A DNS Deep Dive into New Crypto Threat “Hidden Risk”

As of 2024, more than 560 million people own cryptocurrencies worldwide, which could translate to more than half a million potential cyber attack victims. This widespread adoption may explain the emergence of threats like Hidden Risk, a malicious campaign that uses fake crypto news to distribute the RustBucket malware.

SentinelLabs published an in-depth investigation of the Hidden Risk campaign and identified 86 indicators of compromise (IoCs) related to the payload — RustBucket.

The attack began with phishing attempts targeting crypto-related businesses. Victims were tricked into downloading a dropper with RustBucket as a payload. The SentinelLabs researchers believed the campaign began as early as July 2024 and used fake news about cryptocurrency-related topics.

The WhoisXML API research team handpicked 81 of the IoCs, specifically 44 domains, 27 subdomains, and 10 IP addresses, for an expansion analysis. Our DNS deep dive led to the discovery of:

A sample of the additional artifacts obtained from our analysis is available for download from our website.

We began our analysis with a bulk WHOIS lookup for the 44 domains tagged as IoCs, which found that:

A query on DNS Chronicle API for the 44 domains tagged as IoCs showed that 34 had resolved to at least one IP address in the past. Overall, they resolved to 537 IP addresses between 2019 and 2024. Here are five examples with historical DNS data.

A bulk IP geolocation lookup for the 10 IP addresses tagged as IoCs yielded these results:

A query on DNS Chronicle API for the 10 IP addresses tagged as IoCs revealed that each had at least two domains resolving to it in the past. Overall, 1,717 domains resolved to them between 2019 and 2024. Take a look at three examples below.

We began our search for connected threat artifacts with a WHOIS History API query for the 44 domains tagged as IoCs. The results showed that they had 30 email addresses in their historical WHOIS records. Seven of the email addresses were public.

A Reverse WHOIS API query for the seven public email addresses yielded results for four of them, although one address may belong to a domainer, given the large number of connected domains. Excluding the results for that potential domainer, we obtained 40 email-connected domains after filtering out duplicates and the IoCs.

Next, a DNS Lookup API query for the 44 domains tagged as IoCs provided us with 14 additional IP addresses after removing duplicates and the IoCs.

A Threat Intelligence API query for the 14 additional IP addresses revealed that 13 had already been associated with malicious campaigns.
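The email-address pivot in the expansion steps above (historical WHOIS emails, public ones only, Reverse WHOIS, then dropping a likely domainer and the IoCs themselves) can be expressed as a small filtering pipeline. The block below is an added illustration, not WhoisXML API code and not the campaign's real data: every domain, email and record is constructed, the privacy-proxy domain list and the domainer threshold are assumptions, and real lookups would replace the two dictionaries.

```python
"""Email-pivot expansion of IoC domains, modelled on the post's workflow.

All inputs are constructed sample data, not the campaign's real IoCs or
WhoisXML API responses; only the pivot logic mirrors the post.
"""

# Constructed sample: domains tagged as IoCs (placeholders, not the real ones).
IOC_DOMAINS = {"ioc-news1.example", "ioc-news2.example", "ioc-wallet.example"}

# Constructed WHOIS History records: historical registrant emails per IoC.
WHOIS_HISTORY = {
    "ioc-news1.example": ["actor@mail.example", "proxy@privacy.example"],
    "ioc-news2.example": ["actor@mail.example", "bulk@domainer.example"],
    "ioc-wallet.example": ["proxy@privacy.example"],
}

# Constructed Reverse WHOIS results: email -> domains registered with it.
REVERSE_WHOIS = {
    "actor@mail.example": ["ioc-news1.example", "ioc-news2.example",
                           "fresh-news.example", "crypto-alert.example"],
    "bulk@domainer.example": [f"parked{i}.example" for i in range(500)],
}

# Assumption: addresses at these domains are privacy/proxy services,
# i.e. not "public" emails and useless as pivots.
PRIVACY_PROXY_DOMAINS = {"privacy.example"}

# Assumption: an email tied to more domains than this is treated as a
# domainer's address and its results are excluded as noise.
DOMAINER_THRESHOLD = 100


def public_emails(iocs, history):
    """Unique historical WHOIS emails for the IoCs, minus proxy addresses."""
    found = {e for d in iocs for e in history.get(d, [])}
    return {e for e in found if e.split("@")[1] not in PRIVACY_PROXY_DOMAINS}


def email_connected_domains(iocs, history, reverse, threshold):
    """Domains sharing a registrant email with an IoC, excluding the IoCs
    and any email that looks like a domainer's. Returns (domains, skipped)."""
    connected, skipped = set(), set()
    for email in public_emails(iocs, history):
        hits = set(reverse.get(email, []))
        if len(hits) > threshold:
            skipped.add(email)          # potential domainer: too many domains
            continue
        connected |= hits - iocs        # sets drop duplicates and the IoCs
    return connected, skipped


if __name__ == "__main__":
    domains, noisy = email_connected_domains(
        IOC_DOMAINS, WHOIS_HISTORY, REVERSE_WHOIS, DOMAINER_THRESHOLD)
    print(sorted(domains), sorted(noisy))
```

The same set-difference pattern applies to the IP step that follows it: resolve the IoC domains, subtract the IoC IP addresses, and keep only what is new.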

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
