Date: 10/28/2024
Severity: Medium
Summary
The "TEMU Work Platform" is a cryptocurrency investment scam that has been active since July 2024. It gained significant attention with a spike in traffic starting October 15, 2024. The operators stockpile many domains, each hosting a visually identical, mobile-friendly copy of the platform. Registration asks for a referral code, but any value is accepted, including "0". All domains share one backend service, so an account created on one site can be used on the others. The campaign is tracked as phishing_temuwork_platform.
Indicators of Compromise (IOC) List
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 |
userdomainname like "pmotu-301.com" or url like "pmotu-301.com" or
userdomainname like "bmotu-289.com" or url like "bmotu-289.com" or
userdomainname like "cawotu-209.com" or url like "cawotu-209.com" or
userdomainname like "cawotu-739.com" or url like "cawotu-739.com" or
userdomainname like "mar-work254.com" or url like "mar-work254.com" or
userdomainname like "cawotu-146.com" or url like "cawotu-146.com" or
userdomainname like "pmotu-892.com" or url like "pmotu-892.com" or
userdomainname like "cawotu-639.com" or url like "cawotu-639.com" or
userdomainname like "pmotu-408.com" or url like "pmotu-408.com" or
userdomainname like "pmotu-591.com" or url like "pmotu-591.com" or
userdomainname like "cawotu-162.com" or url like "cawotu-162.com" or
userdomainname like "cawotu-705.com" or url like "cawotu-705.com" or
userdomainname like "pmotu-807.com" or url like "pmotu-807.com" or
userdomainname like "bmotu-279.com" or url like "bmotu-279.com" or
userdomainname like "bmotu-942.com" or url like "bmotu-942.com" or
userdomainname like "bmotu-137.com" or url like "bmotu-137.com" or
userdomainname like "bmotu-865.com" or url like "bmotu-865.com" or
userdomainname like "mar-work304.com" or url like "mar-work304.com" or
userdomainname like "bmotu-602.com" or url like "bmotu-602.com" or
userdomainname like "bmotu-624.com" or url like "bmotu-624.com" or
userdomainname like "bmotu-308.com" or url like "bmotu-308.com" or
userdomainname like "pmotu-084.com" or url like "pmotu-084.com" or
userdomainname like "pmotu-146.com" or url like "pmotu-146.com" or
userdomainname like "cawotu-867.com" or url like "cawotu-867.com" or
userdomainname like "cawotu-248.com" or url like "cawotu-248.com" or
userdomainname like "cawotu-670.com" or url like "cawotu-670.com" or
userdomainname like "bmotu-859.com" or url like "bmotu-859.com" or
userdomainname like "pmotu-792.com" or url like "pmotu-792.com" or
userdomainname like "bmotu-304.com" or url like "bmotu-304.com" or
userdomainname like "cawotu-726.com" or url like "cawotu-726.com" or
userdomainname like "pmotu-894.com" or url like "pmotu-894.com" or
userdomainname like "pmotu-921.com" or url like "pmotu-921.com" or
userdomainname like "bmotu-935.com" or url like "bmotu-935.com" or
userdomainname like "pmotu-769.com" or url like "pmotu-769.com" or
userdomainname like "pmotu-721.com" or url like "pmotu-721.com" or
userdomainname like "bmotu-017.com" or url like "bmotu-017.com" or
userdomainname like "cawotu-683.com" or url like "cawotu-683.com" or
userdomainname like "bmotu-419.com" or url like "bmotu-419.com" or
userdomainname like "bmotu-562.com" or url like "bmotu-562.com" or
userdomainname like "bmotu-583.com" or url like "bmotu-583.com" or
userdomainname like "bmotu-587.com" or url like "bmotu-587.com" or
userdomainname like "bmotu-590.com" or url like "bmotu-590.com" or
userdomainname like "bmotu-784.com" or url like "bmotu-784.com" or
userdomainname like "bmotu-967.com" or url like "bmotu-967.com" or
userdomainname like "cawotu-250.com" or url like "cawotu-250.com" or
userdomainname like "cawotu-349.com" or url like "cawotu-349.com" or
userdomainname like "cawotu-380.com" or url like "cawotu-380.com" or
userdomainname like "cawotu-534.com" or url like "cawotu-534.com" or
userdomainname like "cawotu-671.com" or url like "cawotu-671.com" or
userdomainname like "cawotu-785.com" or url like "cawotu-785.com" or
userdomainname like "cawotu-975.com" or url like "cawotu-975.com" or
userdomainname like "mar-work829.com" or url like "mar-work829.com" or
userdomainname like "mar-work840.com" or url like "mar-work840.com" or
userdomainname like "pmotu-412.com" or url like "pmotu-412.com" or
userdomainname like "pmotu-493.com" or url like "pmotu-493.com" or
userdomainname like "pmotu-803.com" or url like "pmotu-803.com" or
userdomainname like "dnxmq.shop" or url like "dnxmq.shop" or
userdomainname like "ebgkm.shop" or url like "ebgkm.shop" or
userdomainname like "kcyiw.shop" or url like "kcyiw.shop" |
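The query above relies on `like`, which in most SIEMs is a plain substring test. The Python below, added here as an illustration and not code from the advisory or from Gurucul, runs a subset of the listed domains over constructed log records in two ways, hostname-based (exact domain or subdomain) and substring-based (mirroring the query's `like`), so the two behaviours can be compared on lookalike hosts and on an IOC buried in a query string. The family regex is an assumption inferred from the listed names for hunting unlisted siblings, and the sample records are constructed, not real telemetry.

```python
import re
from urllib.parse import urlsplit

# Subset of the domains listed in this advisory (constructed sample; load the full list in production).
IOC_DOMAINS = {"pmotu-301.com", "bmotu-289.com", "cawotu-209.com", "mar-work254.com",
               "dnxmq.shop", "ebgkm.shop", "kcyiw.shop"}

# Assumed family pattern inferred from the listed names (label + three digits + .com): a hunting hypothesis, not an advisory indicator.
FAMILY_PATTERN = re.compile(r"^(?:[pb]motu-|cawotu-|mar-work)\d{3}\.com$")

def host_of(value):
    """Hostname from a bare domain or a full URL ('' if none)."""
    v = value.strip().lower()
    if v and "://" not in v:
        v = "//" + v  # lets urlsplit treat scheme-less input as a netloc
    return urlsplit(v).hostname or ""

def matches_ioc(host):
    """True for an exact IOC domain or any subdomain of one."""
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)

def like_hits(record):
    """Mirrors the SIEM query's substring 'like' semantics on the raw field values."""
    raw = (record.get("userdomainname", "") + " " + record.get("url", "")).lower()
    return sorted(d for d in IOC_DOMAINS if d in raw)

def classify(record):
    """'ioc' on a hostname match, 'pattern' on a family-pattern match, else None."""
    for field in ("userdomainname", "url"):
        host = host_of(record.get(field, ""))
        if matches_ioc(host):
            return "ioc"
        if FAMILY_PATTERN.match(host):
            return "pattern"
    return None

SAMPLE_LOGS = [  # constructed records, not real telemetry
    {"userdomainname": "", "url": "https://pmotu-301.com/register?code=0"},
    {"userdomainname": "m.cawotu-209.com", "url": ""},
    {"userdomainname": "", "url": "http://bmotu-555.com/login"},              # unlisted sibling
    {"userdomainname": "", "url": "https://kcyiw.shop.example.org/"},         # lookalike host
    {"userdomainname": "", "url": "https://example.com/?ref=pmotu-301.com"},  # IOC only in query
]

def scan(records):
    """Per-record (hostname verdict, substring hits) so the two approaches can be compared."""
    return [(classify(r), like_hits(r)) for r in records]
if __name__ == "__main__":
    for rec, (label, likes) in zip(SAMPLE_LOGS, scan(SAMPLE_LOGS)):
        print(f"{str(label):8} like={likes} {rec['userdomainname'] or rec['url']}")
```

The last two records show the trade-off: substring matching flags a lookalike host and an IOC hidden in a query parameter that hostname matching ignores, while hostname matching avoids the lookalike false positive; a production rule should typically combine both with different severities.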
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-24-IOCs-for-crypto-investment-scam.txt