Tolder, the new Maxided shield company

We have received a community report about another provider of interest: Tolder LLC. This provider has been active for the past six months hosting several malicious websites.

What do we know about Tolder?

According to public information in RIPE records, Tolder serves customers from Ukraine, Moldova and Russia.

The official registry entry for the company can be found at nalog.ru. Tolder is a limited liability company registered under the name ОБЩЕСТВО С ОГРАНИЧЕННОЙ ОТВЕТСТВЕННОСТЬЮ “ТОЛДЕР” (Limited Liability Company “TOLDER”).

A review of their registration papers shows the following list of declared activities (OKVED codes):

49.41.3 Аренда грузового автомобильного транспорта с водителем
49.41.3 Rental of trucks with driver

41.10 Разработка строительных проектов
41.10 Development of building projects

41.20 Строительство жилых и нежилых зданий
41.20 Construction of residential and non-residential buildings

45.11.1 Торговля оптовая легковыми автомобилями и легкими
автотранспортными средствами
45.11.1 Wholesale trade of cars and light motor vehicles

45.40 Торговля мотоциклами, их деталями, узлами и принадлежностями;
техническое обслуживание и ремонт мотоциклов
45.40 Trade in motorcycles, parts and accessories; maintenance and
repair of motorcycles

45.40.1 Торговля оптовая мотоциклами, их деталями, узлами и принадлежностями
45.40.1 Wholesale trade of motorcycles and related parts and accessories

46.90 Торговля оптовая неспециализированная
46.90 Non-specialised wholesale trade

49.20.9 Перевозка прочих грузов
49.20.9 Transportation of other freight

Tolder LLC was registered with a share capital of 200,000 RUB (~3,350 EUR), which is unusual for similar shell companies registered in Russia, which normally use the bare minimum of 10,000 RUB.

Tolder is registered in the names of ПАНЬКОВ ИГОРЬ АЛЕКСЕЕВИЧ (Pankov Igor Alekseevich, founder) and СИДОРКИН СЕРГЕЙ ВАСИЛЬЕВИЧ (Sidorkin Sergey Vasilyevich, director).

The legal address from the registration documents is Prospekt Mira 102, building 26, floor 2, room 26. There are at least 56 more companies registered at the same address:

“ТОЛДЕР” (“TOLDER”). Region: Moscow. Legal address: 129626, Moscow, Prospekt Mira, house 102, building 26, floor 2, room 26 (129626, город Москва, проспект Мира, дом 102 строение 26, эт 2 комн 26)

All organizations registered at the same address can be found here.

When we tried to reach the company by phone at +74953084604, a recorded message informed us that the number was not in use and was available for purchase.

Bad traffic from day one

The company was registered in Russia on 10 October 2016 and soon afterwards started to earn “good rankings” for malicious activity.

For example, the prefix 185.169.231.0/24 was announced for the first time on 22 November from AS206976, and spam and other malicious campaigns started immediately afterwards.


Tracking the Tolder IP space

Tolder LLC is a newly registered LIR (early September 2016) with the IP allocation 185.169.228.0 – 185.169.231.255 (185.169.228.0/22).

The following inetnum and inet6num objects are registered in RIPE for that space or are otherwise related to Tolder LLC.

inetnum: 185.169.228.0 - 185.169.231.255
inetnum: 185.169.229.0 - 185.169.229.255
inetnum: 185.169.230.0 - 185.169.230.255
inetnum: 212.92.127.0 - 212.92.127.255 (*) not part of the LIR allocation
inet6num: 2a0a:6f00::/29

  • 185.169.228.0 – 185.169.231.255, CH, Switzerland (TOLDERNET)
  • 185.169.229.0 – 185.169.229.255, GI, Gibraltar, Toldernet-GI, AS206975 (DNRNET), via Contabo and DDoS-Guard.
  • 185.169.230.0 – 185.169.230.255, CW, Buena Vista Data space Santa Maria, AS43090 (DNRNET), via AS6718 Nav Telecom / GTS Romania as upstreams.
  • 185.169.231.0 – 185.169.231.255, RU, AS206976, via AS198371 Ninet RS as upstream.

There are two more prefixes associated with Tolder: the IPv6 prefix 2a0a:6f00::/29, which has never been announced, and 212.92.127.0/24.

Who is behind 212.92.127.0/24?

The history of this network brings us back to some known actors. Old records for 212.92.127.0/24 reveal that the network was associated with “Maxi Dedicated” and the “Sindicate Group”. As reported on this website, the “Sindicate Group” and the “Kepler Association of House Owners” were known to host the backend infrastructure of the VDOS stress-testing (booter) service.

The 212.92.127.0/24 space was delegated from RU-CEA (AS12790) to Tolder LLC on 11 November 2016.

Of course, the fact that Tolder LLC, a newly formed company, runs the very same IP space that was in the past associated with Antonio Jordan (Sindicate Group, PB19075-RIPE) and Lokis Petkis (Maxided, LP10651-RIPE) keeps us wondering… Is this just circumstantial? Is it just a lucky coincidence?

 

inetnum: 212.92.127.0 - 212.92.127.127
netname: STORAGECG
org: ORG-EA1008-RIPE
country: GB
admin-c: LP10651-RIPE
tech-c: LP10651-RIPE
status: ASSIGNED PA
mnt-by: dm-sindicategroup-1-mnt
mnt-by: mnt-maxided
created: 2016-07-28T23:32:06Z
last-modified: 2016-08-28T14:32:27Z
source: RIPE
mnt-routes: mnt-maxided
mnt-lower: dm-sindicategroup-1-mnt

organisation: ORG-EA1008-RIPE
org-name: Emma-host
remarks: www.emmaneangel.com
org-type: OTHER
address: Lithuania,Sostena, UAB
address: Ukmerges g. 280, LT-06115 Vilnius
phone: +37066105608
abuse-c: ACRO1124-RIPE
mnt-ref: mnt-maxided
mnt-by: mnt-maxided
created: 2016-08-28T14:31:56Z
last-modified: 2016-08-28T14:57:41Z
source: RIPE # Filtered

Sindicate Group and Maxided contact details

A review of the evidence suggests that the Sindicate Group and Maxided share not only a modus operandi but also upstream providers and some historical contact details. For example, Lokis Petkis uses the same telephone number, +37037247921, as the contact details of the Sindicate Group.

Note: If you do not know who the Sindicate Group is, check out our old article here.

person: Lokis Petkis
abuse-mailbox: info@emmaneangel.com
address: Kaunas, Lithuania, Kestucio G 39
phone: +37037247921
nic-hdl: LP10651-RIPE
mnt-by: mnt-maxided
created: 2016-06-25T08:51:36Z
last-modified: 2016-08-28T13:54:45Z
source: RIPE

The “AS23456 announcement”

The use of the transitional AS number 23456 in announcements is not new to us. “Tolder” also shows up as AS23456 in some announcements and, furthermore, Tolder uses the very same upstream provider in the Netherlands that the “Sindicate Group” used in the past: “Nforce Entertainment”. Another lucky coincidence? One caveat for the reader: AS23456 is AS_TRANS (RFC 6793), the placeholder that a 4-byte AS number such as AS206975 or AS206976 is replaced with in the AS_PATH whenever the route passes through a BGP speaker that cannot carry 4-byte ASNs. Seeing it on a route collector therefore usually says more about the observing path than about a deliberate choice by the announcing network; the shared upstream is the stronger link between the two.

The “Sindicate Group” was operating the LIR-allocated prefix 185.130.4.0/22 until its announcements stopped in November 2016. Is Tolder the Sindicate reloaded?

“We are a high bandwidth provider” without a webpage

One of Tolder’s network object remarks reads “We are a high bandwidth network provider offering bandwidth solutions worldwide”, which reminds us of the very same glorious remark used by Ecatel, aka Quasi, aka Novogara.

 

Meet Tolder and Dnr!

Toldernet.com and Dnrnet.com are two of the domains associated with the maintainers of this infrastructure. Neither domain has a website. So who is operating Tolder?

When searching for Dnrnet, we found that DNR seems to refer to ДНР, the Донецкая Народная Республика (Donetsk People’s Republic). We wonder whether this domain stands for Donetsk Republic Network.

Dmitriy Kaplanov: Tolder linked with Kepler (Khlynovka-1 Association of property owners)

One interesting finding is the use of the e-mail address noc@dnrnet.com to register several phishing-related domains such as trafficanalyzer.biz and upsbroker.com. These domains are registered in the name of an old acquaintance, “Dmitriy Kaplanov”. Who is Dmitriy Kaplanov? The person associated with “AS203466 Kepler”, the fake Russian house owners’ association that we uncovered in another article at Spoofit.org.

 
Meet Pavel Bandaryk, another identity of the Sindicate Group

Since 2015 we have seen different identities associated with sindicategrourp@gmail.com; one of them is Pavel Bandaryk, who during the first six months of 2016 operated AS203734.

person: Pavel Bandaryk
address: Logoyskiy trakt st., n. 27/38, Minsk, Respublic of Belarus
phone: +31546744017
e-mail: support@skylakegroup.biz
nic-hdl: PB19010-RIPE
mnt-by: pin-dx
created: 2015-11-05T20:42:44Z
last-modified: 2016-03-25T13:05:38Z
source: RIPE
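The pivot used in the “Sindicate Group and Maxided contact details” section above, and again with the Pavel Bandaryk record, is to look for handles, maintainers and phone numbers that are shared between otherwise unrelated RIPE objects. The following is an added example, not code from the original article: it parses the whois objects reproduced on this page (the STORAGECG inetnum, the Emma-host organisation, and the Lokis Petkis and Pavel Bandaryk person records, trimmed to the attributes used) and reports which values tie them together. The phone-number overlap with the Sindicate Group’s own contact record cannot be reproduced from these four objects because that record is not on the page; it would be found the same way if it were added to the input.

```python
"""Pivot across RPSL (RIPE whois) objects on shared handles and contacts.

Added example, not code from the original article. The four objects in
RPSL_RECORDS are copied from the article text (free-text attributes
such as address and remarks dropped); the linking logic is generic.
"""
import re
from collections import defaultdict

# Attributes whose values identify a person, maintainer or organisation
# and are therefore worth pivoting on. Free-text attributes (address,
# remarks) are excluded on purpose: they produce noisy matches.
PIVOT_ATTRS = {"organisation", "org", "nic-hdl", "admin-c", "tech-c",
               "abuse-c", "mnt-by", "mnt-ref", "mnt-routes", "mnt-lower",
               "phone", "abuse-mailbox", "e-mail"}

RPSL_RECORDS = """\
inetnum: 212.92.127.0 - 212.92.127.127
netname: STORAGECG
org: ORG-EA1008-RIPE
country: GB
admin-c: LP10651-RIPE
tech-c: LP10651-RIPE
status: ASSIGNED PA
mnt-by: dm-sindicategroup-1-mnt
mnt-by: mnt-maxided
mnt-routes: mnt-maxided
mnt-lower: dm-sindicategroup-1-mnt
source: RIPE

organisation: ORG-EA1008-RIPE
org-name: Emma-host
org-type: OTHER
phone: +37066105608
abuse-c: ACRO1124-RIPE
mnt-ref: mnt-maxided
mnt-by: mnt-maxided
source: RIPE # Filtered

person: Lokis Petkis
abuse-mailbox: info@emmaneangel.com
phone: +37037247921
nic-hdl: LP10651-RIPE
mnt-by: mnt-maxided
source: RIPE

person: Pavel Bandaryk
phone: +31546744017
e-mail: support@skylakegroup.biz
nic-hdl: PB19010-RIPE
mnt-by: pin-dx
source: RIPE
"""


def parse_rpsl(text):
    """Split whois output into objects: a list of (key, [(attr, value), ...]).

    Objects are separated by blank lines and the first attribute names the
    object (inetnum, organisation, person, ...). Trailing "# comments" on a
    value are stripped.
    """
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = []
        for line in block.splitlines():
            if ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.append((name.strip().lower(), value.split("#")[0].strip()))
        if attrs:
            objects.append((f"{attrs[0][0]}:{attrs[0][1]}", attrs))
    return objects


def shared_values(objects):
    """Map each pivot value (lower-cased) to the objects that carry it,
    keeping only values that occur in more than one object. A person's
    nic-hdl and another object's admin-c land on the same key, which is
    exactly the link we want."""
    index = defaultdict(set)
    for key, attrs in objects:
        for name, value in attrs:
            if name in PIVOT_ATTRS and value:
                index[value.lower()].add(key)
    return {v: keys for v, keys in index.items() if len(keys) > 1}


def cluster(objects, start):
    """All objects reachable from `start` through shared pivot values."""
    links = shared_values(objects)
    by_key = dict(objects)
    seen, todo = set(), [start]
    while todo:
        key = todo.pop()
        if key in seen:
            continue
        seen.add(key)
        for name, value in by_key[key]:
            if name in PIVOT_ATTRS:
                todo.extend(links.get(value.lower(), ()))
    return seen


if __name__ == "__main__":
    objs = parse_rpsl(RPSL_RECORDS)
    for value, keys in sorted(shared_values(objs).items()):
        print(f"{value:20} -> {sorted(keys)}")
    print(sorted(cluster(objs, "person:Lokis Petkis")))
```

Running it links the inetnum, the Emma-host organisation and Lokis Petkis through mnt-maxided, LP10651-RIPE and ORG-EA1008-RIPE, while Pavel Bandaryk stays outside the cluster: the link the article draws to him runs through a Gmail address that does not appear in any RIPE object, which is why registry pivoting alone is never the whole picture.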

Mirai C2, credit card fraud, AdGholas, you name it…

A few examples of the campaigns hosted at Tolder include credit card fraud, as documented by Sucuri, and the hosting of Mirai command and control servers.

During our review of Tolder we found an interesting domain name, rep.securityupdates.us, hosted at 212.92.127.146 in November 2016. This domain has been used as command and control by the Mirai operator “bestbuy”.

 

 

Figure: Maxided – Tolder – Mirai C2 (212.92.127.0/24)

(Update, 2 March) In the same IP network we found the domain biicqwfvqiec.click, used in AdGholas malvertising campaigns.

Tolder, Sindicate Group, DepFile, Host-Shield, Kepler… “Maxided”

Tolder hosts maxided.com servers, and Maxided has advertised its services in the past under the name Host-Shield. Its services have been used by projects such as VDOS to host the infrastructure used to run denial of service attacks.

Who runs Maxided?

Figure: Maxided logo mocking Leaseweb

Maxided, a marketplace for servers that tolerate abusive practices, is run by Александр Осадчий (Alexandr Osadcii), also known as “pushlan”. Alexandr runs the maxided.com customer portal behind Cloudflare, with the hidden backend servers hosted at AS49981, WorldStream NL.

Pushlan is interested in 4×4 cars and visits Crimea often. This might explain why Tolder is registered for the “wholesale trade of cars and light motor vehicles”. Alexandr was born in Moldova on 5 April 1981.

 

Figure: Pushlan’s WebMoney account (Maxided payment portal)

Maxided.com


Name: Александр Осадчий, Alexandr Osadcii
Country: Moldova
Date of birth: 5 April 1981
ICQ: 302713, 4333431
Skype: Pushlan
Gmail: pushlan@gmail.com
Toyota Hilux DLX 4x4: Transnistria number plate T 012 HK
Mercedes Vario: Moldova number plate GXU 012
Domains: maxided.com, dot-link.net, dot-link.com, camioncic.com, osadcii.net, host-shield.net

Figure: Александр Осадчий, owner of Maxided.com, and his Toyota Hilux

 

Spam campaigns and Tolder

An interesting development took place on 21 March 2017: for almost two days Tolder announced the prefix 170.244.40.0/22, which is registered to AS264677, INFORMATICA DE HONDURAS S.A.

Why did Tolder suddenly start to announce this prefix? The answer might be in this article from Spamhaus about a group known as “Big Sky Services”:

“Big Sky Services is an operation which acquires large amounts of IP addresses through various means, which are then leased to spammers. One of the methods used by Big Sky Services is to partner with a Honduran individual or business that has the ability to obtain IP allocations directly from LACNIC, which are then used to spam.”

One of the company names used to acquire LACNIC IP ranges in Honduras is: INFORMATICA DE HONDURAS S.A.

So it seems that Tolder also facilitates spam operations by providing transit for the Big Sky Services prefix 170.244.40.0/22, as shown in this graph.

Figure: BGP graph of 170.244.40.0/22, AS264677 and Tolder’s AS206975
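The two-day announcement of 170.244.40.0/22 is, in BGP terms, an origin mismatch: a prefix registered to AS264677 appears on route collectors with a Tolder ASN in the origin position. Below is an added example, not the article’s own code, of the check a practitioner would run over a route-collector feed to catch this class of event. The registered origins are taken from this page (AS206975, AS43090 and AS206976 for the Tolder /24s, AS264677 for the Honduran /22); the observations and the upstream ASNs 64496 and 64497 (documentation range, RFC 5398) are constructed. It also covers the situation from the “AS23456 announcement” section: an origin of AS23456 (AS_TRANS) is reported as masked rather than counted as an unauthorised origin.

```python
"""Check observed BGP origins against registered route objects.

Added example, not the article's own code. Registered origins come from
this page; the observations and the upstream ASNs 64496/64497 (RFC 5398
documentation range) are constructed to mirror the events described.
"""
import ipaddress

# RFC 6793: a BGP speaker without 4-byte ASN support substitutes this value
# for every 4-byte ASN in the AS_PATH. AS206975 and AS206976 are 4-byte
# ASNs, so a collector peer without 4-byte support shows them as AS23456.
AS_TRANS = 23456

# Registered prefix -> allowed origin ASNs, as one would load from IRR
# route objects. Tolder entries per the article; the Honduran /22 is
# registered to AS264677 (LACNIC).
REGISTERED_ORIGINS = {
    "185.169.229.0/24": {206975},   # Toldernet-GI
    "185.169.230.0/24": {43090},    # DNRNET, via AS6718
    "185.169.231.0/24": {206976},   # RU, via AS198371
    "170.244.40.0/22": {264677},    # INFORMATICA DE HONDURAS S.A.
}

# Constructed observations: (prefix, AS path as seen from a collector peer),
# last element is the origin. 64496/64497 stand in for upstream ASNs.
OBSERVATIONS = [
    ("185.169.231.0/24", [64496, 206976]),   # ordinary Tolder announcement
    ("170.244.40.0/22", [64497, 264677]),    # legitimate Honduran origin
    ("170.244.40.0/22", [64496, 206975]),    # the 21 March 2017 event
    ("170.244.42.0/24", [64496, AS_TRANS]),  # more-specific, origin masked
    ("185.169.228.0/24", [64496, 206976]),   # no route object on record
]


def registered_origins_for(prefix, table=REGISTERED_ORIGINS):
    """Origins allowed for `prefix`: the most specific registered prefix
    that covers it, so a more-specific announced under the parent's origin
    passes while a different origin does not. None if nothing covers it."""
    net = ipaddress.ip_network(prefix)
    best = None
    for registered, origins in table.items():
        reg_net = ipaddress.ip_network(registered)
        if reg_net.version != net.version or not net.subnet_of(reg_net):
            continue
        if best is None or reg_net.prefixlen > best[0].prefixlen:
            best = (reg_net, origins)
    return None if best is None else best[1]


def check_announcement(prefix, as_path, table=REGISTERED_ORIGINS):
    """Classify one announcement: 'valid', 'invalid', 'as_trans' or 'unknown'."""
    allowed = registered_origins_for(prefix, table)
    if allowed is None:
        return "unknown", f"{prefix}: no route object covers this prefix"
    origin = as_path[-1]
    if origin == AS_TRANS:
        # The true origin is a 4-byte ASN this peer could not carry. Do not
        # score it as an unauthorised origin; re-check from a 4-byte-capable
        # peer before drawing any conclusion.
        return "as_trans", (f"{prefix}: origin masked by AS_TRANS, "
                            f"expected one of {sorted(allowed)}")
    if origin in allowed:
        return "valid", f"{prefix}: AS{origin} is a registered origin"
    return "invalid", (f"{prefix}: AS{origin} is not registered, "
                       f"expected one of {sorted(allowed)}")


def audit(observations, table=REGISTERED_ORIGINS):
    """Return (prefix, origin, verdict, detail) for every observation."""
    return [(prefix, path[-1], *check_announcement(prefix, path, table))
            for prefix, path in observations]


if __name__ == "__main__":
    for prefix, origin, verdict, detail in audit(OBSERVATIONS):
        print(f"{verdict:8} {detail}")
```

This is the same comparison an RPKI route-origin validator performs; the authoritative table here is a route-object list because the article’s evidence is registry data, but the verdicts map directly onto RPKI’s valid, invalid and not-found states, with the AS_TRANS case called out separately because it is an observation artefact rather than a property of the announcement.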

Closing the circle

The spoofit.org project was born in 2016 to uncover the infrastructure and providers that enable denial of service attacks. After reviewing more than 200 stress-testing services, most of them hosted behind Cloudflare’s anti-DDoS protection, we traced several of these services back to the VDOS-S stress-testing service operated from Israel.

During our research we uncovered how actors like Proginter.com have been using the VDOS-S infrastructure via its API to support other booters such as booter.xyz and stressit.org.

VDOS-S, like other stress-testing services, has been sourcing its attacks from dedicated servers in data centers that route spoofed traffic or permit the generation of thousands of application-layer connections to attack websites.

Alexandr Osadcii, the Moldovan “entrepreneur” behind Maxided, has played an important role in this setup, operating as an intermediary with a stake in such dedicated servers and their profitable campaigns. While in the past these servers used the IP space of their data centers, Maxided and its business partners decided to scale up their operations and obtain fresh blocks of IP space from RIPE to keep selling such “offshore” services. Keeping the IP space under their own control became a key element in ensuring that buyers would keep paying.

Companies like the Sindicate Group, the Khlynovka-1 Association of property owners and Tolder are examples of this IP harvesting setup. New IP space is periodically obtained from RIPE and systematically announced from the same data centers through common upstream providers. After three to six months, once the space gets flagged as malicious, a new company associated with the same actors obtains more addresses to continue the operations.
