Cybersecurity researchers have discovered a Russian cybercrime group using Fake Web3 Gaming themes to distribute malware. This malware is intended to steal information from Microsoft Windows and Apple macOS users.
In Web3 gaming, players and testers are often paid incentives in cryptocurrency, and threat actors use this expectation to draw users in. According to OSINT sources, these threat actors have created Web3 gaming projects that abuse well-known brands: they subtly alter the name of a popular project and use it across one or more counterfeit websites. Once the websites are in place, they create fake social media posts that point to the malicious websites, and may also create fake channels in messaging applications to extend their reach. Once victims are engaged, they are tricked into downloading malware by clicking links on the fake websites.
Open-source intelligence (OSINT) reports indicate that the malware utilized in this campaign includes Stealc, Rhadamanthys, RisePro, and the Atomic macOS Stealer (AMOS). Stealc, a Malware-as-a-Service (MaaS) infostealer, is built upon the foundations of the Raccoon, Mars, Vidar, and Redline stealers. AMOS operates by posting advertisements on Google that resemble legitimate ads. These infostealers are all different, and their dangerous capabilities continue to evolve.
To defend against these threats, it’s essential to identify and block potentially malicious activity as early as possible in the attack cycle. Infoblox’s DNS Early Detection Program uses proprietary techniques to identify potentially malicious domains quickly. We can detect these malicious domains early, long before they are available in Open Source Intelligence (OSINT) or commercial feeds as malicious. We flag these domains as SUSPICIOUS at the earliest stage and make them available for immediate blocking. By taking this proactive approach, defenders can stop attacks days, weeks, or even months before they appear in OSINT or threat intelligence feeds.
Threat actors continually adjust their techniques and often use malicious domains to launch damaging and dangerous attacks quickly. Once that link to a malicious domain is clicked, the Kill Chain can rapidly unfold to the detriment of the defenders. These malicious domains are often detected and shared too late by OSINT and threat intel feeds.
Our DNS Early Detection Program identifies and analyzes potentially harmful domains and cross-references our findings with public Open Source Intelligence (OSINT) data and commercial threat intelligence feeds. In this blog post, we delve into our analysis of domains flagged as malicious in OSINT, providing numerous instances of our proactive identification of these domains as suspicious.
Analysis and Methodology
Multiple OSINT publication sources released disclosures on Fake Web3 Gaming derived from a report by the Insikt Group, Recorded Future’s threat research division. The report was initially published on or about April 11, 2024, and third-party articles referencing this content continued over the following weeks. The cited report included IoCs and details in its analysis as of February 29, 2024.
Infoblox extracted malicious domains identified within these OSINT sources. The Infoblox team then analyzed the identified malicious domains to determine whether they had been identified earlier by our suspicious domain feeds.
Infoblox identified 71.43% of the Fake Web3 Gaming Campaign domains as SUSPICIOUS, an average of 115.4 days earlier than their availability in OSINT as MALICIOUS. Similarly, Infoblox identified many malicious domains within 2 to 3 days of their WHOIS registration. This enabled our customers to stop the execution of the intended Cyber Kill Chain[1] by automatically blocking access to these dangerous domains.
Our team researched each malicious domain identified in OSINT in the Infoblox Dossier portal. We reviewed our timeline feature to extract the earliest dates associated with Infoblox’s suspicious designation. We also extracted the WHOIS information for additional context.
The conclusions of our analysis illustrate the potential benefits of SUSPICIOUS domain feeds:
- Infoblox identified 71.43% of the Fake Web3 Gaming domains as SUSPICIOUS, averaging 115.4 days (3.79 months) before the OSINT designation as MALICIOUS became available.
- One of the malicious domains, blastl2[.]net, was a Zero-Day Detection by Infoblox Threat Intel; that is, the domain was blocked as SUSPICIOUS on the same date as its WHOIS registration.
- Using our LOOKALIKE algorithms, Infoblox identified two additional potentially dangerous domains, playastration[.]com on 2.10.2024 and pythonanywhere[.]com on 6.4.2018. These turned out to be malicious and are being used by the Fake Web3 Gaming campaign.
- Our DNS early detection program identifies suspicious domains weeks to months, as in this case, ahead of OSINT identification as malicious.
- There is often an extended period of time from availability via OSINT to utilization by your cybersecurity ecosystem and defense-in-depth strategy. Infoblox designation of suspicious domains can link to automation to block them immediately.
OSINT publication dates may sometimes be unclear or lack precision. The dates of articles published by reputable third parties may not always accurately reflect when each domain became available in OSINT. The critical point is that even if you have the OSINT data, it must propagate through the threat feeds you use and your cybersecurity ecosystem before it supports actionable policies. All of that is automated with Infoblox DNS Detection and Response (DNSDR) and our suspicious domain data.
Comparison to WHOIS Data
OSINT data release dates can always be debated. There is always a source you might have missed. But so did most of the vulnerable users out there!
WHOIS data draws a line in the sand and gets you as close as possible to hard data. A comparison with WHOIS data tells you how your threat intelligence systems perform. We extracted WHOIS dates to provide context on the performance of our suspicious threat intel feeds. Fake Web3 Gaming domains were blocked by Infoblox as SUSPICIOUS within an average of 3.6 days after the WHOIS domain registration date. The WHOIS dates are relatively precise and provide another perspective on the high value and relative performance of suspicious DNS threat intel feed content.
One malicious domain, blastl2[.]net, was a Zero-Day Detection by Infoblox Threat Intel and was blocked as suspicious on the date of WHOIS registration. The above chart shows that the number of days between the WHOIS date and the suspicious designation for that domain was zero.
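The lead-time arithmetic described in the methodology and WHOIS sections above, as an added example that is not Infoblox code: for each OSINT-flagged domain it takes the earliest SUSPICIOUS date, the OSINT malicious date and the WHOIS creation date, and computes the coverage percentage, the average OSINT lead, the average lag after registration and any zero-day detections. The domain names and dates are constructed, not the campaign's indicators.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    whois_created: date                  # WHOIS creation date
    osint_malicious: date                # date the domain became available in OSINT as MALICIOUS
    suspicious_flagged: Optional[date]   # earliest SUSPICIOUS date, or None if never flagged


def parse_records(rows):
    """rows: (domain, whois, osint, suspicious-or-'') with ISO-8601 date strings."""
    return [
        DomainRecord(d, date.fromisoformat(w), date.fromisoformat(o),
                     date.fromisoformat(s) if s else None)
        for d, w, o, s in rows
    ]


def lead_metrics(records):
    flagged = [r for r in records if r.suspicious_flagged is not None]
    if not flagged:
        return {"coverage_pct": 0.0, "mean_osint_lead_days": None,
                "mean_whois_lag_days": None, "zero_day": []}
    return {
        # share of OSINT-malicious domains the suspicious feed had already flagged
        "coverage_pct": round(100.0 * len(flagged) / len(records), 2),
        # days of warning before the OSINT MALICIOUS designation (positive = earlier)
        "mean_osint_lead_days": round(mean((r.osint_malicious - r.suspicious_flagged).days
                                           for r in flagged), 2),
        # days between WHOIS registration and the SUSPICIOUS designation
        "mean_whois_lag_days": round(mean((r.suspicious_flagged - r.whois_created).days
                                          for r in flagged), 2),
        # flagged on the registration date itself
        "zero_day": [r.domain for r in flagged if r.suspicious_flagged == r.whois_created],
    }


# Constructed sample (hypothetical .example names, not real IoCs): 7 domains, 5 flagged.
SAMPLE = parse_records([
    ("zero-day-1.example", "2024-01-01", "2024-04-11", "2024-01-01"),
    ("flagged-2.example",  "2024-01-10", "2024-04-11", "2024-01-13"),
    ("flagged-3.example",  "2023-11-20", "2024-04-11", "2023-11-25"),
    ("flagged-4.example",  "2024-02-01", "2024-04-11", "2024-02-05"),
    ("flagged-5.example",  "2024-03-01", "2024-04-11", "2024-03-07"),
    ("missed-6.example",   "2024-03-20", "2024-04-11", ""),
    ("missed-7.example",   "2024-04-02", "2024-04-11", ""),
])

if __name__ == "__main__":
    print(lead_metrics(SAMPLE))
```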
The threat actors behind most campaigns have learned to continually create and change the domains they use to camouflage their malicious activities. Any key domains used in perpetuating the Fake Web3 Gaming campaigns may be shut down at any time and replaced with new infrastructure. Infoblox Early DNS Detection threat intel brings tangible advantages to your organization.
Improving Time to Value
Infoblox DNS Early Detection using our suspicious feeds can help your SOC identify and block potentially dangerous threats, such as Fake Web3 Gaming, faster. Infoblox Threat Intel’s proprietary technology can detect suspicious domains faster than the industry’s current methods, and it can help protect your organization from a disastrous data breach.
Suspicious domain feeds provide a significant advantage in developing and using DNS threat intelligence information. With Infoblox’s suspicious domain data, security operations teams can get the timely information they need to prevent and counter new threats before they do any damage.
Infoblox suspicious domain data is HIGH VALUE, can be used with relatively LOW EFFORT, and can SHRINK THE TIME TO VALUE and INCREASE THE RETURN ON INVESTMENT for your threat intelligence program.
For Additional Information
Infoblox Threat Intel provides fast access to accurate, contextual threat alerts and reports from our real-time research teams. Suspicious Domains feeds were introduced as an Infoblox proprietary product on November 10, 2022. Since then, they have provided many thousands of customers with the advance information needed to block domains that ultimately become malicious, long before most other threat intelligence sources identify them as such. Infoblox allows your team to leverage the high value of suspicious domain threat intelligence while ensuring a unified security policy across your entire security infrastructure. Infoblox threat data minimizes false positives, so you can be confident in what you are blocking.
To learn more about suspicious domains and DNS early detection:
https://www.infoblox.com/threat-intel/
To learn more about BloxOne Threat Defense:
https://www.infoblox.com/products/bloxone-threat-defense/
To learn more about Advanced DNS Protection:
https://www.infoblox.com/products/advanced-dns-protection/
To learn more about the National Security Agency (NSA) and Cybersecurity & Infrastructure Security Agency (CISA) guidance on Protective DNS:
https://media.defense.gov/2021/Mar/03/2002593055/-1/-1/0/CSI_PROTECTIVE%20DNS_UOO117652-21.PDF
OSINT sources on Fake Web3 Gaming included, but are not limited to:
- https://go.recordedfuture.com/hubfs/reports/cta-2024-0411.pdf
- https://www.recordedfuture.com/cybercriminal-campaign-spreads-infostealers-highlighting-risks-to-web3-gaming
- https://www.darkreading.com/cyberattacks-data-breaches/russian-actor-targets-web3-game-developers-with-infostealers
- https://medium.com/valid-entry/web3-game-developers-targeted-in-crypto-theft-scheme-742fce8b0b51
Footnotes
1. Cyber Kill Chain is a registered trademark of Lockheed Martin: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html