# Full Report
Cybersecurity researchers have lifted the lid on two threat actors that orchestrate investment scams through spoofed celebrity endorsements and conceal their activity through traffic distribution systems (TDSes). The activity clusters have been codenamed Reckless Rabbit and Ruthless Rabbit by DNS threat intelligence firm Infoblox. The attacks have been observed to lure victims with bogus
# Analysis Summary
# Threat Actor: Reckless Rabbit
## Attribution & Identity
- **Identification:** Threat actor discovered by DNS threat intelligence firm Infoblox.
- **Known Aliases/Associations:** Mentioned alongside Ruthless Rabbit, Prolific Puma, Revolver Rabbit, and VexTrio Viper as actors using Registered Domain Generation Algorithms (RDGA). Association with Nomani, or the group arrested in connection with cryptocurrency scams, is currently unconfirmed pending further analysis.
## Activity Summary
Reckless Rabbit orchestrates investment scams using spoofed celebrity endorsements advertised on social media (specifically Facebook).
- **Campaign Mechanism:** Creates Facebook advertisement content that mimics fake news articles featuring celebrity endorsements for a phony investment platform.
- **Timeline:** Observed creating domains as far back as April 2024.
- **Goal:** Lure victims to bogus platforms (e.g., cryptocurrency exchanges) via embedded web forms to collect personal data under the guise of "registering" for an investment opportunity. Victims who pass vetting are routed to the scam platform or instructed to await a call from a "representative" who guides them through depositing funds.
- **Evasion:** Ads are interspersed with legitimate-looking advertising content (e.g., Amazon items) and use decoy domains to evade detection and enforcement.
## Tactics, Techniques & Procedures
- **Social Media Malvertising:** Using platforms like Facebook to distribute ads leading to malicious content.
- **Web Form Phishing:** Utilizing embedded web forms to collect Personally Identifiable Information (PII) during the "registration" phase.
- **IP Geolocation Filtering:** Performing HTTP GET requests to legitimate IP validation tools (e.g., ipinfo\[.\]io, ipgeolocation\[.\]io, ipapi\[.\]co) to filter out traffic from unwanted geographies.
- **Data Validation:** Checking the authenticity of provided phone numbers and email addresses.
- **Traffic Distribution System (TDS) Use:** Routing successful targets through a TDS to either the final scam platform or a waiting page.
- **Registered Domain Generation Algorithm (RDGA):** Using a secret algorithm to generate domain names for the investment platforms, with the actor registering every generated domain rather than merely checking candidate names for availability.
## Targeting
- **Sectors:** Financial services/Investment (fraudulent cryptocurrency exchanges).
- **Geography:** Primarily targets users in Russia, Romania, and Poland. Explicitly excludes traffic from Afghanistan, Somalia, Liberia, and Madagascar.
- **Victims:** Individual retail investors/users on social media platforms.
## Tools & Infrastructure
- **RDGA:** Utilized for domain name generation.
- **Validation Tools:** ipinfo\[.\]io, ipgeolocation\[.\]io, ipapi\[.\]co.
- **Infrastructure:** Uses a TDS for cloaking and hiding malicious content.
- **Malware Families Used:** Not explicitly named, but the operation relies on web forms and potentially call center infrastructure for social engineering.
- **Infrastructure (Defanged URLs/Domains):** Decoy domains like "amazon\[.\]pl" were used, pointing to actual scam domains like "tyxarai\[.\]org".
## Implications
Reckless Rabbit demonstrates a high degree of sophistication in modern investment scams by combining social engineering (celebrity endorsements, fake news) with technical evasions like IP filtering and RDGAs. The threat is likely ongoing and profitable, suggesting increased growth in volume and complexity.
## Mitigations
- **Ad Scrutiny:** Exercise extreme caution with investment advertisements found on social media, especially those promising high returns or featuring celebrity endorsements.
- **Domain Verification:** Verify that the domain linked in an advertisement matches the domain clicked; be wary of redirects or decoy domains.
- **Geolocation Defense Policies:** Organizations in the targeted regions (Russia, Romania, Poland) should enhance network monitoring for traffic to or from known TDS infrastructure, bearing in mind that this actor primarily targets individual endpoints rather than organizations.
- **Credential Handling:** Be wary of web forms that request sensitive information (like auto-generated passwords) early in the registration process.
---
# Threat Actor: Ruthless Rabbit
## Attribution & Identity
- **Identification:** Threat actor discovered by DNS threat intelligence firm Infoblox.
- **Known Aliases/Associations:** Part of the investment scam threat landscape discussed alongside Reckless Rabbit.
## Activity Summary
Ruthless Rabbit runs investment scam campaigns focused on Eastern European users.
- **Timeline:** Actively running campaigns since at least November 2022.
- **Mechanism:** Victims are routed through validation checks, and successful users are urged to enter financial information on the fake investment platform.
## Tactics, Techniques & Procedures
- **Cloaking Service:** Operates its own cloaking service to perform validation checks, rather than relying on the external IP validation tools that Reckless Rabbit uses.
- **Traffic Distribution System (TDS) Use:** Employs a TDS for infrastructure resilience and hiding malicious content.
- **Validation/Verification:** Performs checks before routing victims to the final investment platform.
## Targeting
- **Sectors:** Financial services/Investment (fraudulent platforms).
- **Geography:** Primarily targets Eastern European users.
- **Victims:** Individual retail investors/users.
## Tools & Infrastructure
- **Cloaking Service:** mcraftdb\[.\]tech
- **Infrastructure:** Utilizes a TDS.
## Implications
Ruthless Rabbit represents a persistent, long-running investment scam operation utilizing its own proprietary cloaking infrastructure, indicating a mature and well-resourced criminal enterprise.
## Mitigations
- **Infrastructure Monitoring:** Security teams should monitor for connection attempts to or from domains associated with the actor's cloaking service (mcraftdb\[.\]tech).
- **User Training:** Emphasize that legitimate financial institutions will not typically use proprietary cloaking services to validate user traffic.
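An added detection example serving the Infrastructure Monitoring items of both actors' Mitigations sections (this is illustrative code, not Infoblox's or the original report's): it refangs the page's defanged indicators, matches proxy-log hosts against the scam infrastructure, and flags a lookup to one of the listed geolocation APIs that follows a scam-infrastructure hit within a short window. It assumes a constructed proxy-log line format and that the geolocation lookup is issued from the victim's browser, so it lands in the same log; the decoy amazon[.]pl is deliberately not an indicator, since the real site is legitimate.

```python
import re
# Indicators copied from this page's defanged text; refanged only at runtime.
SCAM_INFRA = ["tyxarai[.]org", "mcraftdb[.]tech"]
# Legitimate geolocation APIs the actor abuses; a lookup soon after a scam-infra hit is a cloaking signal.
GEO_APIS = ["ipinfo[.]io", "ipgeolocation[.]io", "ipapi[.]co"]
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")  # constructed format (assumption): "<epoch> <client_ip> <host> <path>"

def refang(domain):
    # Turn a defanged indicator such as 'tyxarai[.]org' back into a hostname.
    return domain.replace("[.]", ".").lower()

def host_matches(host, indicators):
    """True when host equals an indicator or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in map(refang, indicators))

def parse(line):
    # Returns (epoch, client_ip, host, path), or None for a malformed line.
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts, client, host, path = m.groups()
    return int(ts), client, host, path

def detect(lines, window=60):
    """Return (alert_type, client_ip, infra_host) tuples for the given log lines."""
    alerts = []
    last_infra = {}  # client_ip -> (timestamp, host) of its last scam-infra hit
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing the pipeline
        ts, client, host, _ = rec
        if host_matches(host, SCAM_INFRA):
            alerts.append(("known_infra", client, host))
            last_infra[client] = (ts, host)
        elif host_matches(host, GEO_APIS) and client in last_infra:
            prev_ts, prev_host = last_infra[client]
            if ts - prev_ts <= window:
                alerts.append(("geo_check_after_infra", client, prev_host))
    return alerts

# Constructed sample log: decoy Amazon page, scam landing, geo lookup, unrelated lookup.
SAMPLE_LOG = [
    "1700000000 10.0.0.5 www.amazon.pl /deal",
    "1700000010 10.0.0.5 tyxarai.org /register",
    "1700000015 10.0.0.5 ipinfo.io /json",
    "1700000300 10.0.0.7 ipapi.co /json",
    "1700000400 10.0.0.9 cdn.mcraftdb.tech /check",
]
```

Running `detect(SAMPLE_LOG)` yields one known-infrastructure alert for the scam landing page, one correlated geolocation-check alert for the same client, and one subdomain match on the cloaking service; the decoy Amazon hit and the uncorrelated ipapi lookup produce nothing.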
---
*(Note: Summary also acknowledges the existence of other actors—Prolific Puma, Revolver Rabbit, VexTrio Viper—sharing the RDGA technique, and related scams like Nomani, but focuses the primary structure on Reckless Rabbit and Ruthless Rabbit as they were the central subjects of the analysis provided.)*