From BPH to massive malicious Crypto Exchange Infrastructure
Analysis Summary
# Threat Actor: Undetermined Actor(s) Associated with Massive Malicious Crypto Exchange Infrastructure (Potentially Ukrainian Scammers)
## Attribution & Identity
Attribution is uncertain ("based on the info WE have, can’t really attribute anything to anyone"). A Russian scam report vaguely attributes an attack involving "Yukitale" & "cryptavex" to "advanced Ukrainian scammers(?)". The analysis focuses on infrastructure originating from Prospero's network (AS `200593`), a known Bulletproof Hosting (BPH) provider.
## Activity Summary
The activity involves the deployment of massive, fresh infrastructure used for widespread phishing campaigns, with a significant focus on cryptocurrency exchange impersonation. The infrastructure spans multiple Autonomous System Numbers (ASNs) beyond Prospero's network. The campaign is highly coordinated, utilizing identical page designs and the Binance API to pull current prices for localized scam sites.
## Tactics, Techniques & Procedures
- **Infrastructure Setup:** Utilizing Bulletproof Hosting (BPH) providers (e.g., AS `200593`, belonging to Prospero).
- **Phishing Deployment:** Hosting numerous phishing domains across synchronized IPs.
- **Impersonation:** Direct impersonation of Cryptocurrency Exchanges (e.g., "Yukitale," "cryptavex"), often pulling live pricing data via public APIs (Binance API) to increase legitimacy.
- **Web Server Fingerprinting:** Use of standard control panel pages for initial deployment/staging (Plesk, FASTPANEL).
- **TTPs inferred from headers/structure:**
  - Host URL Path: `/login_up.php`
  - HTTP Response Codes: `200 OK`
  - Web Server Signatures: Plesk Obsidian, FASTPANEL.
  - JARM Hashes observed: `29d29d00029d29d00042d42d0000002059a3b916699461c5923779b77cf06b`, `29d29d00029d29d00042d42d00000000f78d2dc0ce6e5bbc5b8149a4872356`
## Targeting
- **Sectors:** Cryptocurrency (primary focus), potentially encompassing themes found in secondary phishing infrastructure: Streaming/Video (Netflix), Banking, Shipping & Logistics.
- **Geography:** Not explicitly stated for victims, but the infrastructure is global, spanning multiple ASNs.
- **Victims:** Organizations/users targeted via impersonations of cryptocurrency exchanges ("Yukitale," "cryptavex") and other major service providers (Crypto, Netflix, Banking).
## Tools & Infrastructure
- **Infrastructure Components:**
  - AS `200593` (Prospero BPH)
  - IP Blocks: `91.202.233.0/24`, `91.215.85.0/24`
  - Infrastructure clusters noted using Plesk pages and FASTPANEL pages.
- **Malware Families Used:** Not explicitly named, but the primary artifact is phishing website content deployed via web servers.
- **Infrastructure Signatures (Used for hunting):**
  - Header Hash: `a9a3fc8fbb20598112c8`
  - Banner Hash: `55e090957d46b51d03547dba1763cdf0`
- **Example Phishing Domains (Defanged):**
  - `trusted-fastbtc[.]top`
  - `neifiixapp[.]com`
  - `sweedbank-help[.]com`
  - `transport-mondiairelay[.]com`
## Implications
This represents a large, well-resourced, and non-centralized threat operation focused on financial theft via cryptocurrency exchange scams. The actors demonstrate strong operational security by distributing their infrastructure across multiple ASNs and using fresh (unreported) infrastructure, indicating a high probability of success in initial intrusion attempts against targeted users. The use of shared hosting control panels (Plesk/FASTPANEL) across different clusters suggests standard tooling is being deployed rapidly across new infrastructure.
## Mitigations
- **Infrastructure Monitoring:** Utilize IOCs (IP ranges, Header Hashes, Banner Hashes) identified in this analysis to proactively scan external networks for similar setups.
- **Threat Hunting:** Hunt across ASNs that serve as alternative hosting sites outside of the initial Prospero discovery.
- **User Education:** Increase vigilance regarding login pages for cryptocurrency exchanges, advising users to check domain names carefully and be suspicious of sites polling live market data without direct user interaction.
- **WAF/Network Filtering:** Implement WAF rules or network egress filtering based on known phishing domains and suspected hosting providers/IP spaces identified.
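As an added example (not part of the original report), the following script turns the hunting signatures and the Infrastructure Monitoring mitigation above into a triage routine over external scan results. It assumes a constructed record schema (`ip`, `path`, `status`, `server`, `jarm`, `header_hash`, `banner_hash`) and assumed weights that rank the hard indicators (IP block, JARM, header/banner hash) above the generic Plesk/FASTPANEL fingerprints, which on their own are common on benign hosts.

```python
import ipaddress

# Indicators copied from the report above; the weights below are an assumption.
BPH_RANGES = [ipaddress.ip_network(c) for c in ("91.202.233.0/24", "91.215.85.0/24")]
JARM_IOCS = {
    "29d29d00029d29d00042d42d0000002059a3b916699461c5923779b77cf06b",
    "29d29d00029d29d00042d42d00000000f78d2dc0ce6e5bbc5b8149a4872356",
}
HEADER_HASH_IOC = "a9a3fc8fbb20598112c8"
BANNER_HASH_IOC = "55e090957d46b51d03547dba1763cdf0"
PANEL_MARKERS = ("plesk", "fastpanel")


def score_host(rec):
    """Score one scan record (constructed schema). Hard IOCs weigh more than the
    generic control-panel fingerprints, which are common on benign hosts too."""
    ip = ipaddress.ip_address(rec["ip"])
    server = rec.get("server", "").lower()
    checks = [
        (any(ip in net for net in BPH_RANGES), 3, "ip in Prospero BPH range"),
        (rec.get("jarm") in JARM_IOCS, 3, "JARM matches report"),
        (rec.get("header_hash") == HEADER_HASH_IOC, 2, "header hash matches"),
        (rec.get("banner_hash") == BANNER_HASH_IOC, 2, "banner hash matches"),
        (rec.get("path") == "/login_up.php" and rec.get("status") == 200, 1, "Plesk login path 200"),
        (any(m in server for m in PANEL_MARKERS), 1, "control-panel banner"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [why for hit, _, why in checks if hit]
    return score, reasons


def triage(records, threshold=4):
    """Return records scoring at or above the threshold, strongest first."""
    hits = []
    for rec in records:
        score, reasons = score_host(rec)
        if score >= threshold:
            hits.append({"ip": rec["ip"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed sample scan records (not real observations): one host matching every
# indicator, and one ordinary Plesk host that only trips the weak fingerprint checks.
SAMPLE = [
    {"ip": "91.202.233.10", "path": "/login_up.php", "status": 200, "server": "Plesk Obsidian",
     "jarm": "29d29d00029d29d00042d42d0000002059a3b916699461c5923779b77cf06b",
     "header_hash": "a9a3fc8fbb20598112c8", "banner_hash": "55e090957d46b51d03547dba1763cdf0"},
    {"ip": "203.0.113.5", "path": "/login_up.php", "status": 200, "server": "Plesk Obsidian"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

The threshold keeps a lone Plesk login page out of the hit list; only the IP block, JARM or hash matches push a host over it.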