As of 2024, more than 560 million people own cryptocurrencies worldwide, which translates to more than half a billion potential cyber attack victims. This widespread adoption may explain the emergence of threats like Hidden Risk, a malicious campaign that uses fake crypto news to distribute the RustBucket malware.
SentinelLabs published an in-depth investigation of the Hidden Risk campaign and identified 86 indicators of compromise (IoCs) related to the payload—RustBucket.
The attack began with phishing attempts targeting crypto-related businesses. Victims were tricked into downloading a dropper with RustBucket as a payload. The SentinelLabs researchers believed the campaign began as early as July 2024 and used fake news about cryptocurrency-related topics.
The WhoisXML API research team handpicked 81 of the IoCs, specifically 44 domains, 27 subdomains, and 10 IP addresses, for an expansion analysis. Our DNS deep dive uncovered additional connected artifacts, summarized in the sections below.
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our analysis with a bulk WHOIS lookup for the 44 domains tagged as IoCs, which found that:
The 43 domain IoCs with current WHOIS data were created between 2011 and 2024, with most (74%) being newly created.
The domain IoCs with current WHOIS data were registered in six different countries led by Iceland, which accounted for 20 domains. The remaining registrant countries were the U.S. with 12 domains; the Netherlands with seven; and Eritrea, Germany, and Turkey with one each. One domain IoC did not have current registrant country data.
A query on DNS Chronicle API for the 44 domains tagged as IoCs showed that 34 had resolved to at least one IP address in the past. Overall, they resolved to 537 IP addresses between 2019 and 2024. Here are five examples with historical DNS data.
DOMAIN IoC | START DATE | END DATE | NUMBER OF IP ADDRESSES |
---|---|---|---|
ankanimatoka[.]com | 22 March 2024 | 28 August 2024 | 14 |
buy2x[.]com | 23 April 2020 | 9 July 2024 | 27 |
caladan[.]video | 30 October 2024 | 30 October 2024 | 1 |
delphidigital[.]org | 3 April 2024 | 20 October 2024 | 9 |
evalaskatours[.]com | 23 October 2019 | 15 November 2024 | 3 |
A bulk IP geolocation lookup for the 10 IP addresses tagged as IoCs yielded these results:
A query on DNS Chronicle API for the 10 IP addresses tagged as IoCs revealed that each had at least two domains resolving to it in the past. Overall, 1,717 domains resolved to them between 2019 and 2024. Take a look at three examples below. Note that an address that has hosted as many domains as the first one in the table is most likely shared infrastructure, so domains connected only through it should not be treated as malicious on that basis alone.
IP ADDRESS IoC | START DATE | END DATE | NUMBER OF DOMAINS |
---|---|---|---|
139[.]99[.]66[.]103 | 26 September 2020 | 30 August 2023 | 1,000 |
216[.]107[.]136[.]10 | 27 March 2024 | 21 October 2024 | 10 |
45[.]61[.]128[.]122 | 4 September 2023 | 20 October 2024 | 19 |
We began our search for connected threat artifacts with a WHOIS History API query for the 44 domains tagged as IoCs. The results showed that they had 30 email addresses in their historical WHOIS records. Seven of these were public addresses, that is, not redacted or replaced by a privacy-protection service.
A Reverse WHOIS API query for the seven public email addresses yielded results for four of them, although one may belong to a domainer (a bulk domain investor), given the large number of connected domains. Excluding results for that potential domainer, we obtained 40 email-connected domains after filtering out duplicates and the IoCs.
Next, a DNS Lookup API query for the 44 domains tagged as IoCs provided us with 14 additional IP addresses after removing duplicates and the IoCs.
A Threat Intelligence API query for the 14 additional IP addresses revealed that 13 have already figured in malicious campaigns.
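The expansion pivots above (historical registrant emails to other domains, seed domains to IP addresses, IP addresses to co-hosted domains, then a reputation check) follow a fixed pattern, including the filtering decisions the research describes: dropping duplicates and known IoCs, setting aside a registrant that looks like a domainer, and treating a high-fan-out IP as shared hosting. The script below is an added example written for this page; it is not WhoisXML API code and does not call their products. The lookup tables are constructed stand-ins for WHOIS-history, reverse-WHOIS, DNS-history and threat-intelligence results, the thresholds are assumptions, and the names and addresses come from the RFC 2606 and RFC 5737 documentation ranges.

```python
"""Offline IoC-expansion pivot (added example; not WhoisXML API code).

The lookup tables are constructed stand-ins for WHOIS-history, reverse-WHOIS,
DNS-history and threat-intelligence results; nothing is queried over the network.
"""
from dataclasses import dataclass, field

# Fan-out thresholds: assumptions for this example, not figures from the research.
MAX_DOMAINS_PER_EMAIL = 50   # above this the registrant looks like a domainer
MAX_DOMAINS_PER_IP = 100     # above this the IP looks like shared hosting

PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "protect", "whoisguard")


def refang(ioc: str) -> str:
    """Turn defanged notation (example[.]com, 192[.]0[.]2[.]1, hxxp://) back into a usable indicator."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def defang(ioc: str) -> str:
    """Inverse of refang, for safe display in a report."""
    return ioc.replace(".", "[.]")


def is_public_email(addr: str) -> bool:
    """Heuristic: an address is public unless it is missing or carries a privacy-service marker."""
    lowered = addr.lower()
    return "@" in lowered and not any(m in lowered for m in PRIVACY_MARKERS)


@dataclass
class Expansion:
    email_connected: set = field(default_factory=set)
    suspected_domainers: set = field(default_factory=set)
    additional_ips: set = field(default_factory=set)
    malicious_ips: set = field(default_factory=set)
    ip_connected: set = field(default_factory=set)
    shared_hosting_ips: set = field(default_factory=set)


def expand(seed_domains, seed_ips, whois_history, reverse_whois, dns_history, reverse_dns, threat_intel):
    """Run the four pivots, dropping duplicates and anything already tagged as an IoC."""
    seeds = {refang(d) for d in seed_domains}
    known_ips = {refang(ip) for ip in seed_ips}
    out = Expansion()

    # Pivot 1: public historical registrant emails -> other domains registered with them.
    emails = {e for d in seeds for e in whois_history.get(d, ()) if is_public_email(e)}
    for email in emails:
        connected = set(reverse_whois.get(email, ()))
        if len(connected) > MAX_DOMAINS_PER_EMAIL:
            out.suspected_domainers.add(email)      # too generic to be a useful pivot
            continue
        out.email_connected |= connected
    out.email_connected -= seeds

    # Pivot 2: seed domains -> IP addresses they resolved to, minus the IP IoCs.
    for d in seeds:
        out.additional_ips.update(dns_history.get(d, ()))
    out.additional_ips -= known_ips

    # Pivot 3: those IPs -> co-hosted domains, with high-fan-out IPs set aside.
    for ip in out.additional_ips:
        hosted = set(reverse_dns.get(ip, ()))
        if len(hosted) > MAX_DOMAINS_PER_IP:
            out.shared_hosting_ips.add(ip)          # shared hosting: weak evidence
            continue
        out.ip_connected |= hosted
    out.ip_connected -= seeds | out.email_connected

    # Pivot 4: which of the new IPs already carry a malicious verdict.
    out.malicious_ips = {ip for ip in out.additional_ips if threat_intel.get(ip)}
    return out


# Constructed sample data (RFC 2606 / RFC 5737 names and addresses, not real findings).
SEED_DOMAINS = ["lure-one[.]example", "lure-two[.]example"]
SEED_IPS = ["192[.]0[.]2[.]10"]
WHOIS_HISTORY = {
    "lure-one.example": ["ops@registrant.example", "REDACTED FOR PRIVACY"],
    "lure-two.example": ["bulk-seller@registrant.example"],
}
REVERSE_WHOIS = {
    "ops@registrant.example": ["lure-one.example", "lure-three.example", "lure-four.example"],
    "bulk-seller@registrant.example": [f"parked-{i}.example" for i in range(500)],
}
DNS_HISTORY = {
    "lure-one.example": ["192.0.2.10", "198.51.100.7"],
    "lure-two.example": ["198.51.100.7", "203.0.113.42"],
}
REVERSE_DNS = {
    "198.51.100.7": ["lure-two.example", "lure-five.example"],
    "203.0.113.42": [f"tenant-{i}.example" for i in range(1000)],
}
THREAT_INTEL = {"198.51.100.7": "malware C2", "203.0.113.42": None}


def run_sample() -> Expansion:
    return expand(SEED_DOMAINS, SEED_IPS, WHOIS_HISTORY, REVERSE_WHOIS, DNS_HISTORY, REVERSE_DNS, THREAT_INTEL)


if __name__ == "__main__":
    result = run_sample()
    for name in ("email_connected", "suspected_domainers", "additional_ips",
                 "malicious_ips", "ip_connected", "shared_hosting_ips"):
        print(f"{name}: {sorted(defang(x) for x in getattr(result, name))}")
```

On the constructed input the run yields two email-connected domains, one suspected domainer, two additional IPs of which one is already flagged, one IP-connected domain, and one shared-hosting IP set aside. The thresholds are where analyst judgement lives: a lower `MAX_DOMAINS_PER_IP` trades recall for precision, and any domain reached only through a shared-hosting or domainer pivot should be corroborated by another signal before it is blocked.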
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.