
A DNS Deep Dive into New Crypto Threat “Hidden Risk”

As of 2024, more than 560 million people own cryptocurrencies worldwide, which could translate to more than half a million potential cyber attack victims. This widespread adoption may explain the emergence of threats like Hidden Risk, a malicious campaign that uses fake crypto news to distribute the RustBucket malware.

SentinelLabs published an in-depth investigation of the Hidden Risk campaign and identified 86 indicators of compromise (IoCs) related to the payload—RustBucket.

The attack began with phishing attempts targeting crypto-related businesses. Victims were tricked into downloading a dropper with RustBucket as a payload. The SentinelLabs researchers believed the campaign began as early as July 2024 and used fake news about cryptocurrency-related topics.

The WhoisXML API research team handpicked 81 of the IoCs, specifically 44 domains, 27 subdomains, and 10 IP addresses, for an expansion analysis. Our DNS deep dive led to the discovery of:

  • 40 email-connected domains
  • 14 additional IP addresses, 13 of which turned out to be malicious
  • Six IP-connected domains
  • 1,685 string-connected domains, three of which turned out to be malicious
  • Five string-connected subdomains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

About the Hidden Risk IoCs

We began our analysis with a bulk WHOIS lookup for the 44 domains tagged as IoCs, which found that:

  • Only 43 of them had current WHOIS records.
  • The 43 domain IoCs with current WHOIS data were administered by nine registrars led by Namecheap, which accounted for 21 domains. The rest of the registrars were NameSilo with six domains; Hosting Concepts with five; GoDaddy and Squarespace Domains with three each; Registrar.eu with two; and Cloudflare, CSL Computer Service, and INWX with one each.
  • The 43 domain IoCs with current WHOIS data were created between 2011 and 2024, with most (74%) being newly created.
  • The domain IoCs with current WHOIS data were registered in six different countries led by Iceland, which accounted for 20 domains. The remaining registrant countries were the U.S. with 12 domains; the Netherlands with seven; and Eritrea, Germany, and Turkey with one each. One domain IoC did not have current registrant country data.

A query on DNS Chronicle API for the 44 domains tagged as IoCs showed that 34 had resolved to at least one IP address in the past. Overall, they resolved to 537 IP addresses between 2019 and 2024. Here are five examples with historical DNS data.

DOMAIN IoC | START DATE | END DATE | NUMBER OF IP ADDRESSES
ankanimatoka[.]com | 22 March 2024 | 28 August 2024 | 14
buy2x[.]com | 23 April 2020 | 9 July 2024 | 27
caladan[.]video | 30 October 2024 | 30 October 2024 | 1
delphidigital[.]org | 3 April 2024 | 20 October 2024 | 9
evalaskatours[.]com | 23 October 2019 | 15 November 2024 | 3

A bulk IP geolocation lookup for the 10 IP addresses tagged as IoCs yielded these results:

  • They were geolocated in two countries—nine in the U.S. and one in Singapore.
  • While seven IP addresses did not have ISP data, one IP address each was administered by Hostwinds, Latitude.sh, and OVHcloud.

A query on DNS Chronicle API for the 10 IP addresses tagged as IoCs revealed that each of them had at least two domains resolving to it in the past. Overall, 1,717 domains resolved to them between 2019 and 2024. Take a look at three examples below.

IP ADDRESS IoC | START DATE | END DATE | NUMBER OF DOMAINS
139[.]99[.]66[.]103 | 26 September 2020 | 30 August 2023 | 1,000
216[.]107[.]136[.]1027 March 2024 | 21 October 2024 | 10
45[.]61[.]128[.]1224 September 2023 | 20 October 2024 | 19

Hidden Risk IoC List Expansion Analysis Findings

We began our search for connected threat artifacts with a WHOIS History API query for the 44 domains tagged as IoCs. The results showed that they had 30 email addresses in their historical WHOIS records. Seven of the email addresses were public.

A Reverse WHOIS API query for the seven public email addresses yielded results for four, although one may belong to a domainer, given the large number of connected domains. Excluding results for that potential domainer, we obtained 40 email-connected domains after filtering out duplicates and the IoCs.

Next, a DNS Lookup API query for the 44 domains tagged as IoCs provided us with 14 additional IP addresses after removing duplicates and the IoCs.

A Threat Intelligence API query for the 14 additional IP addresses revealed that 13 have already figured in malicious campaigns.
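The expansion pivots above (historical WHOIS emails, reverse WHOIS with the likely domainer dropped, DNS lookups minus the existing IoCs) are easy to get subtly wrong when done by hand, mainly around deduplication and defanged values. The following added example, which is not code from the post or from WhoisXML API, walks the same pivots offline over constructed sample data that stands in for the API responses; the seed IoCs, email addresses, IP addresses and the domainer threshold are all invented for illustration.

```python
# Constructed seed IoCs, defanged the way the post writes them.
SEED_DOMAINS = {"seed-one[.]example", "seed-two[.]example"}
SEED_IPS = {"192[.]0[.]2[.]10"}
# Constructed stand-in for WHOIS History API output: domain -> historical registrant emails.
WHOIS_HISTORY = {
    "seed-one.example": ["reg@mail.example", "a1b2@privacy-proxy.example"],
    "seed-two.example": ["reg@mail.example", "bulk@portfolio.example"],
}
PRIVACY_DOMAINS = {"privacy-proxy.example"}  # constructed: proxy mailboxes are not "public"
# Constructed stand-in for Reverse WHOIS API output: email -> domains registered with it.
REVERSE_WHOIS = {
    "reg@mail.example": ["seed-one.example", "pivot-a.example", "pivot-b.example"],
    "bulk@portfolio.example": [f"parked{i}.example" for i in range(500)],
}
# Constructed stand-in for DNS Lookup API output: domain -> current A records.
DNS_A = {
    "seed-one.example": ["192.0.2.10", "198.51.100.7"],
    "seed-two.example": ["198.51.100.7", "203.0.113.4"],
}
DOMAINER_LIMIT = 100  # assumption: an email tied to more domains than this is a likely domainer

def refang(ioc):
    return ioc.replace("[.]", ".")

def defang(value):
    return value.replace(".", "[.]")

def public_emails(seeds):
    """Emails from the seeds' historical WHOIS that are not privacy/proxy addresses."""
    return {e for d in seeds for e in WHOIS_HISTORY.get(refang(d), [])
            if e.split("@", 1)[1] not in PRIVACY_DOMAINS}

def email_connected_domains(seeds):
    """Reverse WHOIS pivot; drops likely domainers, duplicates and the seeds themselves."""
    seed_set = {refang(d) for d in seeds}
    out = set()
    for e in public_emails(seeds):
        hits = REVERSE_WHOIS.get(e, [])
        if len(hits) > DOMAINER_LIMIT:  # one registrant owning hundreds of domains is a weak pivot
            continue
        out.update(d for d in hits if d not in seed_set)
    return {defang(d) for d in out}

def additional_ips(seeds, seed_ips):
    """Current A records of the seeds, minus the IP IoCs already on the list."""
    known = {refang(i) for i in seed_ips}
    ips = {ip for d in seeds for ip in DNS_A.get(refang(d), [])}
    return {defang(ip) for ip in ips - known}
```

The returned artifacts are re-defanged so they can be pasted into a report; they are candidates for a threat intelligence check, not confirmed indicators.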

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
