Phishing domains like coinbase-mywallet.com pose a significant threat to users in the cryptocurrency and finance sectors by mimicking legitimate services to harvest sensitive information. This investigation reveals the domain's connections to the APT40 threat group, showcasing the sophisticated infrastructure and tactics employed in these malicious operations.
Affected: cryptocurrency sector, finance sector
Key points:
- coinbase-mywallet.com is a phishing domain targeting cryptocurrency and finance sectors.
- The domain was registered on January 16, 2025, using privacy protection.
- It utilizes a combination of cloud services and compromised servers for anonymity.
- Associated IPs include 172.67.69.97, 104.26.10.241, and 104.26.11.241.
- A malware sample hash has been linked to the domain and flagged as malicious.
- APT40 is suspected to be behind the phishing campaign, known for targeting financial sectors.
- Phishing techniques include deceptive design and credential harvesting.
- The infrastructure is resilient, employing multiple command-and-control channels.
- Community reports have corroborated the connection to APT40.
- Proactive security measures and user education are essential to combat these threats.
MITRE Techniques:
- Phishing (T1566): The domain employs phishing emails and deceptive designs to harvest credentials.
- Command and Control (T1071): Utilizes multiple IPs for command-and-control operations.
- Credential Dumping (T1003): Captures usernames, passwords, and two-factor authentication codes through fake login forms that appear secure and legitimate.
- Data Exfiltration (T1041): Steals sensitive user information from infected devices.
- Infrastructure Reuse (T1583): Reuses previously compromised assets for new campaigns.
Indicators of Compromise:
- [IP Address] 172.67.69.97
- [IP Address] 104.26.10.241
- [IP Address] 104.26.11.241
- [IP Address] 66.171.248.178
- [Domain] carder.bit
- See the original article for the full list of IoCs.
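As an added example (not from the article), the following script scores proxy log lines against the IoCs listed above and also flags hosts that carry the impersonated brand name under a non-genuine registrable domain; the log format, the brand keyword and the legitimate domain are assumptions, and the log lines are constructed.

```python
# IoCs as listed on this page.
IOC_DOMAINS = {"coinbase-mywallet.com", "carder.bit"}
IOC_IPS = {"172.67.69.97", "104.26.10.241", "104.26.11.241", "66.171.248.178"}
# Assumed: the impersonated brand keyword and its genuine registrable domain.
BRAND = "coinbase"
LEGIT_DOMAINS = {"coinbase.com"}

# Constructed sample proxy log: timestamp, client IP, destination IP, requested host.
LOG_LINES = """\
2025-01-20T09:14:02Z 10.0.0.15 104.26.10.241 coinbase-mywallet.com
2025-01-20T09:15:11Z 10.0.0.22 203.0.113.9 www.coinbase.com
2025-01-20T09:16:40Z 10.0.0.31 104.26.11.241 cdn.example.org
2025-01-20T09:17:05Z 10.0.0.15 66.171.248.178 login.coinbase.com.verify-account.net
2025-01-20T09:18:30Z 10.0.0.40 198.51.100.7 static.carder.bit
"""

def matches_domain_ioc(host: str) -> bool:
    # Exact match or any subdomain of a listed domain.
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def is_brand_lookalike(host: str) -> bool:
    # Brand keyword anywhere in the name while the registrable domain is not the
    # genuine one; registrable domain approximated as the last two labels.
    registrable = ".".join(host.split(".")[-2:])
    return BRAND in host and registrable not in LEGIT_DOMAINS

def scan_log(text: str) -> list:
    """Return one finding per log line that touches a listed IoC or a lookalike host."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        dst_ip, host = parts[2], parts[3].lower()
        reasons = []
        if matches_domain_ioc(host):
            reasons.append("domain-ioc")
        if is_brand_lookalike(host):
            reasons.append("brand-lookalike")
        if dst_ip in IOC_IPS:
            reasons.append("ip-ioc")
        if not reasons:
            continue
        # The listed IPs sit on shared cloud infrastructure (see key points), so an
        # IP-only hit is weak; a domain hit, or a lookalike corroborated by an IP, is strong.
        strong = "domain-ioc" in reasons or len(reasons) >= 2
        confidence = "high" if strong else "medium" if "brand-lookalike" in reasons else "low"
        hits.append({"line": n, "host": host, "reasons": reasons, "confidence": confidence})
    return hits
```

The third sample line shows why IP-only matches on cloud-hosted addresses should be triaged as low confidence rather than blocked outright.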