Tuesday, June 25, 2024

CryptoChameleon Kit With Group of Tools Propagates Phishing Quickly Into Infrastructure

CryptoChameleon, a phishing kit detected in February 2024, was developed by an unknown author and is used by threat actors to collect personal data, such as the usernames and passwords of mobile phone users.

A thorough investigation has exposed many CryptoChameleon fast-flux indicators aimed at leading cryptocurrency platforms such as Binance and Coinbase, among others. These indicators may foreshadow future attacks on those platforms' customers.

Cybersecurity researchers at Silent Push recently identified the CryptoChameleon kit, whose group of tools lets operators propagate phishing pages quickly across their infrastructure.

Technical analysis

In February 2024, Silent Push discovered malicious CryptoChameleon phishing kit activity targeting the FCC, Binance, Coinbase, and others through email, SMS, and voice attacks. 

The kit leverages fast-flux DNS evasion techniques, using DNSPod nameservers to cycle through IPs rapidly, bypassing traditional IOC-based defenses. 

CryptoChameleon impersonates various brands across sectors to harvest credentials and data. 

Analysis reveals command and control infrastructure details and targeted organizations embedded within the phishing pages. 


Here below we have mentioned the CryptoChameleon targets:-

  • Yahoo
  • Outlook
  • Gemini
  • Kraken
  • Apple / iCloud
  • Twitter
  • Binance
  • Uphold
  • LastPass
  • Google/Gmail
  • AOL

Here below we have mentioned the phishing pages:-

  • Swan phishing page (Source - SilentPush)
  • Kraken phishing page (Source - SilentPush)
  • Ledger phishing page (Source - SilentPush)
  • Apple phishing page (Source - SilentPush)
  • Gamdom phishing page (Source - SilentPush)

Silent Push researchers, noting that CryptoChameleon's malicious architecture relies on DNSPod.com nameservers, ran IP diversity queries with set parameters to navigate the kit's fast-flux DNS architecture.

For this analysis, instead of relying on traditional IOCs, they used a first-party database that tracks the underlying attack infrastructure. This enabled researchers to map out the hosting providers, ASNs, and global infrastructure actively being used by CryptoChameleon phishing campaigns.
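To show what an "IP diversity" view of a fast-flux domain looks like in practice, here is an added example (my own code, not Silent Push's query engine or any part of the CryptoChameleon report): it summarises constructed passive-DNS observations per domain and flags domains that rotate through many addresses in many networks with short TTLs. The domains, IPs and thresholds are assumptions I made up for illustration.

```python
import ipaddress

# Constructed passive-DNS style observations: (seconds since first lookup, domain, A record, TTL).
# Domains use the reserved .test TLD and documentation IP ranges; they are not
# indicators from the Silent Push report.
OBSERVATIONS = [
    (0,    "lookalike.test", "198.51.100.10",  60),
    (60,   "lookalike.test", "203.0.113.25",   60),
    (120,  "lookalike.test", "192.0.2.77",     60),
    (180,  "lookalike.test", "198.51.100.200", 60),
    (240,  "lookalike.test", "203.0.113.99",   60),
    (0,    "stable.test",    "192.0.2.5",      3600),
    (3600, "stable.test",    "192.0.2.5",      3600),
    (7200, "stable.test",    "192.0.2.5",      3600),
]

# Assumed thresholds (my own, not Silent Push's "set parameters"): fast-flux hosts tend to
# rotate through many addresses in many networks and advertise very short TTLs.
MIN_DISTINCT_IPS = 3
MIN_DISTINCT_NETS = 2
MAX_TTL_SECONDS = 300


def ip_diversity(observations, domain):
    """Summarise how many addresses and /24 networks a domain has resolved to."""
    rows = sorted(o for o in observations if o[1] == domain)
    if not rows:
        raise ValueError(f"no observations for {domain}")
    ips = {ip for _, _, ip, _ in rows}
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    changes = sum(1 for a, b in zip(rows, rows[1:]) if a[2] != b[2])
    return {
        "distinct_ips": len(ips),
        "distinct_networks": len(nets),
        "min_ttl": min(ttl for *_, ttl in rows),
        "ip_changes": changes,
        "window_seconds": rows[-1][0] - rows[0][0],
    }


def is_fast_flux_candidate(stats):
    """Flag a domain whose resolution pattern matches the fast-flux profile above."""
    return (stats["distinct_ips"] >= MIN_DISTINCT_IPS
            and stats["distinct_networks"] >= MIN_DISTINCT_NETS
            and stats["min_ttl"] <= MAX_TTL_SECONDS)


def triage(observations):
    """Return {domain: bool} so a defender can pivot from one flagged domain to the rest."""
    domains = {o[1] for o in observations}
    return {d: is_fast_flux_candidate(ip_diversity(observations, d)) for d in sorted(domains)}


if __name__ == "__main__":
    for domain, flagged in triage(OBSERVATIONS).items():
        print(f"{domain}: {'fast-flux candidate' if flagged else 'stable'}")
```

Feeding real resolver logs or passive-DNS exports into `OBSERVATIONS` turns this into a first-pass filter; the distinct-network count is what lets the approach survive the IP churn that defeats static IOC lists.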

The researchers also published the associated domains (listed in full in the original report).


Besides this, the researchers noted that community and enterprise users can leverage Silent Push's IP diversity queries and web scanning capabilities.

This allows them to connect disparate data points and gain comprehensive visibility into CryptoChameleon's tactics, techniques, and procedures.

Tushar Subhra Dutta