
Key points:
- Over 560 million people own cryptocurrencies, making them potential targets for cyber attacks.
- The Hidden Risk campaign utilizes fake news to spread RustBucket malware.
- Phishing attempts are aimed at crypto-related businesses to deliver the malware.
- SentinelLabs identified 86 IoCs associated with the RustBucket payload.
- WHOIS analysis revealed 43 of the 44 domain IoCs had current records.
- Domains were registered in multiple countries, with Iceland leading.
- DNS queries showed extensive historical data for the IoCs.
- Additional threat artifacts were identified through WHOIS and DNS queries.
MITRE Techniques:
- Phishing (T1566) – Attackers sent phishing emails targeting crypto businesses to deliver the RustBucket malware.
- Malware (T1203) – RustBucket was delivered as a payload via a dropper downloaded by victims.
- Domain Generation Algorithms (T1483) – The campaign utilized multiple domains to obscure its activities and evade detection.
Indicators of Compromise:
- [domain] ankanimatoka[.]com
- [domain] buy2x[.]com
- [domain] caladan[.]video
- [domain] delphidigital[.]org
- [domain] evalaskatours[.]com
- Check the article for all found IoCs.
As of 2024, more than 560 million people own cryptocurrencies worldwide, which could translate to more than half a million potential cyber attack victims. This widespread adoption may explain the emergence of threats like Hidden Risk, a malicious campaign that uses fake crypto news to distribute the RustBucket malware.
SentinelLabs published an in-depth investigation of the Hidden Risk campaign and identified 86 indicators of compromise (IoCs) related to the payload—RustBucket.
The attack began with phishing attempts targeting crypto-related businesses. Victims were tricked into downloading a dropper with RustBucket as a payload. The SentinelLabs researchers believed the campaign began as early as July 2024 and used fake news about cryptocurrency-related topics.
The WhoisXML API research team handpicked 81 of the IoCs, specifically 44 domains, 27 subdomains, and 10 IP addresses, for an expansion analysis. Our DNS deep dive led to the discovery of:
- 40 email-connected domains
- 14 additional IP addresses, 13 of which turned out to be malicious
- Six IP-connected domains
- 1,685 string-connected domains, three of which turned out to be malicious
- Five string-connected subdomains
A sample of the additional artifacts obtained from our analysis is available for download from our website.
About the Hidden Risk IoCs
We began our analysis with a bulk WHOIS lookup for the 44 domains tagged as IoCs, which found that:
- Only 43 of them had current WHOIS records.
- The 43 domain IoCs with current WHOIS data were administered by nine registrars led by Namecheap, which accounted for 21 domains. The rest of the registrars were NameSilo with six domains; Hosting Concepts with five; GoDaddy and Squarespace Domains with three each; Registrar.eu with two; and Cloudflare, CSL Computer Service, and INWX with one each.
- The 43 domain IoCs with current WHOIS data were created between 2011 and 2024, with most (74%) being newly created.
- The domain IoCs with current WHOIS data were registered in six different countries led by Iceland, which accounted for 20 domains. The remaining registrant countries were the U.S. with 12 domains; the Netherlands with seven; and Eritrea, Germany, and Turkey with one each. One domain IoC did not have current registrant country data.
A query on DNS Chronicle API for the 44 domains tagged as IoCs showed that 34 had resolved to at least one IP address in the past. Overall, they resolved to 537 IP addresses between 2019 and 2024. Here are five examples with historical DNS data.
| DOMAIN IoC | START DATE | END DATE | NUMBER OF IP ADDRESSES |
|---|---|---|---|
| ankanimatoka[.]com | 22 March 2024 | 28 August 2024 | 14 |
| buy2x[.]com | 23 April 2020 | 9 July 2024 | 27 |
| caladan[.]video | 30 October 2024 | 30 October 2024 | 1 |
| delphidigital[.]org | 3 April 2024 | 20 October 2024 | 9 |
| evalaskatours[.]com | 23 October 2019 | 15 November 2024 | 3 |
A bulk IP geolocation lookup for the 10 IP addresses tagged as IoCs yielded these results:
- They were geolocated in two countries—nine in the U.S. and one in Singapore.
- While seven IP addresses did not have ISP data, one IP address each was administered by Hostwinds, Latitude.sh, and OVHcloud.

A query on DNS Chronicle API for the 10 IP addresses tagged as IoCs revealed that all of them had resolved at least two domains in the past. Overall, they resolved 1,717 domains between 2019 and 2024. Take a look at three examples below.
| IP ADDRESS IoC | START DATE | END DATE | NUMBER OF DOMAINS |
|---|---|---|---|
| 139[.]99[.]66[.]103 | 26 September 2020 | 30 August 2023 | 1,000 |
| 216[.]107[.]136[.]10 | 27 March 2024 | 21 October 2024 | 10 |
| 45[.]61[.]128[.]122 | 4 September 2023 | 20 October 2024 | 19 |
Hidden Risk IoC List Expansion Analysis Findings
We began our search for connected threat artifacts with a WHOIS History API query for the 44 domains tagged as IoCs. The results showed that they had 30 email addresses in their historical WHOIS records. Seven of the email addresses were public.
A Reverse WHOIS API query for the seven public email addresses yielded results for four, although one of them may belong to a domainer, given the large number of connected domains. Excluding the results for that potential domainer, we obtained 40 email-connected domains after filtering out duplicates and the IoCs.
Next, a DNS Lookup API query for the 44 domains tagged as IoCs provided us with 14 additional IP addresses after removing duplicates and the IoCs.
A Threat Intelligence API query for the 14 additional IP addresses revealed that 13 have already figured in malicious campaigns.
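The expansion pivots described above (historical WHOIS emails, reverse WHOIS with a domainer cut-off, DNS lookups to new IPs, reverse IP back to domains, then de-duplication against the IoC list) modelled offline as an added example; this is not WhoisXML API code. All lookup results, e-mail addresses, IPs and the `DOMAINER_THRESHOLD` are constructed; only the three defanged domain IoCs come from the post.

```python
# Offline model of the IoC list expansion pivots (added example, not WhoisXML API code).
# Lookup results below are constructed; only the three domain IoCs come from the post.
DOMAIN_IOCS = ["ankanimatoka[.]com", "buy2x[.]com", "delphidigital[.]org"]

# Constructed stand-ins for WHOIS History, Reverse WHOIS, DNS Lookup and reverse IP data.
WHOIS_HISTORY = {  # domain -> registrant e-mails seen in historical WHOIS records
    "ankanimatoka.com": ["ops@registrant.example"],
    "buy2x.com": ["ops@registrant.example", "redacted@privacy-proxy.example"],
    "delphidigital.org": ["bulk@domainer.example"],
}
PUBLIC_EMAILS = {"ops@registrant.example", "bulk@domainer.example"}  # non-redacted ones
REVERSE_WHOIS = {  # e-mail -> every domain whose WHOIS record carries it
    "ops@registrant.example": ["buy2x.com", "crypto-news-daily.example", "airdrop-alert.example"],
    "bulk@domainer.example": [f"parked{i}.example" for i in range(500)],
}
DNS_LOOKUP = {  # domain -> current A records
    "ankanimatoka.com": ["198.51.100.7"],
    "buy2x.com": ["198.51.100.7", "203.0.113.9"],
}
REVERSE_IP = {  # IP -> domains currently resolving to it
    "198.51.100.7": ["ankanimatoka.com", "wallet-sync.example"],
    "203.0.113.9": ["buy2x.com", "token-claim.example"],
}
DOMAINER_THRESHOLD = 100  # constructed cut-off: more connected domains than this = likely domainer
IP_IOCS = {"203.0.113.9"}  # constructed: pretend this IP was already on the IoC list


def refang(ioc: str) -> str:
    """Turn a defanged indicator (x[.]y) back into a usable name or address."""
    return ioc.replace("[.]", ".")


def expand_iocs():
    """Return (email-connected domains, additional IPs, IP-connected domains), each sorted."""
    iocs = {refang(d) for d in DOMAIN_IOCS}
    # Pivot 1: historical WHOIS e-mails, keeping only the public (non-redacted) ones.
    emails = {e for d in iocs for e in WHOIS_HISTORY.get(d, [])} & PUBLIC_EMAILS
    email_connected = set()
    for email in emails:
        connected = REVERSE_WHOIS.get(email, [])
        if len(connected) > DOMAINER_THRESHOLD:
            continue  # skip the likely domainer, as the post did
        email_connected.update(connected)
    email_connected -= iocs  # drop duplicates and the IoCs themselves
    # Pivot 2: current A records of the domain IoCs, minus IPs already listed as IoCs.
    extra_ips = {ip for d in iocs for ip in DNS_LOOKUP.get(d, [])} - IP_IOCS
    # Pivot 3: domains sharing those new IPs, again minus the IoCs.
    ip_connected = {d for ip in extra_ips for d in REVERSE_IP.get(ip, [])} - iocs
    return sorted(email_connected), sorted(extra_ips), sorted(ip_connected)
```

The resulting artifact sets are what a defender would feed into a Threat Intelligence check and, after review, into DNS block lists.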
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Full Research: https://circleid.com/posts/a-dns-deep-dive-into-new-crypto-threat-hidden-risk