King Servers, “DIe$el” and the Ransomware and Exploit kits business

Have you ever heard of King Servers? Most likely. Have you heard of SecretsLine? Maybe not. Either way, the combination is not a good one. King Servers is a hosting company providing dedicated servers and VPS in the USA, the Netherlands, and Russia. A person of interest going by the handle “King Servers,” who uses the email address ivan@king-servers[.]com, is a member of a few underground forums.

In 2009, this person advertised his services on a forum under the handle “DIe$el.” Around 2015, “DIe$el” started to use the handle “King Servers,” advertising the same services.

Around that time, “King Servers” announced that he had taken over the online service SecretsLine VPN.

The whois information for the domain king-servers[.]com shows that it was created on June 15, 2008. The whois record is private now, but it wasn’t when the domain was first registered. Below is the original whois information for king-servers[.]com, confirming the identity of the person running this company.

Tech Name: VLADIMIR FOMENKO
Tech Organization: DIESEL NETWORK
Tech Street: MACSIMOVOY 5
Tech City: BIYSK
Tech State/Province: 
Tech Postal Code: 659303
Tech Country: RU
Tech Phone: +7.9619914343
Tech Phone Ext: 
Tech Fax: +7.9619914343
Tech Fax Ext: 
Tech Email: DIESELLTD@GMAIL[.]COM
Name Servers: ns1.king-servers[.]com
Name Servers: ns2.king-servers[.]com

Pivoting off the email address “dieselltd@gmail[.]com” we found 91 domains. Pivoting off the name Vladimir Fomenko we found three additional email addresses:
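The two pivots described above (email address to domains, then name to further email addresses) are the same operation applied to different WHOIS fields. The following is an added example, not code from the original post: it parses "Key: Value" WHOIS blocks like the one above, normalises defanged values such as "[.]", builds an index from each contact email, contact name and name server to the domains that carry it, and then performs the second hop. The domain names, people and addresses in the sample records are constructed placeholders, not the real records from the investigation.

```python
import re
from collections import defaultdict

# Constructed sample WHOIS records (hypothetical domains, names and addresses;
# not the real records from the post). Indicators are written defanged with
# "[.]" the way the post writes them, and field case varies on purpose.
SAMPLE_WHOIS = {
    "example-host[.]com": """\
Registrant Name: ALICE EXAMPLE
Registrant Organization: EXAMPLE NETWORK
Registrant Email: ALICE@EXAMPLE[.]COM
Tech Fax Ext:
Name Servers: ns1.example-host[.]com
Name Servers: ns2.example-host[.]com
""",
    "vpn-example[.]net": """\
Tech Name: Alice Example
Tech Email: alice@example[.]com
Name Servers: ns1.example-host[.]com
""",
    "other-example[.]org": """\
Registrant Name: Alice Example
Registrant Email: a.example@mail.example
Name Servers: ns1.other-dns.example
""",
    "unrelated[.]info": """\
Registrant Name: Bob Unrelated
Registrant Email: bob@unrelated[.]info
Name Servers: ns1.unrelated[.]info
""",
}

# One "Key: Value" line; the lazy key stops at the first colon so URL values survive.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z /]+?):\s*(?P<value>.*?)\s*$")

# Contact roles whose "<role> Name" field is worth pivoting on.
ROLES = ("registrant", "admin", "tech")


def refang(value):
    """Normalise a defanged indicator ("[.]") and case so values compare equal."""
    return value.replace("[.]", ".").strip().lower()


def parse_whois(text):
    """Parse a WHOIS block into {key: [values]}.
    Repeated keys (several Name Servers lines) are kept as a list;
    empty values (e.g. 'Tech Fax Ext:') are dropped."""
    record = defaultdict(list)
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m or not m.group("value"):
            continue
        record[m.group("key").strip().lower()].append(refang(m.group("value")))
    return dict(record)


def pivot_points(record):
    """Extract (kind, value) pivots: contact emails, contact names, name servers."""
    pivots = set()
    for key, values in record.items():
        for v in values:
            if key.endswith(" email"):
                pivots.add(("email", v))
            elif key.endswith(" name") and key.split(" ")[0] in ROLES:
                pivots.add(("name", v))
            elif key == "name servers":
                pivots.add(("ns", v))
    return pivots


def load(whois_by_domain):
    """Parse every record, keyed by the normalised domain name."""
    return {refang(d): parse_whois(t) for d, t in whois_by_domain.items()}


def build_index(records):
    """Map every pivot point to the set of domains whose records contain it."""
    index = defaultdict(set)
    for domain, record in records.items():
        for pivot in pivot_points(record):
            index[pivot].add(domain)
    return index


def domains_for(index, kind, value):
    """First hop: all domains sharing a given email / name / name server."""
    return sorted(index.get((kind, refang(value)), ()))


def related_pivots(records, index, kind, value, want):
    """Second hop: other pivot values of type `want` found on the domains
    that share the starting pivot (e.g. a registrant name -> other emails)."""
    start = (kind, refang(value))
    found = set()
    for domain in domains_for(index, kind, value):
        for pivot in pivot_points(records[domain]):
            if pivot[0] == want and pivot != start:
                found.add(pivot[1])
    return sorted(found)


if __name__ == "__main__":
    recs = load(SAMPLE_WHOIS)
    idx = build_index(recs)
    print("domains on email:", domains_for(idx, "email", "ALICE@EXAMPLE[.]COM"))
    print("emails via name: ", related_pivots(recs, idx, "name", "Alice Example", "email"))
    print("name servers:    ", related_pivots(recs, idx, "email", "alice@example.com", "ns"))
```

The index is rebuilt from whatever WHOIS text you feed it, so the same two functions cover historical records as well as current ones; a shared name server is kept as a separate pivot kind because it is a weaker link than a shared contact email and should be weighed accordingly.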

12vf@mail[.]ru – linked to Skype user “pifon3257899”

12vf@mail[.]ru is also linked to an FB user https://www.facebook.com/profile.php?id=100000641940861

The email address 12vf@mail[.]ru and the Skype user pifon3257899 are also linked to an Alexander Litvinov:

[screenshot not reproduced]

Interestingly, the ICQ number 3257899 refers to a Vladimir and not to Alexander Litvinov.

[screenshot not reproduced]

The email address vladimirfomenko@gmail[.]com is linked to a Skype user named tatianafomenko.

The email address fomenkovv84@gmail[.]com could not be linked to anything else.

We found the following FB account linked to the email address dieselltd@gmail[.]com; it hasn’t been active since 2012:
https://www.facebook.com/vladimir.fomenko.54?lst=100002608588229%3A100000524472532%3A1486163778

[screenshot not reproduced]

On underground forums, Vladimir Fomenko or one of his employees uses or has used several handles over the past years, such as “King Servers”, “DIe$el”, “dieselltd”, “alibababa”, “goga”, and “cruler”; the latter was reported as scamming other members buying adult traffic through his website bucksowners[.]com.

They also use the following ICQ numbers to run the business:
– ICQ sales, billing: 8882596
– Tech Support: 6495995

Several articles discussed the involvement of King Servers in the DNC hack without real evidence. If someone used one or multiple King Servers IP addresses, does that make that person Russian? Anyone could do that, state-sponsored actor or not; at that point it doesn’t really matter. Does it make King Servers a state-sponsored actor? It’s difficult to judge his involvement, but we can say that he’s not very good at checking what’s going on around his network. Several IPs or domains involved and confirmed as belonging to APT28 were hosted in the US; does that make it an inside job?

King Servers has a heavy presence on underground forums advertising his services. Some Russian media outlets mentioned ties between Mr. Fomenko and Mr. Vrublevsky. Is this enough to tie them to APT28? I’d say that they are a possible bulletproof hoster to some extent, and having Mr. Vrublevsky as a contact is never a good sign, no matter what Mr. Vrublevsky thinks or might say. We have evidence that in 2011 King Servers, at that time using the handle “DIe$el,” contacted “bestav,” known for running the largest fake AV networks, on an underground forum about a possible partnership. He also had another quick conversation with another person regarding exploit kits.

Interestingly, we find several references to ransomware (which more or less replaced fake AV on the scene), exploit kits and financial malware on King Servers’ networks.

Here is the level of malicious activity found on King Servers’ networks:

[screenshot of malicious activity levels not reproduced]

Vladimir Fomenko runs another company called SecretsLine VPN, which has offered VPN services since 2007. He apparently took it over from the original owner, Aleksander Klimenko. Aleksander advertised his services on underground forums, and Vladimir continued the trend. Vladimir provides hosting and VPN anonymity to members of underground forums and enables them to run their businesses.

References:

https://gosint.wordpress.com/2017/01/31/the-moscow-four-what-story-hides-behind-the-arrest-of-russias-top-cybercrime-investigators/
https://rg.ru/2016/09/28/reg-sibfo/zhitel-altaia-ne-podozreval-chto-s-ego-serverov-shli-kiberataki-na-ssha.html
https://www.novayagazeta.ru/articles/2017/01/26/71296-troyanskiy-kod
