CryptoChameleon Phishing Kit Uses Fast-Flux DNS to Spin Up Infrastructure Quickly

CryptoChameleon is a phishing kit first observed in February 2024. Its author is unknown; threat actors use it to harvest personal data such as usernames and passwords, often from mobile phone users reached through SMS and voice lures.

A detailed investigation surfaced many CryptoChameleon fast-flux indicators aimed at leading cryptocurrency platforms such as Binance and Coinbase, among others. Those indicators likely point to further attacks on the platforms' customers.

Cybersecurity researchers at Silent Push recently documented the CryptoChameleon kit and the tooling that lets its operators stand up fresh phishing infrastructure quickly.

Technical analysis

In February 2024, Silent Push discovered malicious CryptoChameleon phishing kit activity targeting the FCC, Binance, Coinbase, and others through email, SMS, and voice attacks. 

The kit leverages fast-flux DNS evasion techniques, using DNSPod nameservers to cycle through IPs rapidly, bypassing traditional IOC-based defenses. 

CryptoChameleon impersonates various brands across sectors to harvest credentials and data. 

Analysis reveals command and control infrastructure details and targeted organizations embedded within the phishing pages. 


Brands impersonated by CryptoChameleon include:-

  • Yahoo
  • Outlook
  • Gemini
  • Kraken
  • Apple / iCloud
  • Twitter
  • Binance
  • Uphold
  • LastPass
  • Google/Gmail
  • AOL

Phishing pages captured in the analysis (screenshots in the original article):-

  • Swan phishing page (Source – SilentPush)
  • Kraken phishing page (Source – SilentPush)
  • Ledger phishing page (Source – SilentPush)
  • Apple phishing page (Source – SilentPush)
  • Gamdom phishing page (Source – SilentPush)

Silent Push, noting that the kit relies on DNSPod.com nameservers to host its malicious architecture, ran IP diversity queries with set parameters to navigate CryptoChameleon's fast-flux DNS architecture.

For this analysis, instead of relying on traditional IOCs, the researchers used a first-party database that tracks the underlying attack infrastructure. This enabled them to map the hosting providers, ASNs, and global infrastructure actively being used by CryptoChameleon phishing campaigns.
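The fast-flux evasion described in the technical analysis and the IP diversity queries used to navigate it both come down to the same measurement: how many distinct addresses, prefixes and ASNs a single domain resolves to over time, and how short the TTLs are. The following script is an added example, not Silent Push's tooling and not code from the CryptoChameleon kit. The observation log, the domain names (on the reserved `.example` TLD) and the prefix-to-ASN table are all constructed for illustration; in practice the rows would come from passive DNS or repeated `dig +noall +answer` runs, and the ASN lookup from a BGP or WHOIS source.

```python
"""Scoring a domain for fast-flux behaviour from repeated DNS observations.

Added example; not Silent Push's tooling and not code from the
CryptoChameleon kit. Observations, domains and the prefix-to-ASN table are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed observations: (seconds since first query, domain, A record, TTL).
# The first domain imitates the numeric-prefix naming seen in the IOC list but
# uses a reserved test TLD; the second is a stable control domain.
OBSERVATIONS = [
    (0,    "81958-coinbse.example", "203.0.113.10",  60),
    (0,    "81958-coinbse.example", "198.51.100.7",  60),
    (300,  "81958-coinbse.example", "192.0.2.44",    60),
    (600,  "81958-coinbse.example", "203.0.113.99",  60),
    (900,  "81958-coinbse.example", "198.51.100.21", 60),
    (1200, "81958-coinbse.example", "192.0.2.200",   60),
    (0,    "static.example",        "203.0.113.50",  3600),
    (1800, "static.example",        "203.0.113.50",  3600),
    (3600, "static.example",        "203.0.113.50",  3600),
]

# Hypothetical prefix -> ASN mapping standing in for a BGP/WHOIS lookup.
PREFIX_TO_ASN = {
    ip_network("203.0.113.0/24"): 64496,
    ip_network("198.51.100.0/24"): 64497,
    ip_network("192.0.2.0/24"): 64498,
}


def asn_for(ip: str):
    """Return the ASN announcing `ip`, or None if it is not in the table."""
    addr = ip_address(ip)
    for net, asn in PREFIX_TO_ASN.items():
        if addr in net:
            return asn
    return None


@dataclass
class FluxMetrics:
    unique_ips: int
    unique_asns: int
    unique_prefixes: int   # distinct /24s, a cheap proxy for hosting diversity
    min_ttl: int
    window_seconds: int    # span between first and last observation


def collect(observations, domain: str) -> FluxMetrics:
    """Aggregate IP diversity for one domain across all of its observations."""
    rows = [o for o in observations if o[1] == domain]
    if not rows:
        raise ValueError(f"no observations for {domain}")
    ips = {r[2] for r in rows}
    asns = {asn_for(ip) for ip in ips} - {None}
    prefixes = {ip_network(f"{ip}/24", strict=False) for ip in ips}
    times = [r[0] for r in rows]
    return FluxMetrics(
        unique_ips=len(ips),
        unique_asns=len(asns),
        unique_prefixes=len(prefixes),
        min_ttl=min(r[3] for r in rows),
        window_seconds=max(times) - min(times),
    )


def is_fast_flux(m: FluxMetrics, ip_threshold=5, ttl_threshold=300,
                 asn_threshold=2) -> bool:
    """Common fast-flux heuristic: many distinct IPs spread over several ASNs,
    served with short TTLs so resolvers re-query and pick up fresh hosts.
    Thresholds are assumptions; tune them against your own passive-DNS data."""
    return (m.unique_ips >= ip_threshold
            and m.unique_asns >= asn_threshold
            and m.min_ttl <= ttl_threshold)


if __name__ == "__main__":
    for name in ("81958-coinbse.example", "static.example"):
        metrics = collect(OBSERVATIONS, name)
        print(name, metrics, "FAST-FLUX" if is_fast_flux(metrics) else "stable")
```

The point of scoring on diversity rather than on the individual addresses is exactly the one the analysis makes: a blocklist of today's A records is stale by tomorrow, whereas the rotation behaviour itself persists and can be alerted on.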

Associated domains identified in the analysis include:-

  • 76153-coinbse[.]com
  • 81758-coinbse[.]com
  • 81920-coinbse[.]com
  • 81926-coinbse[.]com
  • 81958-coinbse[.]com
  • 826298-coinbse[.]com
  • 83216-coinbse[.]com
  • 837613-coinbse[.]com
  • 83956-coinbse[.]com
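The domains above share one shape: a numeric prefix, a hyphen, and a one-character misspelling of the impersonated brand. That shape is a more durable detection than the nine literal names. The script below is an added example, not Silent Push's or the kit's code: it refangs the IOCs as quoted above, strips the numeric prefix, and measures the edit distance of what remains against a watchlist built from the targets named on the page. The watchlist, the prefix regex and the distance threshold are assumptions chosen for illustration.

```python
"""Turning the CryptoChameleon domain IOCs into a reusable naming-pattern check.

Added example; not Silent Push's or the kit's code. BRANDS, NUMERIC_PREFIX and
the max_distance threshold are assumptions for illustration.
"""
import re

# Defanged domains quoted in the analysis above.
IOC_DOMAINS = [
    "76153-coinbse[.]com", "81758-coinbse[.]com", "81920-coinbse[.]com",
    "81926-coinbse[.]com", "81958-coinbse[.]com", "826298-coinbse[.]com",
    "83216-coinbse[.]com", "837613-coinbse[.]com", "83956-coinbse[.]com",
]

# Assumed watchlist, drawn from the targets named on the page.
BRANDS = ["coinbase", "binance", "kraken", "gemini", "ledger", "apple",
          "icloud", "gmail", "lastpass", "uphold"]

# Assumed shape of the kit's prefix: four or more digits and a hyphen.
NUMERIC_PREFIX = re.compile(r"^\d{4,}-")


def refang(domain: str) -> str:
    """Undo common defanging so the domain can be parsed or pushed to a blocklist."""
    return domain.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")


def second_level_label(domain: str) -> str:
    """Label directly left of the TLD (naive: no public-suffix handling)."""
    labels = domain.strip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, max_distance: int = 2) -> dict:
    """Flag a domain whose brand-like label is a near miss of a watched brand."""
    clean = refang(domain)
    label = second_level_label(clean)
    has_prefix = bool(NUMERIC_PREFIX.match(label))
    token = NUMERIC_PREFIX.sub("", label)
    brand = min(BRANDS, key=lambda b: levenshtein(token, b))
    distance = levenshtein(token, brand)
    # Distance 0 is the brand's own domain (or a legitimate subdomain of it),
    # so only near misses count as typosquats.
    return {
        "domain": clean,
        "brand": brand,
        "distance": distance,
        "numeric_prefix": has_prefix,
        "typosquat": 1 <= distance <= max_distance,
    }


def flagged(domains) -> list:
    """Refanged domains from `domains` that classify as typosquats."""
    return [r["domain"] for r in map(classify, domains) if r["typosquat"]]


if __name__ == "__main__":
    for d in IOC_DOMAINS + ["coinbase.com", "example.com"]:
        print(classify(d))
```

Because the check keys on the misspelled brand rather than the digits, the next `NNNNN-coinbse[.]com` the kit registers is caught without a list update; the `numeric_prefix` field is kept separately so an analyst can see which hits also match the kit's observed naming habit.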

Silent Push also noted that community and enterprise users can run its IP diversity queries and web scanning capabilities themselves.

Doing so lets them connect disparate data points and gain comprehensive visibility into CryptoChameleon's tactics, techniques, and procedures.


Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
