IronNet analyzes how the Robin Banks phishing-as-a-service platform has evolved to evade takedowns, relocate infrastructure to a Russian provider, and add features like cookie-stealing to bypass MFA. The study highlights how open-source code and off-the-shelf tools lower the barrier to entry for phishers and PhaaS operators, while attackers continually adapt to stay ahead of defenses. Hashtags: #RobinBanks #Adspect #Evilginx2 #DDOS_GUARD #IronNet #Cloudflare
Keypoints
- Cloudflare disrupted Robin Banks phishing infrastructure, prompting the operators to relocate and push evasive updates.
- Robin Banks introduced a cookie-stealing feature to bypass MFA, sold as an add-on to the phishing kit.
- Platform relies heavily on open-source code and off-the-shelf tooling, signaling a low barrier-to-entry for PhaaS.
- Infrastructure moved to DDOS-GUARD (a Russian provider) with enhanced security measures, including 2FA for kit customers or Telegram delivery of phished data.
- Administrators created private Telegram channels; public exposure of communications occurred during internal disputes, and new domains (ironnet.click, ironpages.club) were registered in response to findings.
- Kit analysis reveals obfuscated PHP (ob.php) and use of Adspect, plus a new cookie-stealing workflow based on open-source Evilginx2 technology.
MITRE Techniques
- [T1566] Initial Access: Phishing - The Robin Banks platform conducts phishing to target bank customers. "Threat actors using the Robin Banks platform conduct phishing."
- [T1027] Obfuscated/Compressed Files and Information - The phishing kit contains obfuscated code (ob.php) produced with an open-source PHP obfuscator. "not human-readable and were obfuscated using an open-source obfuscation script, PHP obfuscator."
- [T1539] Steal Web Session Cookies - Cookie-stealing feature to bypass MFA using login session cookies, built on Evilginx2. "advertising its 'own methodology' to bypass 2FA via the stealing of login session cookies."
Indicators of Compromise
- [Domain] verify-fargo.info - sample phishing domain used to lure victims.
- [Domain] www.securebofa.online - sample phishing domain used to lure victims.
- [Domain] Suncoastportal.online - sample phishing domain used to lure victims.
- [Domain] Truistclientauth.com - sample phishing domain used to lure victims.
- [Domain] Authchecks.com - sample phishing domain used to lure victims.
- [Domain] 9dumbdomain1.ru - hosting domain observed in infrastructure.
- [Domain] 9dumbdomain2.ru - hosting domain observed in infrastructure.
- [Domain] dumb1.su - hosting domain observed in infrastructure.
- [IP] 185.38.142.28 - hosting server IP observed in infrastructure.
- [IP] 185.61.137.142 - hosting server IP observed in infrastructure.
- [Domain] ironnet.click - domain registered in response to findings; redirect/hosting context.
- [Domain] ironpages.club - domain used to host phishing kit contents.
- [Domain] robinbanks.su - admin/content domain associated with Robin Banks.
- [Hash] 8ad780fea4e64463f292ed232cabc9032844334ae070a5090c60e6528f4a69e4 (robinbanks.zip)
- [Hash] c8f1876becaadd5c65c91e23d3755b6ab2a84c4dd66f702da657f02b17931dec (blacklist.txt)
- [Hash] 7355bfb6ab0e8e45615f7086091b043472568a9ae61ecb8c8d8f699df0c29956 (config.yaml)
- [Hash] 10d25dd902a46d9c50908390227d971ca2b9ddb782b88c60daed051e2f16c942 (Robinbanks binary - evilginx2)
- [URL] dfsajsk.php - landing page interaction path indicative of communications to the phishing landing page.
Read more: https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2