[x] Block Rilide Stealer, a banking and crypto drainer malware.
Description
We have identified campaigns in the wild that we will examine in detail:
The first Rilide campaign seems to target corporate users through the use of a PowerPoint phishing lure and a fake Palo Alto GlobalProtect plugin.
The second campaign advertises fake P2E (Play To Earn) games using Twitter. A beta installer was found dropping Rilide and Redline Stealer.
A third campaign from the last few days focuses on banking data of users in Australia and the UK, employing a unique method for loading extensions. Interestingly, we found that crypto token phishing sites from that campaign exclusively employed AngelDrainer scripts to steal cryptocurrencies from unsuspecting users' wallets. Further analysis revealed Twitter as a prominent distribution channel for these malicious activities.
During the investigation of Rilide's related domains and associated IP addresses, we discovered over 1,300 phishing websites impersonating various entities, including banks, government services, software companies, delivery services, and crypto token airdrops. Among these websites, several were found to be distributing harmful malware like BumbleBee, IceID or Phorpiex.
Enhancement idea
Targeting Summary
Links
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/
IOC
I2P websites
n/a
IPFS websites
n/a
Tor2web websites
n/a
TOR websites
n/a
URLs
n/a
Folders
n/a
Sub-Domains
n/a
Domains
IPs
ASNs
n/a
Emails
n/a
Wallet addresses
n/a
Mining pool addresses
n/a