We have received a community report about another interest provider: Tolder LLC. This provider has been active for the past six months hosting several malicious websites.
What do we know about Tolder?
According to public information in RIPE records, Tolder serves customers from Ukraine, Moldova and Russia.
The official registry of the company can be found at the website nalog.ru. Tolder is a limited liability company registered with the name: ОБЩЕСТВО С ОГРАНИЧЕННОЙ ОТВЕТСТВЕННОСТЬЮ “ТОЛДЕР”
A review of their registration papers shows the following list of activities:
49.41.3 Аренда грузового автомобильного транспорта с водителем 49.41.3 Rental of trucks with driver 41.10 Разработка строительных проектов 41.10 Development of building projects 41.20 Строительство жилых и нежилых зданий 41.20 Construction of residential and non-residential buildings 45.11.1 Торговля оптовая легковыми автомобилями и легкими автотранспортными средствами 45.11.1 Wholesale trade of cars and light motor vehicles 45.40 Торговля мотоциклами, их деталями, узлами и принадлежностями; техническое обслуживание и ремонт мотоциклов 45.40 Trade in motorcycles, parts and accessories; maintenance and repair of motorcycles 45.40.1 Торговля оптовая мотоциклами, их деталями, узлами и принадлежностями 45.40.1 Wholesale trade of motorcycles and related parts and accessories 46.90 Торговля оптовая неспециализированная 46.90 Wholesale trade in specialized stores 49.20.9 Перевозка прочих грузов 49.20.9 Transportation of other freight
Tolder LLC registered the company with a start capital of 200000 RUB (~3350 EUR) something unusual for similar shell companies that register in Russia that normally do it with the bare minimum of 10000 RUB.
Tolder is registered in the names of ПАНЬКОВ ИГОРЬ АЛЕКСЕЕВИЧ (founder) and СИДОРКИН СЕРГЕЙ ВАСИЛЬЕВИЧ (director)
The legal address from the registration documents is Prospekt Mira. 102 p. 26 floor 2 room 26. There are at least 56 more companies in the same address:
“ТОЛДЕР” Регион Москва Юридический адрес 129626,
город Москва, проспект Мира, дом 102 строение 26, эт 2 комн 26
All organizations registered in the same address can be found here
When we tried to reach the company by phone, +74953084604, a robot informed us that the phone number was not in used and available for purchase.
Bad traffic from day one
The company was registered in Russia the 10th October 2016 and soon after started to deliver “good rankings” of malicious activity.
For example the prefix 22.214.171.124/24 was announced first time the 22nd of November from AS206976 and immediately after, spam and other malicious campaigns started.
Tracking the Tolder IP space
Tolder LLC is a newly register LIR from early September 2016 with the IP allocation: 126.96.36.199 – 188.8.131.52.
The following route objects are registered in RIPE for that space or related to Tolder LLC.
inetnum: 184.108.40.206 - 220.127.116.11 inetnum: 18.104.22.168 - 22.214.171.124 inetnum: 126.96.36.199 - 188.8.131.52 inetnum: 184.108.40.206 - 220.127.116.11 (*) Not LIR inet6num: 2a0a:6f00::/29
- 18.104.22.168 – 22.214.171.124, CH, Switzerland, (TOLDERNET)
- 126.96.36.199 – 188.8.131.52, GI, Gibraltar, Toldernet-GI, AS206975 (DNRNET) via Contabo and DDoS-guard.
- 184.108.40.206 – 220.127.116.11, CW, Buena Vista Data space Santa Maria, AS43090 via AS6718 Nav Telecom / GTS Romania upstreams (DNRNET)
- 18.104.22.168 – 22.214.171.124, RU, using AS206976 via AS198371 Ninet RS as upstreams.
There are two more prefixes associated to Tolder: the IPv6 prefix that has never been announced and the prefix 126.96.36.199/24.
Who is behind 188.8.131.52/24?
The history behind this network will bring us back to some known actors. Old records from 184.108.40.206/24 reveal that the network was associated to “Maxi Dedicated” and the “Sindicate Group”. As reported in this website the “Sindicate Group” and the “Kepler Association of House Owners” were known to host the VDOS stress testing-booter backend infrastructure.
The 220.127.116.11/24 space was delegated from RU-CEA AS12790 to Tolder LLC the 11th of November 2016.
Of course, the fact that Tolder LLC, a newly formed company, runs the very same IP space that in the past was associated to Antonio Jordan (Sindicate Group) PB19075-RIPE and LP10651-RIPE Lokis Petkis (Maxided) keep us wondering… Is this just circumstantial? Is it just a lucky coincidence?
inetnum: 18.104.22.168 - 22.214.171.124 netname: STORAGECG org: ORG-EA1008-RIPE country: GB admin-c: LP10651-RIPE tech-c: LP10651-RIPE status: ASSIGNED PA mnt-by: dm-sindicategroup-1-mnt mnt-by: mnt-maxided created: 2016-07-28T23:32:06Z last-modified: 2016-08-28T14:32:27Z source: RIPE mnt-routes: mnt-maxided mnt-lower: dm-sindicategroup-1-mnt organisation: ORG-EA1008-RIPE org-name: Emma-host remarks: www.emmaneangel.com org-type: OTHER address: Lithuania,Sostena, UAB address: Ukmerges g. 280, LT-06115 Vilnius phone: +37066105608 abuse-c: ACRO1124-RIPE mnt-ref: mnt-maxided mnt-by: mnt-maxided created: 2016-08-28T14:31:56Z last-modified: 2016-08-28T14:57:41Z source: RIPE # Filtered
Sindicate Group and Maxided contact details
A review of the evidence suggests that the Sindicate Group and Maxided do not only share modus operandi but upstream providers and some historical contact details. For example, Lokis Petkis uses the same telephone number +37037247921 that the contact details of the Sindicate Group.
Note: If you do not know who is the Sindicate Group, check out our old article here
person: Lokis Petkis abuse-mailbox: firstname.lastname@example.org address: Kaunas, Lithuania, Kestucio G 39 phone: +37037247921 nic-hdl: LP10651-RIPE mnt-by: mnt-maxided created: 2016-06-25T08:51:36Z last-modified: 2016-08-28T13:54:45Z source: RIPE
The “AS23456 announcement”
The use of transitional AS Number “23456” to announce a prefix is not new to us. It seems that “Tolder” also uses AS23456 in his announcements, further more, Tolder uses the very same upstream provider in the Netherlands that “Sindicate Group” used in the past: “Nforce Entertainment”. Another lucky coincidence?
The “Sindicate Group”, was operating the LIR-allocated prefix 126.96.36.199/22, until announcements stopped in November 2016. Is Tolder, the Sindicate Reloaded?
“We are high bandwidth provider” without a webpage
One of the network object remarks of Tolder is “We are a high bandwidth network provider offering bandwidth solutions worldwide” that remind us the very same glorious remark of Ecatel aka Quasi aka Novogara.
Meet Tolder and Dnr!
Toldernet.com and Dnrnet.com are two of the domains associated with the maintainers of their infrastructure. Both domains lack any website. So who is operating Tolder?
When searching from Dnrnet, we found out that DNR seems to make reference to ДНР, Донецкая Народная Республика. We wonder if this domain makes reference to Donetsk Republic Network.
Dmitriy Kaplanov, Tolder linked with Kepler (Khlynovka-1 Association of property owners)
One interesting finding is the use of the e-mail email@example.com to register several phishing related domains as trafficanalyzer.biz or upsbroker.com. The domain is registered in the name of an old actor “Dmitriy Kaplanov”. Who is Dmitriy Kaplanov? The person associated to “AS203466 Kepler”, the Russian fake house owner’s association that we discover in another article at Spoofit.org.
Meet Pavel Bandaryk, another identity of the Sindicate Group
Since 2015, we can see different identifies associated to firstname.lastname@example.org, one of them is Pavel Bandaryk that during the first six months of 2016, operated AS203734
person: Pavel Bandaryk
address: Logoyskiy trakt st., n. 27/38, Minsk, Respublic of Belarus
Mirai C2, Credit Card Fraud, AdGholas you name it…
A few examples of the campaigns hosted at Tolder include credit card fraud as documented by Sucuri or hosting Mirai’s command and control.
During our review of Tolder, we found an interesting domain name rep.securityupdates.us, this domain was hosted at 188.8.131.52 in November 2016. This domain have been used by Mirai operator “bestbuy” as command and control.
(Update 2nd March) In the same ip network, it could be found the domain biicqwfvqiec.click, a domain used in AdGholas malware campaigns.
Tolder, Sindicate Group, DepFile, Host-Shield, Kepler… “Maxided”
Tolder hosts maxided.com servers and have advertised his services in the past with the name host-shield. His services have been used by projects as VDOS to host infrastructure to run denial of service attacks.
Who runs Maxided?
Maxided, a market place to find servers that allow abusing practices, is run by Александр Осадчий, Alexandr Osadcii, is also known as “pushlan”. Alexandr runs maxided.com customer portal protected by Cloudflare, with hidden backend servers hosted at AS49981, Wordstream NL.
Pushlan is interested in 4×4 cars and visits Crimea often. This might explain why Tolder is registered as a “wholesale trade of cars and light motor vehicles”. Alexandr, is born in Moldova the 5th April 1981.
Name: Александр Осадчий, Alexandr Osadcii Country: Moldova Date of birth: 5th April 1981 Icq: 302713,4333431 Skype: Pushlan Gmail: email@example.com Toyota Hilux DLX 4x4: Transnistria Number Plate T 012 HK Mercedes Vario: Moldova Number Plate GXU 012 Domains: maxided.com, dot-link.net, dot-link.com, camioncic.com, osadcii.net, host-shield.net
Spam campaigns and Tolder
An interesting development took place the 21st of March 2017, during almost two days Tolder announced the prefix 184.108.40.206/22 that originally belongs to AS264677 INFORMATICA DE HONDURAS S.A.
Why Tolder suddenly starts to announce this prefix? The answer might be in this article from Spamhaus about a group known as “Big Sky Services”
“Big Sky Services is an operation which acquires large amounts of IP addresses through various means, which are then leased to spammers. One of the methods used by Big Sky Services is to partner with a Honduran individual or business that has the ability to obtain IP allocations directly from LACNIC, which are then used to spam.”
One of the company names used to acquire LACNIC IP ranges in Honduras is: INFORMATICA DE HONDURAS S.A.
So it seems that Tolder is also facilitating Spam-type operations upstreaming the Big Sky Services prefix 220.127.116.11/22 as shown in this graph.
Closing the circle
The spoofit.org project was born in 2016 to undercover the infrastructure and providers that enable denial of service attacks. After reviewing more than 200 stress testing services, which can be mostly found hosted behind Cloudflare anti-DDOS protection, we traced back several of these services in connection with the VDOS-S stress testing service operated from Israel.
During our research we undercover how actors like Proginter.com have been using VDOS-S infrastructure via their API to support other booters like booter.xyz or stressit.org.
VDOS-S as other stress testing services have been sourcing their attacks using dedicated servers in data centers that route spoofed traffic or permit the generation of thousand of application layer connections to reflect website attacks.
Alexandr Osadcii, Moldovan “entrepreneur” from Maxided has played an important role in such infrastructure setup, operating as interested intermediary of such dedicated servers and their profitable campaigns. While in the past such servers were using the IP space of their datacenters, Maxided and their business partners decided to scale up their operations and obtain new fresh blocks of IP space from RIPE to keep selling such “offshore” services. Keeping the IP space under control became a key element to ensure that buyers will keep paying.
Companies like the Sindicate Group, Khlynovka-1 Association of property owners or Tolder are examples of such IP harvesting setup. New IP space is periodically obtained for RIPE that systematically is announced in the same data centers with common upstream providers. After three or six months, were the space gets flagged as malicious, a new company associated to the same actors obtains more addresses to continue the operations.