Forms
The analysis of the obfuscated JavaScript used in the first domain redirection provided us with a good signature to identify other websites likely connected with a domain redirection service.
import re

# Signature of the obfuscated JavaScript packer found in the first redirection hop
pattern = r'decodeURIComponent\(escape\(r\)\)}\("([^"]+)",(\d+),"([^"]+)",(\d+),(\d+),(\d+)\)'
signature = re.compile(pattern)
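As an added example (not code from Qurium's research), the following Python classifies a single hop of a redirection chain into the five methods listed above and extracts the six arguments of the packer call matched by the signature. The secondary matchers for meta refresh, iframe and auto-submitted form are assumptions about how those methods appear in HTML; the sample responses are constructed.

```python
import re
from typing import Optional

# Signature of the obfuscated JavaScript packer seen in the first redirection hop
PACKER_RE = re.compile(
    r'decodeURIComponent\(escape\(r\)\)}\("([^"]+)",(\d+),"([^"]+)",(\d+),(\d+),(\d+)\)'
)
# Loose matchers for the clear-text methods (assumed shapes, not from the article)
META_RE = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
IFRAME_RE = re.compile(r'<iframe[^>]+src=["\']([^"\']+)', re.I)
FORM_RE = re.compile(r'<form[^>]+action=["\']([^"\']+)', re.I)


def packer_args(body: str) -> Optional[dict]:
    """Return the six arguments of the packer call, or None if the signature is absent."""
    m = PACKER_RE.search(body)
    if not m:
        return None
    payload, u, alphabet, t, e, r = m.groups()
    return {"payload_len": len(payload), "u": int(u), "alphabet": alphabet,
            "t": int(t), "e": int(e), "r": int(r)}


def classify_hop(status: int, headers: dict, body: str) -> tuple:
    """Classify one hop of a redirection chain into the five methods listed above.

    Returns (method, target); target is the next URL when it is visible in clear text."""
    loc = {k.lower(): v for k, v in headers.items()}.get("location")
    if status in (301, 302, 303, 307, 308) and loc:
        return "HTTP 302", loc
    m = META_RE.search(body)
    if m:
        return "HTTP meta HTML", m.group(1)
    if PACKER_RE.search(body):
        return "Obfuscated JavaScript", None  # target only known after unpacking
    m = IFRAME_RE.search(body)
    if m:
        return "Iframes", m.group(1)
    m = FORM_RE.search(body)
    if m and ".submit()" in body:
        return "Forms", m.group(1)
    return "none", None


# Constructed sample responses (not captured from any real site)
SAMPLE_JS = ('<script>eval(function(h,u,n,t,e,r){/* unpacker body */return '
             'decodeURIComponent(escape(r))}("ABC123xyz",36,"abcdefghij",5,3,9))</script>')
SAMPLE_META = '<meta http-equiv="refresh" content="0;url=https://example.invalid/next">'
```

Running classify_hop over each response in a captured chain yields the sequence of methods used between the front domain and the final landing page.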
A search for services advertised in black hat forums that provide domain redirection, antibot capabilities and domain cloaking gave us a few candidates.
All these features could be found in the Redirect.pro (Kehr.io) service advertised in the forum FB-Killa (Facebook Killer).
Kehr Cloaking Service
Two years ago, the YouTube user “wertock1591” released a video titled “Настройка редиректа” (“Redirect setup”) that provided us with a good overview of what Redi-rect{.}ru (Kehr.io) provided as a service. The service is advertised in several forums as capable of bypassing both manual and automatic moderation of social media platforms.
Kehr{.}io provides a traffic distribution system (TDS) and a redirection service. Furthermore, Kehr also operates a marketplace to lease domain names.
The domain leasing service associated with Kehr.io runs on the domain “dmarket{.}top”. Kehr provides redirections both for domains leased from their “Dmarket” and for domains purchased or leased elsewhere. The domain marketplace also uses the domains:
kehr[.]domains
dmarket[.]top
dmarket[.]cloud
Customers are also given the choice to point the domains to Kehr-operated front IP addresses or to any IP addresses under the control of the customer.
In summary, the visible front proxy infrastructure of Kehr{.}io that redirects traffic to the (H)idden backend servers of the cloaking service is composed of two types of IP infrastructures:
- Native: IPs operated by the cloaking service.
- Private IP: IPs operated by a customer that runs its own VPSs. The customer is responsible for installing a script provided by Kehr{.}io.
Domains leased from Dmarket or domains brought by the customers can be pointed to either type of IP infrastructure.
An installation script for their customers
For those who want to operate their own IP infrastructure, Kehr provides a script that installs a reverse proxy (haproxy) configured in HTTP mode for port 80 and in TCP mode for HTTPS connections.
The script sets up the reverse proxy to forward traffic to three hidden (H) backends:
193.233.254[.]79 AS215826 Partner-Hosting-LTD
77.221.132[.]211 AS216139 IRONHOST
95.164.9[.]215 AS44477 STARK-INDUSTRIES
Once the system is configured, Kehr monitors whether the domains remain reachable using infrastructure at the French provider OVH:
94.23.148[.]111 AS16276 OVH
5.196.154[.]99 AS16276 OVH
5.196.154[.]98 AS16276 OVH
54.37.86[.]182 AS16276 OVH
Doppelganger and Kehr proxy mobility
Once we discovered that Kehr was used to operate the front-end domains of Doppelganger, we reconfirmed that Doppelganger, as a client of Kehr, always used its own servers (VPS).
The following graph shows, inside each circle, the number of IP addresses advertising Kehr{.}io domains associated with each ASN. We estimated that over a period of 4 months, of the 180 IP addresses running Kehr, 40% were used by Doppelganger.
Who operates Kehr.io?
Together with the German non-profit investigative newsroom Correctiv (find Correctiv’s investigation here), Qurium traced Kehr back to the project “RediBot” (2017), when it was using the domain name redi-rect[.]ru. The service that provides the means to bypass social media moderation was advertised in different forums by the users “Warcon” and “Rommort82”.
Warcon web-studio was a web design company run by two cousins based in Teplodar, a small city associated with the Odesa Nuclear Power Plant (Odesa NPP), which was never completed due to safety concerns following the Chernobyl disaster in 1986.
Warcon.com[.]ua was hosted at the local operator AS197131 (Ketnet Telecom/Ua-cat) until 2014.
During late 2017 the project was renamed to “Kehr”, using the domain kehr.redi-rect[.]ru until 2022. In 2022, the project dropped the domain redi-rect.ru and was re-branded as “Kehr.io”, announcing its services in forums such as Fb-killa and establishing partnerships with other groups that automate (spam) campaigns in Telegram, such as “Telegram Gods”, or proxy providers such as “Asocks”.
In late 2014 one of the members of Warcon created “Rocket-Team”, a business advertising SEO services including traffic optimization for social media.
Kehr is currently used to cloak domains used in hundreds of types of scams, including crypto, gambling and online dating services. The scams are advertised in social media and Telegram or promoted in large mail spam campaigns.
redirect{.}pro
redi-rect{.}ru
kehr{.}io
dmarket{.}top
The Dating Scam connection
From October 2023 to July 2024, hundreds of Doppelganger front domains were advertised from the bulletproof hosting provider Lethost using the IP address 185.172.128[.]161.
Lethost announced its network using the autonomous system AS216309 under the names EVILEMPIRE and TNSECURITY. Lethost’s hosting service operated from infrastructure in Germany, which included Aurologic GmbH as upstream provider and physical machines rented from Hetzner. The servers that Lethost provided to its customers were VPSs rented from Hetzner whose network traffic was tunneled to the Internet via Aurologic GmbH.
Doppelganger administrators configured a Kehr private proxy on 185.172.128[.]161 as the first entry point of a chain of domain redirections. The Lethost Kehr private proxy was used to promote several types of scams. We looked into what other types of activities were promoted from the very same server and found scams aimed at stealing crypto wallets and a large number of domains dedicated to promoting “Online Dating” websites.
“The loveme”
In the EVILEMPIRE Kehr proxy operated by Doppelganger we found dozens of domain names used to drive traffic to a “loveme” pre-landing page for dating services. The domains shared a set of very distinctive patterns:
- Pre-landing page: The domains redirected to a pre-landing page hosted at 185.155.184[.]33. The IP is associated with C41.CH SAGL (AS6898) and is likely operating from a datacenter in Chiasso, Lugano.
- Tracking parameters: The parameters u=bqkpd0x and ando=xtc0tv6 were used in the domains. Such parameters are used by tracking tools to identify specific marketing campaigns and affiliates.
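As an added example (not part of Qurium's research), the following Python shows how the tracking parameters can serve as a pivot: domains that carry the same (u, ando) pair belong to the same campaign and affiliate, whatever their hostname. The hostnames in the sample list are constructed placeholders; only the two parameter values come from the article.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Affiliate/campaign tracking parameters observed on the "loveme" domains
TRACKING_KEYS = ("u", "ando")


def campaign_key(url: str):
    """Return the (u, ando) pair carried by a URL, or None if either parameter is missing."""
    qs = parse_qs(urlsplit(url).query)
    values = tuple(qs.get(k, [None])[0] for k in TRACKING_KEYS)
    return values if all(values) else None


def group_by_campaign(urls):
    """Map each (u, ando) pair to the sorted list of hostnames that carry it."""
    groups = defaultdict(set)
    for url in urls:
        key = campaign_key(url)
        if key:
            groups[key].add(urlsplit(url).hostname)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample URLs: placeholder hostnames, parameter values from the article
SAMPLE_URLS = [
    "https://dating-a.example/?u=bqkpd0x&ando=xtc0tv6",
    "https://dating-b.example/land?ando=xtc0tv6&u=bqkpd0x",
    "https://other.example/?u=zzzz&ando=yyyy",
    "https://noise.example/?ref=abc",
]
```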
The pre-landing page
When we looked into the C41.CH (Internet ONE SRL) infrastructure (AN32937-RIPE), we discovered a set of autonomous systems that hosted similar types of domains.
AS6898 AS5398 SA
AS5398 AS5398 SA
AS203639 TEKNOLOGY SA
AS199077 SIONDEV AG
During our investigation we discovered that TEKNOLOGY SA, a company run by Giulio Vittorio Leonardo Cerutti hosts the mail services of several dating websites promoted via Kehr cloaking service.
Soon after, we found that in the very same infrastructure there are two marketing services responsible for promoting and driving traffic to a “Dating vertical”: lospollos[.]com and tacolo[.]co.
LosPollos and TacoLoco are services associated with Adspro Group (Adspro[.]eu), a company registered in the Czech Republic.
The company also runs Adspro Media (ООО АДСПРО МЕДИА) in Russia and several proxy companies in Switzerland. Company information available on the websites of “lospollos[.]com” and “tacolo[.]co” states that the content of the sites is copyrighted by Bytecore AG and SkyForge Digital AG. Both Swiss companies are run by the owner of the hosting and development company Teknology SA: Giulio Cerutti.
This is not the only piece of evidence that links Giulio Vittorio Leonardo Cerutti with the Adspro Group. Company information shows that he shares directorship in several companies with founding members of the advertisement company: Dzmitry Laptsevich, Andrew Kunitsa and Igor Voronin.
According to their website: “Adspro specializes in the development of unique AdTech services and our own proprietary SaaS platform to serve products to an international audience”. AdsPro Group has several affiliated platforms, such as LosPollos, TacoLoco, and Adtrafico that leverage smartlink technology to optimize ad traffic.
The tracking parameters
During our research we found strong evidence that the dating scam links advertised via the Kehr proxy at Evilempire were in fact “smartlinks” of the Adspro service “lospollos”.
Thanks to published research from Infoblox we also managed to link the sites that we have been investigating to a wider cybercriminal network known as VexTrio.
VexTrio operates a traffic distribution system (TDS) that routes compromised web traffic sourced from affiliates, as well as their own infrastructure, to various forms of malicious content. It is known that VexTrio receives traffic from victims of SocGholish and ClearFake.
Let us dive into one of the scams promoted in the same infrastructure used by Doppelganger.
Meet “Meet us media Ltd”
The online dating domains promoted via the Kehr node run by Doppelganger were smartlinks provided by “lospollos” to a specific affiliate. The links directed readers to a “Loveme” style pre-landing page hosted in AS6898 (C41.CH), which redirected to several dating websites operated by the Cyprus-registered company “Meet Us Media Ltd”.
With the assistance of the Cyprus research center of The Organized Crime and Corruption Reporting Project (OCCRP), we learned that “Meet Us Media Ltd” has an outstanding floating charge registered with the corporate registrar in favor of the Paphos, Cyprus registered company Nexxie Group Ltd. Nexxie runs a group of companies involved in digital solutions, affiliate marketing, online advertising and online customer support, as well as payment referral.
Nexxie Group is run by the Norwegian Jan Morten Skaar, who has a track record of associations with the adult entertainment industry. In the past Skaar ran similar activities with his business partner Frode Dale using the UK-registered company Polarboot Limited.
During our research we found multiple articles where Meet Us Media Ltd has been flagged as a “love scam” or “dating scam”, and one online report stating that Nexxie is associated with “scam dating”.
Nexxie Group operates an affiliate marketing company, ELEVVEN11 LTD, that is likely involved in the promotion of the “Meet Us Media Ltd” websites. Other companies of the group include VDESK LTD, REDWALKING LTD and MERCHSUITE LTD.
Several digital fingerprints found on hundreds of websites reached from the “Loveme” pre-landing page have associations with the following companies:
Hazhtag Media Ou
Chilliboot Ltd
Svippy Limited
NUMBER65 Ltd
Take Two Digital Ltd
Meet Us Media Ltd
Pink Cow Media Ltd
Our findings strongly suggest that Frode Dale, Jan Morten Skaar and the Nexxie Group and its investor Apptex Performance B.V. are purchasing traffic using Adspro services such as “lospollos”.
Conclusions
Qurium can present strong forensic evidence that Kehr{.}io is the redirection and traffic distribution system (TDS) used by Doppelganger front domains.
Kehr is used by dozens of customers that run phishing, malware and other types of malicious campaigns. Kehr not only provides a system to cloak such domains so that social media moderators cannot detect them, but also operates a marketplace to lease thousands of domains anonymously.
Furthermore, during six months in late 2023 and 2024, the private Kehr node used by Doppelganger was also promoting dating scams by means of “smartlinks” generated by the Adspro service “lospollos”.
Adspro Group operates its infrastructure in coordination with Swiss hosting providers C41 and Teknology SA from Lugano, Switzerland.
Finally, there is a strong correlation between the smartlinks generated by “lospollos” and their hosting infrastructure and criminal activity associated with VexTrio.