Date: 09/25/2024
Severity: High
Summary
Criminals continue to exploit the name of Facebook's Libra cryptocurrency to promote fraudulent investment schemes. Originally called Libra, the cryptocurrency was ultimately canceled before its intended launch in 2020. The campaign features archival footage of Mark Zuckerberg testifying about Libra before the US Congress, which demonstrates that attackers can leverage a celebrity's likeness in scams without relying on generative AI or deepfake technology.
Indicators of Compromise (IOC) List
Domains/URLs:
daro.chimmato.top
jok.chimmato.top
yos.chimmato.top
pwalib.colgoinf.online
cosmicawareness.website
crisisecho.click
1.czopenprof.xyz
mei.dr-ef.xyz
mer.dr-ef.xyz
met.dr-ef.xyz
mey.dr-ef.xyz
kiu.gaszosakaii.top
meu.goelin.top
mew.goelin.top
1.headprroof.com
vvw.headprroof.com
company.lifeet.live
fadgy.lifeet.live
fads.lifeet.live
mondw.lifeet.live
newdas.lifeet.live
mertton.xyz
abota.mertton.xyz
bota.mertton.xyz
boti.mertton.xyz
lidiks.mertton.xyz
lidzav.mertton.xyz
melion.mertton.xyz
payblog.mertton.xyz
kcu.monaccode.live
vfc.monaccode.live
cepsreaction11.newstriy.top
cepsreactionskab.newstriy.top
storsokr.newstriy.top
amid.otkroyempravdu.site
blago.otkroyempravdu.site
blon.otkroyempravdu.site
blondi.otkroyempravdu.site
gain.otkroyempravdu.site
people.otkroyempravdu.site
well.otkroyempravdu.site
libra.peoplepro.xyz
businich.sclopi.com
bol.sitiizens-program.live
call.sitiizens-program.live
kow.sitiizens-program.live
wahl.sitiizens-program.live
wwv.stalhred.com
topsmarteuruich.cfg
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains/URLs 1:
userdomainname like "libra.peoplepro.xyz" or url like "libra.peoplepro.xyz" or
userdomainname like "blondi.otkroyempravdu.site" or url like "blondi.otkroyempravdu.site" or
userdomainname like "call.sitiizens-program.live" or url like "call.sitiizens-program.live" or
userdomainname like "vfc.monaccode.live" or url like "vfc.monaccode.live" or
userdomainname like "storsokr.newstriy.top" or url like "storsokr.newstriy.top" or
userdomainname like "mertton.xyz" or url like "mertton.xyz" or
userdomainname like "lidzav.mertton.xyz" or url like "lidzav.mertton.xyz" or
userdomainname like "kiu.gaszosakaii.top" or url like "kiu.gaszosakaii.top" or
userdomainname like "payblog.mertton.xyz" or url like "payblog.mertton.xyz" or
userdomainname like "1.czopenprof.xyz" or url like "1.czopenprof.xyz" or
userdomainname like "abota.mertton.xyz" or url like "abota.mertton.xyz" or
userdomainname like "melion.mertton.xyz" or url like "melion.mertton.xyz" or
userdomainname like "yos.chimmato.top" or url like "yos.chimmato.top"
Domains/URLs 2:
userdomainname like "daro.chimmato.top" or url like "daro.chimmato.top" or
userdomainname like "jok.chimmato.top" or url like "jok.chimmato.top" or
userdomainname like "pwalib.colgoinf.online" or url like "pwalib.colgoinf.online" or
userdomainname like "cosmicawareness.website" or url like "cosmicawareness.website" or
userdomainname like "crisisecho.click" or url like "crisisecho.click" or
userdomainname like "mei.dr-ef.xyz" or url like "mei.dr-ef.xyz" or
userdomainname like "mer.dr-ef.xyz" or url like "mer.dr-ef.xyz" or
userdomainname like "met.dr-ef.xyz" or url like "met.dr-ef.xyz" or
userdomainname like "mey.dr-ef.xyz" or url like "mey.dr-ef.xyz" or
userdomainname like "meu.goelin.top" or url like "meu.goelin.top" or
userdomainname like "mew.goelin.top" or url like "mew.goelin.top" or
userdomainname like "1.headprroof.com" or url like "1.headprroof.com" or
userdomainname like "vvw.headprroof.com" or url like "vvw.headprroof.com" or
userdomainname like "company.lifeet.live" or url like "company.lifeet.live" or
userdomainname like "fadgy.lifeet.live" or url like "fadgy.lifeet.live" or
userdomainname like "mondw.lifeet.live" or url like "mondw.lifeet.live" or
userdomainname like "newdas.lifeet.live" or url like "newdas.lifeet.live" or
userdomainname like "bota.mertton.xyz" or url like "bota.mertton.xyz" or
userdomainname like "boti.mertton.xyz" or url like "boti.mertton.xyz" or
userdomainname like "lidiks.mertton.xyz" or url like "lidiks.mertton.xyz" or
userdomainname like "kcu.monaccode.live" or url like "kcu.monaccode.live" or
userdomainname like "cepsreaction11.newstriy.top" or url like "cepsreaction11.newstriy.top" or
userdomainname like "cepsreactionskab.newstriy.top" or url like "cepsreactionskab.newstriy.top" or
userdomainname like "amid.otkroyempravdu.site" or url like "amid.otkroyempravdu.site" or
userdomainname like "blago.otkroyempravdu.site" or url like "blago.otkroyempravdu.site" or
userdomainname like "blon.otkroyempravdu.site" or url like "blon.otkroyempravdu.site" or
userdomainname like "gain.otkroyempravdu.site" or url like "gain.otkroyempravdu.site" or
userdomainname like "people.otkroyempravdu.site" or url like "people.otkroyempravdu.site" or
userdomainname like "well.otkroyempravdu.site" or url like "well.otkroyempravdu.site" or
userdomainname like "businich.sclopi.com" or url like "businich.sclopi.com" or
userdomainname like "bol.sitiizens-program.live" or url like "bol.sitiizens-program.live" or
userdomainname like "kow.sitiizens-program.live" or url like "kow.sitiizens-program.live" or
userdomainname like "wahl.sitiizens-program.live" or url like "wahl.sitiizens-program.live" or
userdomainname like "wwv.stalhred.com" or url like "wwv.stalhred.com" or
userdomainname like "topsmarteuruich.cfg" or url like "topsmarteuruich.cfg"
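The queries above test the userdomainname and url fields with substring "like" matches. The Python script below is an added example, not part of this advisory and not Gurucul's code: it matches events against the advisory's IOC domains on DNS label boundaries (a subdomain of a listed domain is a hit, a lookalike that merely contains the string is not, and an IOC that appears only in a URL's query string is not), and it cross-checks which IOCs from the list a block of query text actually covers. The field names userdomainname and url come from the queries; the event records, the sample query excerpt and the function names are constructed for this example.

```python
"""Added example; not part of the advisory or of Gurucul's product code.
(1) Match proxy/DNS events against the advisory's domain IOCs on DNS label
boundaries rather than by substring.  (2) Cross-check that TDIR query text
covers every IOC in the list.  Field names 'userdomainname' and 'url' are
taken from the advisory's queries; the events below are constructed."""
import re
from urllib.parse import urlsplit

# Domain IOCs copied verbatim from the advisory's IOC list.
IOC_DOMAINS = frozenset("""
daro.chimmato.top jok.chimmato.top yos.chimmato.top pwalib.colgoinf.online
cosmicawareness.website crisisecho.click 1.czopenprof.xyz mei.dr-ef.xyz
mer.dr-ef.xyz met.dr-ef.xyz mey.dr-ef.xyz kiu.gaszosakaii.top meu.goelin.top
mew.goelin.top 1.headprroof.com vvw.headprroof.com company.lifeet.live
fadgy.lifeet.live fads.lifeet.live mondw.lifeet.live newdas.lifeet.live
mertton.xyz abota.mertton.xyz bota.mertton.xyz boti.mertton.xyz
lidiks.mertton.xyz lidzav.mertton.xyz melion.mertton.xyz payblog.mertton.xyz
kcu.monaccode.live vfc.monaccode.live cepsreaction11.newstriy.top
cepsreactionskab.newstriy.top storsokr.newstriy.top amid.otkroyempravdu.site
blago.otkroyempravdu.site blon.otkroyempravdu.site blondi.otkroyempravdu.site
gain.otkroyempravdu.site people.otkroyempravdu.site well.otkroyempravdu.site
libra.peoplepro.xyz businich.sclopi.com bol.sitiizens-program.live
call.sitiizens-program.live kow.sitiizens-program.live
wahl.sitiizens-program.live wwv.stalhred.com topsmarteuruich.cfg
""".split())

# Quoted operand of each `like "..."` clause in the TDIR query text.
LIKE_OPERAND = re.compile(r'like\s+"([^"]+)"')


def host_of(value):
    """Lowercase hostname of a URL or bare host ('' if none can be parsed)."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value  # let urlsplit treat a bare host as the netloc
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".")  # tolerate a trailing-dot FQDN


def matching_ioc(host):
    """Return the IOC that `host` equals or sits under, else None.
    'cdn.abota.mertton.xyz' hits 'abota.mertton.xyz'; 'notmertton.xyz' does
    not, whereas a substring `like "mertton.xyz"` test would flag both."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_events(events):
    """Return [(event, ioc)] for events whose host or URL hits an IOC.
    The URL is reduced to its hostname first, so an IOC string that only
    appears in a path or query string (e.g. a web search for it) is no hit."""
    hits = []
    for ev in events:
        for field in ("userdomainname", "url"):
            ioc = matching_ioc(host_of(ev.get(field, "")))
            if ioc:
                hits.append((ev, ioc))
                break
    return hits


def query_coverage(query_text):
    """Compare the domains quoted in TDIR query text against IOC_DOMAINS.
    Returns (iocs_missing_from_queries, quoted_domains_not_in_ioc_list)."""
    quoted = set(LIKE_OPERAND.findall(query_text))
    return sorted(IOC_DOMAINS - quoted), sorted(quoted - IOC_DOMAINS)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"userdomainname": "libra.peoplepro.xyz",
     "url": "https://libra.peoplepro.xyz/invest"},
    {"url": "https://cdn.abota.mertton.xyz/video.mp4"},         # under an IOC
    {"userdomainname": "notmertton.xyz"},                       # substring lookalike
    {"url": "https://search.example/?q=libra.peoplepro.xyz"},  # IOC only in query
    {"userdomainname": "corp.example", "url": "https://corp.example/"},
]

# Constructed two-clause excerpt in the queries' syntax, to show the check.
SAMPLE_QUERY = ('userdomainname like "yos.chimmato.top" or url like '
                '"yos.chimmato.top" or userdomainname like "bogus.example"')

if __name__ == "__main__":
    for ev, ioc in scan_events(SAMPLE_EVENTS):
        print(f"HIT {ioc:30} {ev}")
    missing, extra = query_coverage(SAMPLE_QUERY)
    print(f"{len(missing)} IOCs not covered by the excerpt; stray: {extra}")
```

Paste the two full queries above into query_coverage and it reports fads.lifeet.live as the one IOC from the list that neither query includes, so that domain should be added before the queries are deployed. For matching in a SIEM that only offers substring "like", prefer the userdomainname field over url, or anchor the match so a domain in a search engine's query string does not alert.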
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-09-24-IOCs-for-Libra-themed-investment-scam.txt