Block `Rilide Stealer` a banking and crypto drainer malware

[summercms]

Enhancement idea

• [x] Block Rilide Stealer a banking and crypto drainer malware.

Description

We have identified campaigns in the wild which we will examine in detail:

• The first Rilide campaign seems to target corporate users through the use of a PowerPoint phishing lure and a fake Palo Alto GlobalProtect plugin.
• The second campaign advertises fake P2E (Play To Earn) games using Twitter. A beta installer was found dropping Rilide and Redline Stealer.
• A third campaign from the last few days focuses on banking data of users in Australia and the UK, employing a unique method for loading extensions. Interestingly, we found that crypto token phishing sites from that campaign exclusively employed AngelDrainer scripts to steal cryptocurrencies from unsuspecting users' wallets. Further analysis revealed Twitter as a prominent distribution channel for these malicious activities.

During the investigation of Rilide's related domains and associated IP addresses, we discovered over 1,300 phishing websites impersonating various entities, including banks, government services, software companies, delivery services, and crypto token airdrops. Among these websites, several were found to be distributing harmful malware like BumbleBee, IceID or Phorpiex.

Targeting Summary

• Software: 102
• Cryptocurrencies: 75
• Banking: 66
• Postal and courier services: 51

Links

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/

IOC

I2P websites

n/a

IPFS websites

n/a

Tor2web websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

n/a

Domains

bnbcoinstatic.com
blackfox.lol
eaougheofhuoaez.top
edd2ed2.online
ext-panel.website
extension-login.com
extensionsupdate.com
faugzeazdezgzgfm.top
frz-panel.su
getvoyagebox.org
hdoki.org
io-web.cc
lsadksajpenal.su
nightpredators.com
proyectopatentadomxapostol.com
pupkalazalupka.com
riotrevelry.com
silent-scale.com
tes123123t.com
web-lox.com

IP's

176.111.174.241
185.215.113.66
185.215.113.84
47.253.58.100
78.128.112.218
80.66.79.97
91.215.85.14

ASN's

n/a

Emails

n/a

Wallet addresses

n/a

Mining pool addresses

n/a