A previously undocumented threat actor that Infoblox tracks as Savvy Seahorse runs fraudulent investment schemes built on DNS infrastructure. Its core pattern is to persuade victims to register on fake investment platforms and deposit money into a personal account on the platform; the operators then transfer those deposits to banks in Russia. The findings were published by Infoblox in a report released last week.
The campaigns target speakers of Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English, so the lure material is localised for a wide audience. Victims are drawn in mainly through paid advertising on social media, most notably Facebook. Some lures go further and collect personal information through fake ChatGPT and WhatsApp "bots" that promise high-return investment opportunities.
The distinctive technique is the use of DNS canonical name (CNAME) records as a traffic distribution system (TDS), something the actor has relied on since at least August 2021 to stay ahead of takedowns. A CNAME record makes one hostname an alias of another (canonical) name rather than pointing at an IP address; a resolver that encounters the CNAME restarts the lookup at the canonical name and returns whatever that name resolves to. Only the canonical name needs an A record, so the operator can change where an entire set of aliases lands with a single record update, and the alias names themselves reveal no IP address.
Savvy Seahorse creates large numbers of short-lived subdomains, produced by a domain generation algorithm (DGA), and gives every one of them a CNAME pointing at the same campaign domain, so they all share that domain's IP address. Because the subdomains and the IP addresses behind them change constantly, the infrastructure is resilient: when a phishing site is taken down, the operators simply generate new subdomains or repoint the CNAME target, which makes the operation hard for law enforcement to disrupt for long.
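The following added example (not code from Infoblox or from the actor's infrastructure) models the mechanism just described: a constructed, in-memory zone in which several throwaway subdomains are CNAME aliases of one canonical campaign name, a resolver that follows the CNAME chain the way a real resolver does (including the dangling-target and loop cases), and the defender's pivot, grouping observed hostnames by the canonical name they alias. Every hostname and address in it is invented; in practice the `ZONE` dictionary would be replaced by resolver logs, passive DNS data, or live lookups.

```python
"""Model of a CNAME-based traffic distribution system (TDS) and a hunt for it.

Added illustration, not code from the Infoblox report. All names and
addresses below are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed zone snapshot: owner name -> (rrtype, rdata).  The throwaway
# subdomains (stand-ins for DGA output) are CNAME aliases of one canonical
# campaign name; only that canonical name carries an A record.
ZONE: Dict[str, Tuple[str, str]] = {
    "k3j2h.lure-example.test":   ("CNAME", "tds.campaign-example.test."),
    "x9q1p.lure-example.test":   ("CNAME", "tds.campaign-example.test."),
    "m7t4z.lure-example.test":   ("CNAME", "tds.campaign-example.test."),
    "tds.campaign-example.test": ("A", "198.51.100.10"),
    # Ordinary site fronted by a CDN name: looks similar, fans in far less.
    "www.shop-example.test":     ("CNAME", "cdn.shop-example.test"),
    "cdn.shop-example.test":     ("A", "203.0.113.5"),
    # Dangling alias: the target has no records at all.
    "old.shop-example.test":     ("CNAME", "gone.expired-example.test"),
    # Misconfigured loop: must not hang the resolver.
    "loop-a.example.test":       ("CNAME", "loop-b.example.test"),
    "loop-b.example.test":       ("CNAME", "loop-a.example.test"),
}


def _norm(name: str) -> str:
    """Compare names case-insensitively and ignore the trailing root dot."""
    return name.lower().rstrip(".")


def resolve(name: str, zone: Dict[str, Tuple[str, str]] = ZONE,
            max_hops: int = 8) -> Tuple[str, Optional[str], List[str]]:
    """Follow CNAME records as a resolver would.

    Returns (canonical_name, ipv4_or_None, chain).  The address is None when
    the chain ends at a name with no records (dangling) or when max_hops is
    exceeded (loop); nothing is guessed for a missing name.
    """
    chain = [_norm(name)]
    cur = chain[0]
    for _ in range(max_hops):
        rr = zone.get(cur)
        if rr is None:
            return cur, None, chain          # dangling: target has no records
        rtype, rdata = rr
        if rtype == "A":
            return cur, rdata, chain         # end of chain: real address
        cur = _norm(rdata)                   # CNAME: restart at the target
        chain.append(cur)
    return cur, None, chain                  # loop or chain too long


def cluster_by_canonical(names: Iterable[str],
                         zone: Dict[str, Tuple[str, str]] = ZONE) -> Dict[str, List[str]]:
    """Group observed hostnames by the canonical name they alias."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for n in names:
        canon, _, _ = resolve(n, zone)
        groups[canon].append(_norm(n))
    return dict(groups)


def tds_candidates(zone: Dict[str, Tuple[str, str]] = ZONE,
                   min_aliases: int = 3) -> List[str]:
    """Hunt heuristic: canonical names fronted by many distinct aliases.

    A legitimate CDN also fans in like this, so the output is a pivot for
    an analyst to investigate, not a verdict on its own.
    """
    aliases = [n for n, (rtype, _) in zone.items() if rtype == "CNAME"]
    groups = cluster_by_canonical(aliases, zone)
    return sorted(c for c, a in groups.items() if len(a) >= min_aliases)


def rotate(zone: Dict[str, Tuple[str, str]], canonical: str, new_ip: str) -> None:
    """The operator's move: change one A record and every alias follows."""
    zone[_norm(canonical)] = ("A", new_ip)


if __name__ == "__main__":
    print("fan-in candidates:", tds_candidates())
    z = dict(ZONE)
    rotate(z, "tds.campaign-example.test", "198.51.100.77")
    for host in ("k3j2h.lure-example.test", "x9q1p.lure-example.test"):
        print(host, "->", resolve(host, z)[1])
```

The point to notice is that `rotate` touches a single record, yet every alias resolves to the new address on its next lookup; the same property that makes the campaign resilient also means a defender who pivots on the canonical name covers all of the aliases at once.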
Other actors, VexTrio among them, have built traffic distribution systems on DNS before, but Infoblox describes this as the first observed use of CNAME records for that purpose. Victims who click the links in the Facebook ads are asked for a name, email address, and phone number and are then forwarded to a counterfeit trading platform, where they are pressed to fund an account.
The operators also geofilter inbound traffic, dropping visitors from countries including Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova. The report does not explain why these particular countries are excluded, but the filtering shows that target selection is deliberate rather than indiscriminate.
Separately, Guardio Labs recently reported a sharp rise in CNAME hijacking, in which subdomains of legitimate brands that had been left pointing via CNAME at domains their owners no longer controlled were taken over and used to send spam. Both stories underline that DNS records, whether an attacker's own or a brand's neglected ones, are now a routine part of attack infrastructure.
In summary, Savvy Seahorse is a financially motivated actor with a well-engineered delivery chain. It exploits no flaw in DNS itself; it uses ordinary CNAME behaviour on infrastructure it controls to make a broad, multilingual scam operation hard to take down. The same design gives defenders a handle: because every campaign subdomain aliases one canonical name, pivoting on that CNAME target in resolver logs or passive DNS data, and blocking at that point, covers the whole set of subdomains rather than requiring each one to be chased individually.