Threat researcher Dancho Danchev identified 130 domains tied to fake cryptocurrency sellers, and WhoisXML API expanded those IoCs through DNS and WHOIS intelligence to surface a much larger set of connected artifacts. The findings enumerate hundreds of email- and IP-connected domains, nearly two thousand string-connected domains, dozens of IP addresses, and the registrar and geographic distribution of the IoCs, underscoring the growing threat to users of crypto services. #brainiacnet #escrowtrades
Keypoints
- 130 domain names were tagged as IoCs, with 522 email-connected domains (21 malicious) and 41 IP addresses (39 linked to threats).
- 259 IP-connected domains and 1,947 string-connected domains were found, with 15 of the string-connected ones already malicious.
- The IoCs were expanded with bulk WHOIS lookups, reverse WHOIS (registrant email) searches, DNS resolution, and Threat Intelligence API checks that add malicious/benign context to each connected artifact.
- The domain IoCs were spread across 22 registrars, led by GoDaddy.com LLC (9 domains) and TurnCommerce, Inc. (8 domains), followed by Namecheap, Inc. (5).
- The oldest IoC domain was created in 2014 and the newest in 2024; 84 IoCs had no registrar data and 83 had no creation date in their WHOIS records, so these counts cover only the domains with usable WHOIS.
- The registrant countries of the IoCs spanned 11 countries, led by the U.S. (28 domains); the remaining countries had only a few domains each, and many IoCs had no country data at all.
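The keypoints above describe the pivots WhoisXML API used (registrant-email reverse WHOIS, shared resolving IPs, shared text strings, and a threat feed to flag which of the connected domains are already malicious). The script below reproduces those pivots offline; it is an added example, not code from the CircleID post or from WhoisXML API. Only the domain names, IP addresses and registrar names are taken from the page; every date, registrant email, country and threat label in the constructed dataset is invented, and the lookups are plain dictionary reads standing in for the bulk WHOIS, reverse WHOIS, DNS and Threat Intelligence API calls.

```python
"""Offline reproduction of IoC expansion pivots (added example, constructed data)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class WhoisRecord:
    domain: str
    registrar: str | None = None
    created: str | None = None          # ISO date, or None when WHOIS is redacted/missing
    country: str | None = None
    registrant_email: str | None = None
    a_records: list[str] = field(default_factory=list)


# Constructed dataset: domains/IPs/registrars from the page, everything else invented.
WHOIS_DB = {r.domain: r for r in [
    WhoisRecord("escrow-trades.com", "GoDaddy.com LLC", "2023-11-02", "US",
                "ops@example-registrant.test", ["104.247.81.54"]),
    WhoisRecord("escrow-peer.com", "TurnCommerce, Inc.", "2024-01-15", "US",
                "ops@example-registrant.test", ["104.247.81.54"]),
    WhoisRecord("brainiac.net", None, None, None, None, ["81.19.154.98"]),
    WhoisRecord("couponmafia.com", "Namecheap, Inc.", "2014-06-30", "PA", None, []),
    # Non-seed candidates that the pivots should (or should not) discover.
    WhoisRecord("escrow-trades-support.net", "Namecheap, Inc.", "2024-03-01", "US",
                "other@example-registrant.test", ["203.0.113.7"]),
    WhoisRecord("bitcoingate-escrow.com", "GoDaddy.com LLC", "2024-02-10", "US",
                "ops@example-registrant.test", ["198.51.100.9"]),
    WhoisRecord("unrelated-shop.com", "GoDaddy.com LLC", "2019-05-05", "DE",
                "shop@example-other.test", ["104.247.81.54"]),   # shared hosting noise
]}

# Hypothetical threat feed (stand-in for Threat Intelligence API): artifact -> labels.
THREAT_FEED = {
    "brainiac.net": ["malware"],
    "escrow-trades-support.net": ["phishing"],
    "104.247.81.54": ["command_and_control"],
}


def sld(domain: str) -> str:
    """Second-level label; naive split, no public-suffix list (assumption for the example)."""
    return domain.split(".")[-2]


def reverse_whois_by_email(emails: set[str], db: dict, exclude: set[str]) -> set[str]:
    return {d for d, r in db.items() if r.registrant_email in emails and d not in exclude}


def reverse_ip(ips: set[str], db: dict, exclude: set[str]) -> set[str]:
    return {d for d, r in db.items() if set(r.a_records) & ips and d not in exclude}


def string_connected(strings: set[str], db: dict, exclude: set[str]) -> set[str]:
    return {d for d in db if d not in exclude and any(s in sld(d) for s in strings)}


def expand_iocs(seeds: Iterable[str], db: dict = WHOIS_DB, feed: dict = THREAT_FEED) -> dict:
    """Run the three pivots from a seed list and flag results against the feed."""
    seeds = set(seeds)
    recs = [db[d] for d in seeds if d in db]
    emails = {r.registrant_email for r in recs if r.registrant_email}
    ips = {ip for r in recs for ip in r.a_records}
    strings = {sld(d) for d in seeds}

    def flagged(items: set[str]) -> set[str]:
        return {x for x in items if feed.get(x)}

    email_conn = reverse_whois_by_email(emails, db, seeds)
    ip_conn = reverse_ip(ips, db, seeds)
    str_conn = string_connected(strings, db, seeds)
    return {
        "ip_addresses": ips, "malicious_ips": flagged(ips),
        "email_connected": email_conn, "malicious_email_connected": flagged(email_conn),
        "ip_connected": ip_conn, "malicious_ip_connected": flagged(ip_conn),
        "string_connected": str_conn, "malicious_string_connected": flagged(str_conn),
    }


def registrar_distribution(seeds: Iterable[str], db: dict = WHOIS_DB) -> Counter:
    """Registrar counts; missing WHOIS is reported as 'unknown' rather than dropped."""
    return Counter((db[d].registrar or "unknown") for d in seeds if d in db)


def creation_range(seeds: Iterable[str], db: dict = WHOIS_DB) -> tuple[str | None, str | None]:
    """Oldest and newest creation dates among seeds that actually have one."""
    dates = sorted(db[d].created for d in seeds if d in db and db[d].created)
    return (dates[0], dates[-1]) if dates else (None, None)


if __name__ == "__main__":
    seeds = ["brainiac.net", "couponmafia.com", "escrow-peer.com", "escrow-trades.com"]
    for k, v in expand_iocs(seeds).items():
        print(f"{k:28s} {sorted(v)}")
    print(registrar_distribution(seeds), creation_range(seeds))
```

Note what the IP pivot returns: unrelated-shop.com shares 104.247.81.54 with two seeds but is not in the threat feed, which is the same pattern as the page's numbers (only 21 of 522 email-connected and 15 of 1,947 string-connected domains were malicious). Shared hosting and parking IPs make IP-connected results the noisiest pivot, so connected domains are leads to be checked against a threat feed, not indicators in their own right.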
MITRE Techniques
- [T1583] Acquire Infrastructure: domain infrastructure identified via bulk WHOIS and DNS analysis. Quote: "The domain IoCs were distributed among 22 registrars led by GoDaddy.com LLC, which accounted for nine domains."
- [T1566.001] Phishing (Spearphishing Attachment sub-technique): email-connected domains, i.e. domains sharing registrant email addresses with the IoCs, some of which are already flagged as malicious and could support phishing campaigns. Quote: "MALICIOUS EMAIL-CONNECTED DOMAIN brainiac[.]net" ... "associated with 1-2 threats according to Threat Intelligence API."
- [T1071.001] Application Layer Protocol: Web Protocols (C2): IP addresses resolved from the IoCs show command-and-control activity. Quote: "103[.]224[.]182[.]253" ... "Command and control (C&C)".
Indicators of Compromise
- [Domain] IoCs: 130 domain names tagged as IoCs; examples: brainiac[.]net, couponmafia[.]com, escrow-peer[.]com, escrow-trades[.]com (context: the seed domains from which the other artifacts were pivoted).
- [IP Address] IoCs: 41 IP addresses; examples: 104[.]247[.]81[.]54, 81[.]19[.]154[.]98 (context: IPs the domain IoCs resolved to, 39 of them linked to threats).
- [Registrar] Registrars of record for the domain IoCs; examples: GoDaddy.com LLC, TurnCommerce, Inc. (context: distribution of the IoCs across 22 registrars; a registrar is attribution context, not a blockable indicator).
- [String] IoCs: 1,947 string-connected domains; examples: bijora-btc., bitcoingate. (context: text strings shared by the IoCs and reused in other domain names; the trailing dot is part of the listed pattern and anchors the string to the end of a label).
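The indicators above are published defanged and in three shapes (domains, IPs and label-anchored strings), and each shape needs a different match rule before it can be run over DNS telemetry. The block below is an added example, not from the CircleID post or WhoisXML API: it refangs the page's indicators and matches them against a constructed DNS query log whose line format (timestamp, client, query name, record type, answer) is an assumption for the example. It also shows the two boundary cases a naive substring check gets wrong: a lookalike that embeds an IoC domain as a non-suffix, and a name that shares the string but not the label boundary.

```python
"""Refang published IoCs and match them against DNS query logs (added example)."""
from __future__ import annotations

# IoCs as printed on the page, in their defanged form.
DEFANGED_DOMAINS = ["brainiac[.]net", "couponmafia[.]com", "escrow-peer[.]com", "escrow-trades[.]com"]
DEFANGED_IPS = ["104[.]247[.]81[.]54", "81[.]19[.]154[.]98", "103[.]224[.]182[.]253"]
STRING_PATTERNS = ["bijora-btc.", "bitcoingate."]   # trailing dot anchors the end of a label

# Constructed DNS log: "<ts> <client> <qname> <rtype> <answer>" (format is an assumption).
SAMPLE_LOG = """\
2024-06-27T10:01:02Z 10.0.0.5 www.escrow-trades.com A 104.247.81.54
2024-06-27T10:01:09Z 10.0.0.5 escrow-trades.com.evil.test A 198.51.100.1
2024-06-27T10:02:11Z 10.0.0.9 bitcoingate.com A 203.0.113.4
2024-06-27T10:02:40Z 10.0.0.9 bitcoingate-news.com A 203.0.113.5
2024-06-27T10:03:15Z 10.0.0.7 cdn.example.test A 103.224.182.253
2024-06-27T10:04:00Z 10.0.0.8 docs.example.test A 93.184.216.34
"""


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so indicators can be compared to live data."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http").lower()


def normalise_qname(qname: str) -> str:
    return qname.rstrip(".").lower()


def domain_matches(qname: str, ioc_domains: set[str]) -> bool:
    """Exact or subdomain match only; 'ioc.example.evil.test' must NOT match 'ioc.example'."""
    q = normalise_qname(qname)
    return any(q == d or q.endswith("." + d) for d in ioc_domains)


def string_matches(qname: str, patterns: list[str]) -> list[str]:
    """Label-anchored substring match: re-append the root dot so 'bitcoingate.' hits
    'bitcoingate.com' but not 'bitcoingate-news.com'."""
    q = normalise_qname(qname) + "."
    return [p for p in patterns if p in q]


def parse_line(line: str) -> dict | None:
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, rtype, answer = parts
    return {"ts": ts, "client": client, "qname": qname, "rtype": rtype, "answer": answer}


def scan_dns_log(log_text: str,
                 domains: list[str] = DEFANGED_DOMAINS,
                 ips: list[str] = DEFANGED_IPS,
                 patterns: list[str] = STRING_PATTERNS) -> list[dict]:
    """Return one hit per log line that touches an IoC, with the reasons it matched."""
    ioc_domains = {refang(d) for d in domains}
    ioc_ips = {refang(i) for i in ips}
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = []
        if domain_matches(rec["qname"], ioc_domains):
            reasons.append("domain")
        if rec["answer"] in ioc_ips:
            reasons.append("ip")
        if string_matches(rec["qname"], patterns):
            reasons.append("string")
        if reasons:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "qname": rec["qname"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(h)
```

String hits deserve a lower severity than domain or IP hits: the page itself found only 15 of 1,947 string-connected domains to be malicious, so a string match is a reason to enrich the name (WHOIS age, resolving IP, threat feed) rather than to block it outright.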
Read more: https://circleid.com/posts/20240626-tracking-down-fake-cryptocurrency-sellers-using-dns-intelligence