1/
With #P2E's popularity, threat actors are leveraging on the fact that excited players are ready to jump on board to test the new game (and earn at the same time).
Here's a 🧵about a #Redline stealer #malware from a "project" that recently launched a "beta test"
With #P2E's popularity, threat actors are leveraging on the fact that excited players are ready to jump on board to test the new game (and earn at the same time).
Here's a 🧵about a #Redline stealer #malware from a "project" that recently launched a "beta test"
2/
I came across @DheerajShah_'s thread about how he was almost hacked, and one of the commenters caught my eye.
@_Starkcrypto shared that he was compromised by a project claiming to be a "p2e beta testing"
https://t.co/M1daLjbsKU
I came across @DheerajShah_'s thread about how he was almost hacked, and one of the commenters caught my eye.
@_Starkcrypto shared that he was compromised by a project claiming to be a "p2e beta testing"
https://twitter.com/_Starkcrypto/status/1542586718099873793
https://t.co/M1daLjbsKU
3/
That project is @rworldp2e (now @R_WorldP2E). As they were called out by Stark, the account changed the username lol. Here's the ID though: 1467094027480625155
It is an impersonation of the original project called @ReptileChronic @R_chronicls
That project is @rworldp2e (now @R_WorldP2E). As they were called out by Stark, the account changed the username lol. Here's the ID though: 1467094027480625155
It is an impersonation of the original project called @ReptileChronic @R_chronicls
https://twitter.com/1467094027480625155/status/1541683289169313794
4/
@R_WorldP2E's shared a scam domain claiming to host the game's beta.
☣/reptileworldp2e.com
/reptileworldp2e.com/ReptileWorld_P2E_0.7.3b.rar
🌐@regru 31.31.196.45
@R_WorldP2E's shared a scam domain claiming to host the game's beta.
☣/reptileworldp2e.com
/reptileworldp2e.com/ReptileWorld_P2E_0.7.3b.rar
🌐@regru 31.31.196.45
5/
Upon unpacking the rar file, a password-locked rar file and a Readme.txt is given which contains the password.
The second rar file, contains the so-called beta game. It looks convincing as it contains the libraries and other files to run a "legitimate" game.
Upon unpacking the rar file, a password-locked rar file and a Readme.txt is given which contains the password.
The second rar file, contains the so-called beta game. It looks convincing as it contains the libraries and other files to run a "legitimate" game.
6/
Running the ReptileWorld_Launcher_Setup.exe and granting the admin permission is the start of the #Redline stealer #malware.
It begins to crawl on the victim's files to steal browser data, which also contains the Metamask vault files: metamask.zendesk.com/hc/en-us/artic…
Running the ReptileWorld_Launcher_Setup.exe and granting the admin permission is the start of the #Redline stealer #malware.
It begins to crawl on the victim's files to steal browser data, which also contains the Metamask vault files: metamask.zendesk.com/hc/en-us/artic…
7/
The stolen data is then exfiltrated to a command and control server (C&C) for the threat actors to check your data and begin their devious acts. And one example is stealing your digital assets, which is what @_Starkcrypto experienced.
The stolen data is then exfiltrated to a command and control server (C&C) for the threat actors to check your data and begin their devious acts. And one example is stealing your digital assets, which is what @_Starkcrypto experienced.
8/
Interestingly, it is the same C&C used for a fake @rStellaFantasy, which is a #P2E project as well.
The botnet value for the fake stella fantasy was "07.06", and "29.06" for reptile chronicles. This is very likely the starting date of the campaign.
Interestingly, it is the same C&C used for a fake @rStellaFantasy, which is a #P2E project as well.
The botnet value for the fake stella fantasy was "07.06", and "29.06" for reptile chronicles. This is very likely the starting date of the campaign.
https://twitter.com/Iamdeadlyz/status/1536327525143814144
9/
How do you protect yourself against this?
- Use a hardware wallet
- Don't download and run shady files, especially if there's no established trust from multiple users who are eager to play the game. The testimonials may be bottled, so verify it on various sources, ask a lot.
How do you protect yourself against this?
- Use a hardware wallet
- Don't download and run shady files, especially if there's no established trust from multiple users who are eager to play the game. The testimonials may be bottled, so verify it on various sources, ask a lot.
10/
#Redline stealer #malware IOCs
initial rar: 557d8f41efbdec0435d9cf5f001f0d8a
bazaar.abuse.ch/sample/6dcb56e…
second rar: 557d8f41efbdec0435d9cf5f001f0d8a
pw: RW073
bazaar.abuse.ch/sample/33c1246…
C&C: 193.124.22[.]17:23520
@JAMESWT_MHT @malwrhunterteam @dubstard @sniko_ @ActorExpose
#Redline stealer #malware IOCs
initial rar: 557d8f41efbdec0435d9cf5f001f0d8a
bazaar.abuse.ch/sample/6dcb56e…
second rar: 557d8f41efbdec0435d9cf5f001f0d8a
pw: RW073
bazaar.abuse.ch/sample/33c1246…
C&C: 193.124.22[.]17:23520
@JAMESWT_MHT @malwrhunterteam @dubstard @sniko_ @ActorExpose
Meant to say botted here...when edit button 😢
@JAMESWT_MHT @malwrhunterteam @dubstard @sniko_ @ActorExpose yikes, copied the MD5 hash of the 1st rar to the 2nd one...should be:
second rar: 0678a21c1105c84324861ed03508c0eb
pw: RW073
bazaar.abuse.ch/sample/33c1246…
exe only: bazaar.abuse.ch/sample/7ee8966…
#Redline stealer #malware
second rar: 0678a21c1105c84324861ed03508c0eb
pw: RW073
bazaar.abuse.ch/sample/33c1246…
exe only: bazaar.abuse.ch/sample/7ee8966…
#Redline stealer #malware
• • •
Missing some Tweet in this thread? You can try to
force a refresh
