Keypoints
- Expanded analysis of eight reported pig-butchering IoCs yielded 141 connected artifacts across domains, emails, and IPs.
- WHOIS History and Reverse WHOIS queries produced 27 email-connected domains tied to a public WHOIS email; one email-connected domain (designalps[.]com) was linked to phishing.
- DNS lookups showed two of the IoC domains resolved to unique IPs: 172[.]234[.]25[.]151 and 45[.]39[.]148[.]106 (U.S.-hosted via Akamai and EGIHosting).
- Domains & Subdomains Discovery using strings (crmforexs, cronosca, trading-ic) found 112 string-connected domains and a broader search located 11,409 domains containing finance/crypto-related strings.
- Threat Intelligence and Screenshot APIs confirmed many string-connected domains were live; 13 additional string-connected domains were associated with phishing/generic threats (examples include coinbase-coin[.]shop and coinxiazai[.]com).
- Registrars for the original eight IoCs included Namecheap, Cloudflare, Gname.com, and NameSilo; most IoCs were registered in 2022–2023 across Iceland, China, and the U.S.
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains – Registrations of numerous finance/crypto-themed domains to impersonate legitimate services (‘they scoured the DNS for other domains containing the three strings… found 11,409 domains’).
- [T1583] Acquire Infrastructure – IoC domains resolved to hosting-provider IPs (two unique addresses, at Akamai and EGIHosting) used to serve scam pages (‘172[.]234[.]25[.]151 and 45[.]39[.]148[.]106’). Note that T1583.002 is the DNS Server sub-technique; ATT&CK has no “IPs” sub-technique, so the parent technique is cited here.
- [T1566] Phishing – Use of phishing pages to harvest victims or deliver scams; one domain from the expansion was identified in phishing campaigns (‘designalps[.]com figured in a phishing campaign’).
- [T1596] Search Open Technical Databases – WHOIS, Reverse WHOIS, passive DNS and similar lookups. Included for completeness only: in this article these queries (WHOIS History, Reverse WHOIS, Threat Intelligence and Screenshot APIs) are the investigators’ enumeration of scam infrastructure, the defensive mirror of this reconnaissance technique, not adversary activity (‘Reverse WHOIS API query for the public email address led to the discovery of 27 email-connected domains’).
Indicators of Compromise
- [Domain] seed IoCs and examples – crmforexs[.]com, trading-ic[.]com, filecoinprotocol[.]com (initial domains tied to pig-butchering investigations).
- [Domain] email-connected domains discovered via WHOIS – attractmilliondollars[.]com, automoneymakers[.]com, and 25 more email-linked domains (total 27).
- [Domain] string-connected domains flagged by threat intelligence for phishing or generic threats – coinbase-coin[.]shop, coinxiazai[.]com, coinwavepros[.]site, hychain[.]trading, walletlink-coinbase[.]com (and 8 more, 13 in total).
- [IP address] resolved hosting for IoCs – 172[.]234[.]25[.]151 (Akamai Technologies, U.S.), 45[.]39[.]148[.]106 (EGIHosting, U.S.).
- [Domain] broader string search results – 112 string-connected domains for the IoC strings (crmforexs, cronosca, trading-ic) and 11,409 domains in the DNS containing finance/crypto-related strings. These are candidate leads, not confirmed indicators: only the domains subsequently flagged by threat intelligence or validated by screenshot were treated as malicious.
We used a stepwise DNS- and WHOIS-focused procedure:
- Run bulk WHOIS and WHOIS History queries on the initial IoCs to extract registrant data and historical registrant email addresses.
- Run Reverse WHOIS on any public (non-redacted) email address to enumerate email-connected domains.
- Query Threat Intelligence APIs to flag domains with known phishing or other malicious associations.
- Take screenshots of live pages to validate that the content matches the scam pattern.
- Resolve IoC domains to IP addresses and geolocate them; use Reverse IP lookups to see which other domains share the hosting and whether it is dedicated or shared.
- Run Domains & Subdomains Discovery on targeted text strings (e.g., crmforexs, cronosca, trading-ic) to find related domains, then widen the search to finance/crypto-themed strings to find look-alike name patterns likely to be weaponized.
Applying this workflow to the eight reported pig-butchering domains produced concrete results. Eight WHOIS-history-derived email addresses (one public) led to 27 email-connected domains (21 still resolving, 12 trading-related). DNS resolved two IoCs to distinct U.S. IPs (172[.]234[.]25[.]151, 45[.]39[.]148[.]106). String-based discovery returned 112 immediate string-connected domains plus 11,409 broader matches; 13 of the string-connected domains were flagged by threat intelligence for phishing or generic threats, and one email-connected domain (designalps[.]com) was tied to phishing. Screenshot and threat-intel verification were applied throughout to prioritize live and malicious pages for further analysis, since the raw string matches are only candidates.
These techniques allow scaling from a small set of reported IoCs to a wider set of likely related infrastructure by combining WHOIS/Reverse-WHOIS enumeration, DNS resolution/backwards lookups, targeted string discovery, and threat-intel/screenshot validation to identify active pages, phishing links, hosting providers, and registrant patterns useful for triage and takedown efforts.
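The pivots above (Reverse WHOIS on a registrant email, string-connected discovery, reverse IP clustering, then threat-intel and liveness triage) are easy to reproduce offline once the API responses are in hand. The following is an added worked example, not code from the article or from the tool vendor it describes: it implements each pivot as a plain function over a list of records and runs them over a constructed dataset. The seed domains and search strings come from the article; the registrant email, the `.example` look-alike domains, the TEST-NET IP addresses and every domain-to-IP and domain-to-email pairing are constructed for the walkthrough and are not article data.

```python
"""Offline replay of the WHOIS/DNS expansion pivots described in the article.

Records stand in for bulk WHOIS, WHOIS History, DNS and threat-intelligence
API responses. Everything below except the seed domains and search strings is
CONSTRUCTED: .example is a reserved TLD (RFC 2606) and 192.0.2.0/24,
198.51.100.0/24, 203.0.113.0/24 are documentation ranges, so nothing here
resolves or points at real infrastructure.
"""
import re
from collections import defaultdict

SEED_IOCS = ["crmforexs[.]com", "trading-ic[.]com", "filecoinprotocol[.]com"]
SEARCH_STRINGS = ["crmforexs", "cronosca", "trading-ic"]
PIVOT_EMAIL = "seed-registrant@mail.example"          # constructed, hypothetical

# Constructed sample records: domain, current+historical registrant emails,
# resolved IP, screenshot liveness, threat-intel tags.
RECORDS = [
    {"domain": "crmforexs[.]com",        "emails": ["seed-registrant@mail.example"],  "ip": "192[.]0[.]2[.]10",   "live": True,  "ti": []},
    {"domain": "trading-ic[.]com",       "emails": ["seed-registrant@mail.example", "privacy@mail.example"], "ip": "192[.]0[.]2[.]20", "live": True, "ti": []},
    {"domain": "filecoinprotocol[.]com", "emails": ["privacy@mail.example"],          "ip": None,                 "live": False, "ti": []},
    {"domain": "attractcash-fast.example","emails": ["seed-registrant@mail.example"], "ip": "192[.]0[.]2[.]10",   "live": True,  "ti": []},
    {"domain": "cronosca-trade.example", "emails": ["someone-else@mail.example"],     "ip": "198[.]51[.]100[.]5", "live": True,  "ti": ["phishing"]},
    {"domain": "crmforexs-login.example","emails": [],                                "ip": "198[.]51[.]100[.]6", "live": False, "ti": []},
    {"domain": "trading-ic-app.example", "emails": [],                                "ip": "198[.]51[.]100[.]5", "live": True,  "ti": []},
    {"domain": "bakery-orders.example",  "emails": ["someone-else@mail.example"],     "ip": "203[.]0[.]113[.]9",  "live": True,  "ti": []},
]

_DEFANG = re.compile(r"\[\.\]")


def refang(indicator: str) -> str:
    """'crmforexs[.]com' -> 'crmforexs.com'; also works for '192[.]0[.]2[.]10'."""
    return _DEFANG.sub(".", indicator).strip().lower()


def defang(indicator: str) -> str:
    """Neutralise a domain or IP for reports by replacing every '.' with '[.]'."""
    return indicator.replace(".", "[.]")


def reverse_whois(records, email):
    """Reverse WHOIS pivot: domains whose current or historical registrant email matches."""
    email = email.lower()
    return sorted(refang(r["domain"]) for r in records
                  if email in (e.lower() for e in r["emails"]))


def string_connected(records, strings, exclude=()):
    """Domains & Subdomains Discovery pivot: domains containing any search string,
    excluding the seeds themselves."""
    excluded = {refang(d) for d in exclude}
    lowered = [s.lower() for s in strings]
    return sorted({refang(r["domain"]) for r in records
                   if refang(r["domain"]) not in excluded
                   and any(s in refang(r["domain"]) for s in lowered)})


def cluster_by_ip(records):
    """Reverse IP view: IP -> sorted domains resolving to it (>1 means shared hosting)."""
    clusters = defaultdict(set)
    for r in records:
        if r["ip"]:
            clusters[refang(r["ip"])].add(refang(r["domain"]))
    return {ip: sorted(ds) for ip, ds in clusters.items()}


def prioritize(records, domains):
    """Triage order: threat-intel flagged first, then live-but-unflagged, then dead."""
    by_domain = {refang(r["domain"]): r for r in records}

    def rank(d):
        r = by_domain[d]
        return (0 if r["ti"] else 1, 0 if r["live"] else 1, d)

    return sorted(domains, key=rank)


def expand(seeds, strings, records, pivot_email):
    """Run all pivots and return the expanded, prioritised candidate set."""
    seed_set = {refang(s) for s in seeds}
    by_domain = {refang(r["domain"]): r for r in records}
    email_connected = [d for d in reverse_whois(records, pivot_email) if d not in seed_set]
    strconn = string_connected(records, strings, exclude=seeds)
    candidates = sorted(set(email_connected) | set(strconn))
    shared = {ip: ds for ip, ds in cluster_by_ip(records).items() if len(ds) > 1}
    return {
        "email_connected": email_connected,
        "string_connected": strconn,
        "flagged": [d for d in candidates if by_domain[d]["ti"]],
        "shared_hosting": shared,
        "prioritized": prioritize(records, candidates),
    }


if __name__ == "__main__":
    result = expand(SEED_IOCS, SEARCH_STRINGS, RECORDS, PIVOT_EMAIL)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The shared-hosting view is what makes the string hits actionable: in the constructed data, `trading-ic-app.example` is unflagged but sits on the same IP as the phishing-flagged `cronosca-trade.example`, which is exactly the kind of neighbour the article's Reverse IP step is meant to surface for screenshot review before any takedown request.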
Read more: https://circleid.com/posts/20240228-dns-deep-diving-into-pig-butchering-scams