Notorious Malware, Spam Host "Prospero" Moves to Kaspersky Lab

Notorious Malware, Spam Host "Prospero" Moves to Kaspersky Lab

In a shocking turn of events, one of the most notorious providers of abuse-friendly "bulletproof" web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab. This development raises significant concerns about the potential collaboration between two entities that have been at the forefront of cybersecurity efforts.

Prospero OOO, a Russia-based service provider, has long been a persistent source of malicious software, botnet controllers, and a torrent of phishing websites. Last year, French security firm Intrinsec detailed Prospero's connections to bulletproof services advertised on Russian cybercrime forums under the names Securehost and BEARHOST.

Bulletproof hosts are so named when they earn or cultivate a reputation for ignoring legal demands and abuse complaints. And BEARHOST has been cultivating its reputation since at least 2019. "If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us," BEARHOST's ad on one forum advises. "We completely ignore all abuses without exception, including SPAMHAUS and other organizations."

Intrinsec found Prospero has courted some of Russia's nastiest cybercrime groups, hosting control servers for multiple ransomware gangs over the past two years. Intrinsec said its analysis showed Prospero frequently hosts malware operations such as SocGholish and GootLoader, which are spread primarily via fake browser updates on hacked websites and often lay the groundwork for more serious cyber intrusions – including ransomware.

BEARHOST prides itself on the ability to evade blocking by Spamhaus, an organization that many Internet service providers around the world rely on to help identify and block sources of malware and spam. Earlier this week, Spamhaus said it noticed that Prospero was suddenly connecting to the Internet by routing through networks operated by Kaspersky Lab in Moscow.

Kaspersky did not respond to repeated requests for comment. However, it's worth noting that Kaspersky began selling antivirus and security software in the United States in 2005, and the company's malware researchers have earned accolades from the security community for many important discoveries over the years. But in September 2017, the Department of Homeland Security (DHS) barred U.S. federal agencies from using Kaspersky software, mandating its removal within 90 days.

Cybersecurity reporter Kim Zetter notes that DHS didn't cite any specific justification for its ban in 2017, but media reports quoting anonymous government officials referenced two incidents. Zetter wrote: "According to one story, an NSA contractor developing offensive hacking tools for the spy agency had Kaspersky software installed on his home computer where he was developing the tools, and the software detected the source code as malicious code and extracted it from his computer, as antivirus software is designed to do."

A second story claimed that Israeli spies caught Russian government hackers using Kaspersky software to search customer systems for files containing U.S. secrets. Kaspersky denied that anyone used its software to search for secret information on customer machines and said that the tools on the NSA worker's machine were detected in the same way that all antivirus software detects files it deems suspicious and then quarantines or extracts them for analysis.

Once Kaspersky discovered that the code its antivirus software detected on the NSA worker's machine were not malicious programs but source code in development by the U.S. government for its hacking operations, CEO Eugene Kaspersky says he ordered workers to delete the code. Last year, the U.S. Commerce Department banned the sale of Kaspersky software in the U.S. effective July 20, 2024.

U.S. officials argued the ban was necessary due to concerns about potential espionage and data theft. "In some ways, providing DDoS protection to a well-known bulletproof hosting provider may be even worse than just allowing them to connect to the rest of the Internet over your infrastructure," said Zach Edwards, a senior threat researcher at the security firm Silent Push.