Block Rilide Stealer, a banking and crypto drainer malware #473

Closed
1 task done
summercms opened this issue Mar 10, 2024 · 0 comments
summercms commented Mar 10, 2024

Enhancement idea

  • Block Rilide Stealer, a banking and crypto drainer malware.

Description

We have identified campaigns in the wild which we will examine in detail:

  • The first Rilide campaign seems to target corporate users through the use of a PowerPoint phishing lure and a fake Palo Alto GlobalProtect plugin.
  • The second campaign advertises fake P2E (Play To Earn) games using Twitter. A beta installer was found dropping Rilide and Redline Stealer.
  • A third campaign from the last few days focuses on banking data of users in Australia and the UK, employing a unique method for loading extensions. Interestingly, we found that crypto token phishing sites from that campaign exclusively employed AngelDrainer scripts to steal cryptocurrencies from unsuspecting users' wallets. Further analysis revealed Twitter as a prominent distribution channel for these malicious activities.

During the investigation of Rilide's related domains and associated IP addresses, we discovered over 1,300 phishing websites impersonating various entities, including banks, government services, software companies, delivery services, and crypto token airdrops. Among these websites, several were found to be distributing harmful malware like BumbleBee, IceID or Phorpiex.


Targeting Summary

  • Software: 102
  • Cryptocurrencies: 75
  • Banking: 66
  • Postal and courier services: 51

Links

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/

IOC

I2P websites

n/a

IPFS websites

n/a

Tor2web websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

n/a

Domains


IP's


ASN's

n/a

Emails

n/a

Wallet addresses

n/a

Mining pool addresses

n/a

@summercms added the Code Update 🔔, In-progress, Priority: Medium and enhancement 👍 labels on Mar 10, 2024
@summercms added the FINSIHED and Testing - Passed labels and removed the In-progress label on Mar 10, 2024
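As an added example, not tooling from this issue or the repository, a parser for the IOC section layout used above that keeps only syntactically valid bare domains and IP addresses (so a pasted URL, a typo or an "n/a" placeholder never lands in the blocklist) and renders the domains as hosts-file entries. The heading-to-list mapping, the `is_valid`, `parse_ioc_report` and `hosts_lines` names and the sample values are assumptions:

```python
import ipaddress, re

# Headings of the issue's IOC template (assumed from the issue layout); None marks sections a hosts file cannot block.
SECTIONS = {
    "I2P websites": "domain", "IPFS websites": "domain", "Tor2web websites": "domain",
    "TOR websites": "domain", "Sub-Domains": "domain", "Domains": "domain", "IP's": "ip",
    "URL's": None, "Folders": None, "ASN's": None, "Emails": None,
    "Wallet addresses": None, "Mining pool addresses": None,
}
# Bare hostname only, so a scheme, path or stray space never reaches the hosts file.
DOMAIN_RE = re.compile(r"^(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")

def is_valid(kind, value):
    """True when value is a syntactically sound bare domain or IP address."""
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    return bool(DOMAIN_RE.match(value))

def parse_ioc_report(text):
    """Return ({'domain': [...], 'ip': [...]}, rejected) from issue text."""
    found, rejected, kind = {"domain": [], "ip": []}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:           # a heading switches the current list
            kind = SECTIONS[line]
            continue
        if kind is None or line.lower() == "n/a":
            continue                   # prose, empty section, or unblockable kind
        value = line.lower()
        if not is_valid(kind, value):
            rejected.append(value)     # surface for manual review, never emit
        elif value not in found[kind]:
            found[kind].append(value)  # de-duplicate case variants
    return found, rejected

def hosts_lines(domains, sink="0.0.0.0"):
    """Render domains as hosts-file entries, sorted so diffs stay stable."""
    return [f"{sink} {d}" for d in sorted(set(domains))]

# Constructed sample in the issue's layout; placeholder values, not real IoCs.
SAMPLE_ISSUE = "\n".join([
    "IOC", "", "Tor2web websites", "", "n/a", "", "Domains", "",
    "stealer-panel.example", "STEALER-PANEL.EXAMPLE", "http://not-bare.example/login",
    "", "IP's", "", "203.0.113.7", "999.1.1.1", "", "Emails", "", "n/a",
])
```

Rejected values are returned rather than dropped silently, so a malformed entry in a submitted issue shows up in review instead of vanishing from the blocklist.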