Infoblox security researchers have uncovered a group of malicious domains that are being used to host cryptocurrency scams, some of which have been associated with the hacking of YouTube channels.
We were able to find the domains by reviewing and analyzing queries in our networks for domains that incorporated certain suspicious keywords. Armed with these initial discoveries, our researchers were able to pivot to other domains belonging to the same registrant organization, CryptDesignBot. Further open-source intelligence enriched our findings and provided greater context, leading us to uncover additional data linked to the ongoing compromise of YouTube channels.
As we mentioned above, the actor or actors behind the creation of these malicious domains initially registered them under an organization that goes by the name of CryptDesignBot. A simple whois query on these domain names revealed that the registrant country is Russia. As we monitored the domains we found during our investigation, we noticed that many of them were frequently changing registrars. It’s quite common for threat actors to try to conceal information about the domain’s creation, especially if they suspect that security researchers could use it to block the domains or identify the perpetrators.
Also, it is important to note that these domains are lookalike domains. Lookalikes are domains created to look like legitimate domains: this kind of threat is common among cybercriminals, and Infoblox recently published a thorough whitepaper on the threat landscape for lookalikes over the last year: https://www.infoblox.com/resources/whitepaper/infoblox-report-deep3r-look-at-lookal1ke-attacks
Hacked YouTube Channels
Hacked YouTube channels are a profitable platform for threat actors who exploit famous brands for nefarious purposes. Typically, they first remove the channel’s legitimate videos and change its name and profile picture. They then host a “Livestream” event promoting their scam crypto domains. Despite being promoted as a “Livestream,” these events often just replay old videos.
Threat actors can gain unauthorized access to YouTube channels by using viruses or malware tools to steal the cookie that the victim’s browser uses to keep the user logged in. With that cookie, malware like YTStealer [1] can access the victim’s account without their login credentials or two-factor authentication. YTStealer targets YouTube channels and extracts authentication cookies using session hijacking techniques, which give attackers unauthorized access to the account.
Despite the malware’s ability to persist on the victim’s endpoint for a prolonged period, many threat actors choose a non-persistent approach to reduce the chances of detection and minimize the number of artifacts left on the infected host. This also makes it more challenging to detect the breach later. It’s worth noting that the malware is capable of stealing passwords and cookies, and incorporates several anti-sandboxing techniques, including using enlarged files, IP cloaking during downloads, and encrypted archives. In some cases, the malware even displays a false error message, which forces the user to click through to continue execution.
Web applications use session cookies to provide a personalized browsing experience and monitor user activity. These cookies are active until the user logs out and are often sent over insecure connections to the server. If session cookies are not secure, it is relatively easy for threat actors to discover and steal them through an actor-in-the-middle attack. Once they have gained access to a session cookie, threat actors can bypass multi-factor authentication.
The Enticing Crypto Call to Action – Double Your Money
In the spirit of an Old School RuneScape scam, some of these cryptocurrency scam domains we discovered claim to double your cryptocurrency. For those that may not recall, Old School RuneScape (OSRS) is a massively multiplayer online role-playing game by Jagex and has a large community that is sometimes targeted by scammers. In one particular OSRS scam, the actor offers to double the target’s money and demonstrates this with a small amount. However, once the actor receives a larger amount from the victim, they vanish without a trace.
Those who visit double-ethereum[.]info and other related domains in the cluster we discovered may find that history repeats itself. The domains frequently use keywords associated with well-known people and brands such as Elon Musk, Kanye West, Andrew Tate, Tesla, Adidas, and others. When reviewing many of these domains, we observed that Elon Musk and Tesla were common themes.
A YouTube video from the security researcher John Hammond at HuntressLabs goes into detail about this trending scam and provides other examples. In a moment of déjà vu for us (timestamp 10:30 in the video), John shows a domain that surprisingly has the exact same site content as the screenshot above. Validation is welcome!
Prevention and Mitigation
Our threat researchers have identified numerous domains as suspicious. Some of them were detected earlier as suspicious new domains or lookalikes by our threat detection tools and were automatically blocked, protecting customers who use these feeds from likely harmful sites. The rest were added to our feeds by our team during the research. We recommend that organizations that are not customers of BloxOne Threat Defense add the indicators of compromise (IOCs) from this advisory to their blocklists manually or via our GitHub repository infobloxopen/threat-intelligence [2].
Generally speaking, to prevent these types of attacks, organizations should implement measures that protect against these threats. These may include:
Protective DNS.
The National Security Agency (NSA) recommends implementing this security control because it allows defenders to use threat intelligence data to block communication both to known malicious websites and threat actors, as well as to those suspected of being malicious. It can stop many of the most advanced malware tools and threat actors from establishing the communication that is essential to their attack chains. Protective DNS brings the ability to analyze, and be alerted to, DNS requests made to blocked domains. This information can then be incorporated into a Security Information and Event Management (SIEM) platform, allowing for effective investigation of incidents. DNS logging is an important and integral part of the monitoring process.
Secure cookie flags.
These direct the browser to only send cookies to the server when connecting through SSL, thereby preventing cookies from being observed and captured by unauthorized parties during transmission.
HyperText Transfer Protocol Secure (HTTPS).
This can prevent attackers from intercepting session IDs, authentication cookies, and other sensitive information.
Random session IDs.
Configure applications to generate random session IDs to prevent an attacker from guessing a user’s session ID.
Session timeouts.
Configure applications and system-level controls to automatically log out users after a certain period of inactivity and
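The cookie-hardening items above (Secure flag, random session IDs, inactivity logout), as an added example that is not part of the Infoblox advisory. It uses only the Python standard library; the "session" cookie name, the 15-minute idle timeout and the in-memory session table are assumptions, and the weak variant is shown only as the "before" setting beside its corrected form.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60  # assumed policy: log out after 15 minutes without a request

def weak_session_cookie(user_id: str) -> str:
    """The 'before': a guessable ID with no Secure/HttpOnly flags, so it is sent over plain HTTP too."""
    cookie = SimpleCookie()
    cookie["session"] = f"{user_id}-{int(time.time())}"
    return cookie.output(header="").strip()

def new_session_id() -> str:
    """Unpredictable ID from the OS CSPRNG (256 bits), never derived from user data or the clock."""
    return secrets.token_urlsafe(32)

def hardened_session_cookie(session_id: str) -> str:
    """Set-Cookie value that is only sent over HTTPS, hidden from page scripts and not sent cross-site."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True      # browser sends it over TLS only
    cookie["session"]["httponly"] = True    # not readable by page scripts
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()

class SessionStore:
    """Server-side session table with an inactivity timeout."""
    def __init__(self, idle_timeout: int = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session_id -> (user_id, last_seen)

    def create(self, user_id: str, now: float) -> str:
        sid = new_session_id()
        self._sessions[sid] = (user_id, now)
        return sid

    def resolve(self, sid: str, now: float):
        """Return the user behind a live session, or None. Idle sessions are dropped (forced logout),
        so a stolen cookie stops working once the victim has been inactive for the timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user_id, last_seen = entry
        if now - last_seen > self.idle_timeout:
            del self._sessions[sid]
            return None
        self._sessions[sid] = (user_id, now)  # activity refreshes the window
        return user_id
```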
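The keyword-based triage described at the start of the report and the DNS logging recommended under Protective DNS, as an added example that is not Infoblox's own tooling: it runs blocklist, scam-keyword and digit-substitution lookalike checks over resolver query-log lines and returns the hits an analyst or SIEM rule would want. The log format, the keyword list and every sample line are constructed assumptions; only double-ethereum[.]info comes from the report.

```python
import re

# Lures the report ties to this cluster: double-your-crypto wording and celebrity/brand names.
SCAM_KEYWORDS = ("double", "giveaway", "ethereum", "musk", "tesla", "tate", "adidas")
BRANDS = ("tesla", "adidas", "youtube")
# Digit-for-letter swaps common in lookalike registrations (the report's own URL spells "deep3r" and "lookal1ke").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
# Assumed BIND-style query-log line: "client 10.0.0.5#53211: query: example.com IN A + (10.0.0.1)".
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<domain>\S+) IN ")

def triage_domain(domain: str, blocklist: set) -> list:
    """Reasons a queried name deserves a look (empty list means nothing noteworthy). Substring matches
    are deliberately broad: this is triage for an analyst or SIEM rule, not a verdict."""
    name = domain.lower().rstrip(".")
    reasons = []
    if name in blocklist:
        reasons.append("blocklisted")
    reasons += [f"keyword:{kw}" for kw in SCAM_KEYWORDS if kw in name]
    for label in name.split("."):
        normalized = label.translate(LEET)
        for brand in BRANDS:
            # a brand that only appears once digits are read as letters marks a lookalike label
            if brand in normalized and brand not in label:
                reasons.append(f"lookalike:{brand}")
    return reasons

def triage_log(lines, blocklist: set) -> list:
    """Run the triage over resolver log lines and return (client, domain, reasons) for hits only."""
    hits = []
    for line in lines:
        match = QUERY_RE.search(line)
        if not match:
            continue
        reasons = triage_domain(match["domain"], blocklist)
        if reasons:
            hits.append((match["client"], match["domain"].lower().rstrip("."), reasons))
    return hits

# Constructed sample log; the blocklist holds the one domain the report names (t3sla-giveaway.com is made up).
SAMPLE_LOG = [
    "14-Nov-2023 10:01:02.123 client 10.0.0.5#53211: query: double-ethereum.info IN A + (10.0.0.1)",
    "14-Nov-2023 10:01:03.456 client 10.0.0.7#40122: query: www.example.com IN A + (10.0.0.1)",
    "14-Nov-2023 10:01:04.789 client 10.0.0.5#53212: query: t3sla-giveaway.com IN A + (10.0.0.1)",
    "14-Nov-2023 10:01:05.000 client 10.0.0.9#51000: query: mail.internal.example.net IN MX + (10.0.0.1)",
]
BLOCKLIST = {"double-ethereum.info"}
if __name__ == "__main__":
    for client, domain, reasons in triage_log(SAMPLE_LOG, BLOCKLIST):
        print(f"ALERT {client} -> {domain}: {', '.join(reasons)}")
```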