1/
With #P2E's popularity, threat actors are leveraging the fact that excited players are ready to jump on board to test the new game (and earn at the same time).
Here's a 🧵 about a #Redline stealer #malware from a "project" that recently launched a "beta test"
2/
I came across @DheerajShah_'s thread about how he was almost hacked, and one of the commenters caught my eye.
@_Starkcrypto shared that he was compromised by a project claiming to be a "p2e beta testing"
https://t.co/M1daLjbsKU
3/
That project is @rworldp2e (now @R_WorldP2E). After they were called out by Stark, the account changed its username lol. Here's the ID though: 1467094027480625155
It is an impersonation of the original project called @ReptileChronic @R_chronicls
4/
@R_WorldP2E shared a scam domain claiming to host the game's beta.
☣/reptileworldp2e.com
/reptileworldp2e.com/ReptileWorld_P2E_0.7.3b.rar
🌐@regru 31.31.196.45
5/
Unpacking the rar file yields a password-locked rar file and a Readme.txt that contains the password.
The second rar file contains the so-called beta game. It looks convincing as it contains the libraries and other files needed to run a "legitimate" game.
6/
Running the ReptileWorld_Launcher_Setup.exe and granting the admin permission is the start of the #Redline stealer #malware.
It begins to crawl the victim's files to steal browser data, which also includes the Metamask vault files: metamask.zendesk.com/hc/en-us/artic…
7/
The stolen data is then exfiltrated to a command and control server (C&C) for the threat actors to check your data and begin their devious acts. And one example is stealing your digital assets, which is what @_Starkcrypto experienced.
8/
Interestingly, it is the same C&C used for a fake @rStellaFantasy, which is a #P2E project as well.
The botnet value for the fake Stella Fantasy was "07.06", and "29.06" for Reptile Chronicles. This is very likely the starting date of the campaign.
9/
How do you protect yourself against this?
- Use a hardware wallet
- Don't download and run shady files, especially if there's no established trust from multiple users who are eager to play the game. The testimonials may be bottled, so verify it on various sources, ask a lot.
10/
#Redline stealer #malware IOCs
initial rar: 557d8f41efbdec0435d9cf5f001f0d8a
bazaar.abuse.ch/sample/6dcb56e…
second rar: 557d8f41efbdec0435d9cf5f001f0d8a
pw: RW073
bazaar.abuse.ch/sample/33c1246…
C&C: 193.124.22[.]17:23520
@JAMESWT_MHT @malwrhunterteam @dubstard @sniko_ @ActorExpose
Meant to say botted here...when edit button 😢
@JAMESWT_MHT @malwrhunterteam @dubstard @sniko_ @ActorExpose yikes, copied the MD5 hash of the 1st rar to the 2nd one...should be:
second rar: 0678a21c1105c84324861ed03508c0eb
pw: RW073
bazaar.abuse.ch/sample/33c1246…
exe only: bazaar.abuse.ch/sample/7ee8966…
#Redline stealer #malware
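A defender-side check built from the IOCs in the thread (added example, not part of the original thread): it refangs the defanged C&C indicator, matches file contents against the published MD5s (using the corrected second-rar hash from the follow-up tweet), and scans constructed firewall-style log lines for connections to the C&C host:port. The log format and the sample lines are assumptions.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# IOCs as published in the thread; second-rar hash is the corrected value.
IOC_MD5 = {
    "557d8f41efbdec0435d9cf5f001f0d8a": "initial rar (ReptileWorld_P2E_0.7.3b.rar)",
    "0678a21c1105c84324861ed03508c0eb": "second, password-locked rar",
}
IOC_C2 = "193.124.22[.]17:23520"  # defanged, exactly as written in the thread


def refang(indicator: str) -> str:
    """Turn a defanged indicator (e.g. 193.124.22[.]17, hxxp://) back into its literal form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def c2_endpoint(defanged: str) -> Tuple[str, int]:
    """Split a defanged host:port indicator into (host, port)."""
    host, port = refang(defanged).rsplit(":", 1)
    return host, int(port)


def hash_matches(data: bytes) -> Optional[str]:
    """Return the IOC label if the MD5 of `data` is one of the published sample hashes."""
    return IOC_MD5.get(hashlib.md5(data).hexdigest())


# Constructed firewall log lines (assumed format, not real traffic) for the detection check.
SAMPLE_LOG = """\
2022-07-01T10:02:11Z ALLOW 10.0.0.12:51234 -> 142.250.74.78:443
2022-07-01T10:02:19Z ALLOW 10.0.0.12:51240 -> 193.124.22.17:23520
2022-07-01T10:03:05Z ALLOW 10.0.0.12:51241 -> 193.124.22.17:443
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")


def find_c2_connections(log_text: str, defanged_c2: str = IOC_C2) -> List[str]:
    """Return timestamps of log lines whose destination equals the C&C host:port exactly."""
    host, port = c2_endpoint(defanged_c2)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("dst") == host and int(m.group("port")) == port:
            hits.append(m.group("ts"))
    return hits
```

Connections to the same host on another port (third sample line) are deliberately not reported by the exact-match check; widen it to host-only matching if you want those as lower-confidence hits.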