Blog

Adversary On The Defense: ANTIBOT.PW

Background

Across the vast landscape of attackers and defenders, it’s common to see actors and teams playing both sides for fun and profit. We mostly see this within mature red teams and APT groups, so it’s noteworthy to observe this dynamic within the context of a smaller group or even individual actors.

In this blog, we will cover the lifecycle of a commercial web traffic filtering service originating from a GitHub project and how it found success within phishing operations. We’ll also discuss the evolution of the tool into a commercial platform offering under new branding.

The tool in question, known as Antibot, was designed to serve as a web traffic filtering script for websites to differentiate real users from bots. Such tooling is fairly common with the current state of the internet as we know it; the plethora of existing crawlers and scraping activity occurring regularly makes such tooling a necessity to inhibit unwanted traffic. For example, Akamai documents anti-bot tools in the context of legitimate services intended to protect online services and websites from abusive bots. Many companies across industries rely on anti-bot and traffic filtering services provided by CDNs and other types of providers to ensure the integrity of their published content and prevent abusive scraping. It becomes interesting when the use of such tooling comes into play in the context of threat actor infrastructure. The primary use cases for these tools in the malicious context include anti-analysis and anti-research, some of the highest priorities for any adversary’s operational security. This type of anti-analysis provides the basis for a feature known as cloaking, which enables an adversary to evade defensive controls by providing a misleading benign response payload to content scanning services, while at the same time providing the actual malicious payload to normal users. An attacker who can successfully evade automated web content scanners can extend the life of their phishing and malware campaigns, netting additional profits with less effort over time.

Antibot

Antibot is a PHP script, intended to be run on a web server and receiving inbound web traffic, where it can be analyzed and filtered before serving payload content to a client. The analysis performed is intended to detect automated or inauthentic bot traffic; various methods can be used for this, including evaluating HTTP request headers, cookie presence, origin IP space or traffic type, and other approaches. Version 2.6 of the script is the commonly observed version in use. Antibot likely originated during 2019, when we saw that an associated domain name was registered.

An example of an installation of Antibot from 2020 is found in a Joe Sandbox report:

Malware sandbox report showing a status page for Antibot c.2020

Various versions of this script may still be found installed on sites utilizing it today. For example:

  • hXXps://www.wpabaseball[.]com/
  • hXXps://kmbs[.]ir/index.php?option=com_content&view=article&id=165&Itemid=311&lang=fa
  • hXXps://ktrlcvw[.]com/

An extended version of the control panel has also been observed, both exposed publicly and behind authentication:

Antibot v.2.6 dialog [ninoseki 2020]
Antibot v.2.6 dialog [dave_daves 2020]

Antibot v.2.6 panel login dialog [dave_daves 2020]

As previously mentioned, the origins of this tool appear to be a GitHub project that is currently inactive:

https://github.com/radenvodka/antibot

Installations of the control panel for the filtering software have surfaced on numerous sites and in some public reports, such as the following:

The reasons for the open source project going dormant likely become clear when examining the evolution of the standalone script into an online service, modernizing the offering for the underground economy.

ANTIBOT.PW and Killbot Services

Antibot originally saw life as a simple PHP script, designed for a user installation on a web server. Since this time, the GitHub project has been taken offline, and the developer has embarked on a new vision for Antibot – the ANTIBOT.PW and Killbot services are included in a set of abuse-oriented service offerings. Antibot is believed to likely be the predecessor and server-side base code component for ANTIBOT.PW. The operator of the site notes this background in the site footer:

2019-2023 © ANTIBOT.PW In 2019 antibot started with a different name (* .pw) initially we focused on shortlink service providers and within a month, we get positive feedback. in the end we developed several products and tools such as bot detection which is now in high demand, IP Geolocation and other services.

The early phases of ANTIBOT.PW were observed in 2019 as shown in this capture from urlscan.io:

ANTIBOT.PW c.2019 [urlscan.io]

A copy of an associated PHP script was posted to Pastebin during the same year:

https://pastebin.com/7Y22yXW4

The PHP script contains an API service URL and API key for the ANTIBOT.PW service at the time. The script works in a familiar way to many other traffic filtering scripts; the client IP address and several origin IP address headers commonly used with CDNs and reverse proxies are captured by the get_client_ip() function:

Antibot PHP script get_client_ip() function

The client is checked by calling this function, resulting in a call back to the developer site, and the JSON response checks for a field called is_bot. If this field is set, then the client is filtered and is issued an HTTP 404 response:

Antibot PHP script filtering logic

Using an alternate mode, this copy of the script also includes inline filtering content, evaluating the client’s DNS name and remote IP address against a list of blocked domains and IP wildcard expressions:

Antibot PHP script alternate filtering logic using blocklisted hostname and IP address matches

The web portal for the Antibot service lives at ANTIBOT.PW:

ANTIBOT.PW home page c.2023
ANTIBOT.PW service client login page c.2023

The ANTIBOT.PW service offers several features that are notably useful in the context of spamming, phishing URL misdirection, phishing submission verification, client IP address verification and carding:

  • Antibot Shortlink
  • Antibot Blocker
  • Inbox Testing
  • AntiDispos Email
  • PhoneNumber Validate
  • BIN CHECK
  • Lookup IP Address
ANTIBOT.PW services c.2023
ANTIBOT.PW pricing c.2023
ANTIBOT.PW fabricated customer testimonials in Lorem Ipsum form c.2023

By 2020, other phishing services and products had been observed factoring ANTIBOT.PW in as features of their own crimeware, as noted by MalwareHunterTeam:

ANTIBOT.PW support noted as a feature of an advertised Chase phishing kit


Designed as an API service for easy integration, the partnership landscape with ANTIBOT.PW is notable, particularly in the Indonesian spammer and phisher community where many of the threat actors are sure to collaborate and share a common tooling ecosystem. Data on instances of the HijaIyh phishing kit being used to target the Apple brand was shared by a researcher in 2020, noting that Antibot was bundled with the kit and effectively bypassed analysis by an online web crawler. The developer of the HijaIyh kit, another prolific phishing-as-a-service kit from the Indonesian phisher community, listed ANTIBOT.PW as a partner in the project homepage, hijaiyh[.]jp. An analysis of a Chase bank phishing campaign was shared by researchers at Sucuri in 2021, showing a similar bundling of Antibot components in the backend kit.

HijaIyh phishing kit home page listing ANTIBOT.PW as a partner [urlscan.io 2020-06]

Killbot

By 2020, the operator of ANTIBOT.PW started to establish a new service called Killbot. Domain registrations were noted in April (KILLBOT.ORG) and July (KILLBOT.PW). Killbot attempts to take a leg up in terms of legitimate appearance, providing a more professional site designed to attract clients, while at the same time offering a similar set of services to that of ANTIBOT.PW. An unassuming user seeking website security solutions may even believe that the service is a legitimate offering, operated by a reputable company. This would of course not be the case.

Killbot home page

The login page dialog shows the same structural similarity to ANTIBOT.PW:

Killbot service client login page c.2023

Comparing advertised features of ANTIBOT.PW and Killbot services shows similarities, with the later addition of advertising facial detail comparisons. The name Antibot Blocker is updated to Killbot Blocker, Antibot Shortlink to Killbot Shortlink, and a number of other services also remain:

  • Killbot Blocker
  • Killbot Shortlink
  • OWASP Top 10 Protection
  • Lookup IP address
  • Disposable Email Identify
  • Phone Number Identify
  • Face Comparing
  • Face Detection
  • Face Searching
  • Face Detail
  • Custom AI Solution (B2B/B2G)
ANTIBOT.PW services c.2023
Killbot features c.2023

InQuest® also notes direct relations in how the older ANTIBOT.PW and newer Killbot services operate. ANTIBOT.PW exposes a file repository for clients at files.antibot[.]pw:

ANTIBOT.PW file repository c.2023

A similar file repository is hosted for Killbot at files.killbot[.]org:

Killbot file repository c.2023

The two services serve their PHP scripts in similar ways, renaming them for download as .TXT files. Comparing the scripts shows near identical similarities:

3717b7c862057a5deb406cf747c4669e3f41d217ae66a22a80b0bfe225a731a5  antibot-blockers.txt

2982112157807645a1c964e70a44d2a23021d4a62537ad2266445125c8783e5e  Killbot-Blocker.txt

Comparison of antibot-blockers.txt and Killbot-Blocker.txt

Installations of Killbot-integrated sites may be observed in captured phishing pages and other scam and fraudulent websites, like those that can be found in urlscan.io:

An example of client-side content used to integrate the Killbot service into a DHL phishing page is shown below. Filtered clients are redirected to the DHL home page:

Chase phishing page using the Killbot service for traffic filtering

A similar setup is found in urlscan.io, showing activation using a published Killbot JavaScript including with a redirection for filtered clients to Yandex in this case.

Chase phishing page using Killbot service for traffic filtering [urlscan.io 2023]

Suspected developer/operator

In 2018, Deep End Research published an analysis of spam and phishing campaign activity centered around a community of operators based in Indonesia. The phishers notably targeted Apple, PayPal and other top brands, and utilized a number of utilities in their toolbox, including SendInbox, heart sender, GX40 sender, IndoXploit, and others. The community was found to be using tools believed to have been developed by Eka Syahwan. As noted in a 2020 post to Twitter, researchers identified a link between Syahwan and this Indonesian spam and phishing ecosystem. Also in 2020, a researcher posted a list of phishing kit URLs and their associated dropzone information to their blog. One of those kits was packaged in an archive named sendinbox-master.zip:

hXXp://lordnoob.hopto[.]org/gx40/sendinbox-master.zip

The exfiltration email recipient configured in this kit was ekasyahwan[@]hotmail.com, which is also the registrant email for the domain ANTIBOT.PW. As noted by Deep End Research, Syahwan is the developer of SendInbox. Syahwan is also the developer of Antibot, with the software project having been hosted on Syahwan’s @radenvodka GitHub account prior to being taken offline.

  • Eka Syahwan, Indonesia
  • ʀᴀᴅᴇɴᴠᴏᴅᴋᴀ (ᴇᴋᴀ ꜱ)
  • @radenvodka (GitHub) – https://github.com/radenvodka
  • https://id.linkedin.com/in/ekasyahwan
    • Eka Syahwan – Chief Executive Officer (CEO) – CilegonTech
  • Previously operated blog at http://www.ekasyahwan.com/
  • Previously operated blog at http://blog.antibot.pw/
  • Maintains business site for Cilegon Tech – Konsultan IT ((c) 2016) at https://cilegon-tech.blogspot.com/
    • Chief Executive Officer: Eka Syahwan
    • Also: cilegontech[.]com
  • Maintains personal blog for RadenVodka at https://radenvodka-id.blogspot.com/
    • Last post c.2018
ekasyahwan.com blog home page c.2020 (archive)
Cilegon Tech home page c.2023
Cilegon Tech home page team c.2023

Conclusion

Antibot has been a mainstay in various spammer and phishing circles as a bot traffic filtering script. A software project, originally hosted on GitHub, distributed the source code for Antibot and can be seen in active phishing page source content. The author and distributor of Antibot is suspected to be based in Indonesia in connection to local spam communities as an underground software/service provider specializing in phishing and bank fraud. Presently, ANTIBOT.PW is established as a platform with a web API and is offered as a commercial product and as a more refined service option under the name Killbot. What differentiates Antibot from other tools in the adversary toolbelt is the open-web-facing nature for which the service is presented. Contrast this to other tools and services generally sold and advertised via underground hacking forums. The operator of ANTIBOT.PW and Killbot wants to appear to be legitimate, despite a history of close involvement with unscrupulous communities and the development of software furthering criminal phishing and fraud activity within those communities. This is noted moreso when considering integrations and partnerships with other prominent phishing kits and services such as HijaIyh.

InQuest advises those looking to combat phishing and other fraudulent activity to remain aware of the presence of Antibot and Killbot in this ecosystem, and to consider websites integrating with their services to be likely related to criminal activity.

References

Appendix

Infrastructure

Domains:

  • ANTIBOT.PW
  • ANTIBOT.TECH
  • ANTIBOT.XYZ
  • KILLBOT.ORG
  • KILLBOT.PW

Domain registrations:

  • ANTIBOT.PW  2019-09-13  WEBCC  domainesia.net  Eka Syahwan  ekasyahwan@hotmail.com
  • ANTIBOT.TECH  2019-12-23  Web Commerce Communications Ltd  domainesia.net  Privacy
  • ANTIBOT.XYZ  2020-01-21  Web Commerce Communications Ltd  domainesia.net  Privacy
  • KILLBOT.ORG  2020-04-17  CloudFlare, Inc.  cloudflare.com  Privacy
  • KILLBOT.PW  2020-07-21  WEBCC  cloudflare.com  Privacy

Domain SOA records:

  • antibot.pw. 1800 IN SOA ns1.domainesia.net. admin.domainesia.com. 2021072400 3600 1800 1209600 86400
  • killbot.org. 1800 IN SOA kareem.ns.cloudflare.com. dns.cloudflare.com. 2310810561 10000 2400 604800 1800
  • killbot.pw. 1800 IN SOA kareem.ns.cloudflare.com. dns.cloudflare.com. 2314410706 10000 2400 604800 1800

Hosting:

Hosting for services has been on VPS from Vultr (CHOOPA).

  • 45.63.85.138      AS20473 | US | AS-CHOOPA
  • 45.76.179.109     AS20473 | US | AS-CHOOPA
  • 149.28.240.102    AS20473 | US | AS-CHOOPA

CDN service usage:

  • The Killbot service (domains killbot[.]org, killbot[.]pw) are fronted by Cloudflare.

Hosts:

antibot.pw.      2855     IN    A     149.28.240.102

killbot.org.      300     IN    A     104.21.11.160

killbot.org.      300     IN    A     172.67.166.105

killbot.pw.       300     IN    A     104.21.35.84

killbot.pw.       300     IN    A     172.67.216.54

antibot.pw.      1800     IN    NS    ns2.domainesia.net.

antibot.pw.      1800     IN    NS    ns1.domainesia.net.

killbot.org.    21600     IN    NS    kareem.ns.cloudflare.com.

killbot.org.    21600     IN    NS    kimora.ns.cloudflare.com.

killbot.pw.     21600     IN    NS    kareem.ns.cloudflare.com.

killbot.pw.     21600     IN    NS    kimora.ns.cloudflare.com.

Historical resolutions:

killbot.org   45.63.85.138          ip    A  2021-08-07T20:40:53  2022-06-29T13:09:44

45.63.85.138   files.killbot.org domain  A  2021-08-07T07:41:26  2022-06-10T17:25:44

45.63.85.138   go.killbot.org   domain  A  2021-08-07T07:41:27  2021-08-07T07:41:27

45.63.85.138   killbot.org      domain  A  2021-08-07T20:40:53  2022-06-29T13:09:44

45.63.85.138   killbot.pw       domain  A  2021-08-07T21:05:25  2022-06-28T13:32:45

45.76.179.109  antibot.pw       domain  A  2019-10-10T05:09:28  2020-04-16T02:11:26

45.76.179.109  files.antibot.pw domain  A  2019-10-10T06:20:25  2020-04-16T04:22:09

45.76.179.109  xn--yp9h.antibot.pw  domain  A  2019-12-15T01:18:27  2019-12-15T01:18:27

45.76.179.109  www.antibot.tech domain  A  2019-12-24T08:11:16  2020-05-12T20:47:26

45.76.179.109  antibot.xyz      domain  A  2020-01-21T10:48:30  2020-04-13T17:08:18

45.76.179.109  www.antibot.pw   domain  A  2020-04-14T16:04:11  2020-04-14T16:04:11

149.28.240.102  antibot.xyz     domain  A  2020-04-16T05:12:29  2021-01-19T08:19:47

149.28.240.102  antibot.pw      domain  A  2020-04-16T05:26:25  2023-07-14T11:26:51

149.28.240.102  files.antibot.pw domain  A  2020-04-16T05:41:29  2023-07-09T21:40:19

149.28.240.102  rox.antibot.pw  domain  A  2021-07-24T14:16:26  2023-07-02T00:58:02

45.63.85.138      AS20473 | US | AS-CHOOPA

45.76.179.109     AS20473 | US | AS-CHOOPA

149.28.240.102    AS20473 | US | AS-CHOOPA

104.21.11.160     AS13335 | US | CLOUDFLARENET

172.67.166.105    AS13335 | US | CLOUDFLARENET

104.21.35.84      AS13335 | US | CLOUDFLARENET

172.67.216.54     AS13335 | US | CLOUDFLARENET

Files

PHP scripts:

3717b7c862057a5deb406cf747c4669e3f41d217ae66a22a80b0bfe225a731a5  antibot-blockers.txt

2982112157807645a1c964e70a44d2a23021d4a62537ad2266445125c8783e5e  Killbot-Blocker.txt