Threat Actors are exploiting FIFA World Cup buzz to run a range of scams, including crypto phishing with fake NFT drops, fake FIFA-themed domains, WhatsApp-led scams, and broad malware campaigns. Cyble Research & Intelligence Labs (CRIL) documents multiple lure types and malware distributions targeting fans, urging cautious verification of sites and downloads.
#CRIL #Cyble #RedlineStealer #FIFA23 #Kora442 #PlaysKeep
Key points
- Threat actors weaponize the FIFA World Cup fever with phishing sites and crypto scams offering fake NFT drops and crypto wallets.
- Phishing sites such as football-blnance[.]com impersonate Binance to steal sensitive information via NFT offers, including a “Connect wallet” step.
- WhatsApp and social media scams push a false “free 50GB data” offer tied to FIFA, guiding users to scam sites and wallet verification flows.
- A YouTube-driven campaign distributed a cracked FIFA 23 game that bundled Redline Stealer, showing mass-scale distribution of malware tied to the event.
- The Android RAT campaign (“Kora 442”) uses a dedicated page to distribute a malicious app that harvests broad device data and exfiltrates it via C2.
- CRIL lists multiple IOCs (hashes, URLs) associated with phishing domains, APKs, and C2 infrastructure, underscoring the need for vigilant IOC monitoring.
- Recommendations emphasize downloading from official stores, using security software, MFA, and user education to mitigate event-driven campaigns.
MITRE Techniques
- [T1566] Phishing – Initial Access via fake FIFA-themed sites offering NFT rewards to steal credentials. Quoted: “…phishing sites … attempting to trick users into giving sensitive information by offering free Non-Fungible Tokens (NFTs).”
- [T1204] User Execution – Execution when users click actions like “Connect wallet” leading to wallet compromise. Quoted: “When a user clicks on “Connect wallet” to claim the NFTs, the phishing site displays the QR code, and the user’s wallet account will be compromised upon scanning.”
- [T1476] Deliver Malicious App via Other Means – Initial access by users downloading a malicious app disguised as FIFA content. Quoted: “The download link “hxxps://www[.]playskeep.com/fifa-23” hosted the Redline stealer masqueraded as FIFA 13 cracked game. When a user clicks on the “FREE DOWNLOAD” button, the malicious website starts downloading the “FIFA 23 [Cracked].rar” file …”
- [T1071] Application Layer Protocol – Command and control over standard protocols; Quoted: “The malware fetches the C&C server URL from a variable ‘BBB’… saved in the Shared Preferences file ‘appPreferencess.xml’.”
- [T1412] Capture SMS Messages – Data collection includes SMS; Quoted: “Contact list” and “SMS data” among other capabilities in the Android RAT list.
- [T1432] Access Contacts List – Part of the data exfiltrated by Android RAT. Quoted: “Contact list” among other data.
- [T1433] Access Call Logs – Part of the data exfiltrated by Android RAT. Quoted: “Call logs” among other data.
- [T1517] Data from Local System – RAT can download payloads and exfiltrate local data; Quoted: “Download payload on runtime” and similar items in the data list.
- [T1533] Capture Audio – Android RAT can capture audio as part of data theft; Quoted: “Capture Audio” in the data list.
- [T1429] Data from Clipboard – Android RAT can access clipboard data; Quoted: “Clipboard data” in the list.
- [T1555] Credentials from Password Stores – RAT may access stored credentials; Quoted: “Credentials from Password Stores” as part of data access list.
- [T1528] Steal Web Session Cookies – RAT capable of stealing session tokens; Quoted: “Steal Web Session Cookies” among the list.
- [T1124] System Time Discovery – Discovery of system time as part of reconnaissance. Quoted: “System Time Discovery” in the Discovery section.
- [T1518] Software Discovery – Discovery of software on the device; Quoted: “Software Discovery.”
- [T1007] System Service Discovery – Discovery of system services; Quoted: “System Service Discovery.”
- [T1429] Data from Clipboard – See above.
- [T1071] Application Layer Protocol – Listed again for the Android RAT's C2 channel; Quoted: “Application Layer Protocol.”
Indicators of Compromise
- [SHA256] 02cfa159f85e15bd24808859d6cbf1b8e8d21352e7290ba5477744f711bb752b, 629a4c31ae491844997dacde42e85f1a8d632a1b599281d498660b8d9cb36bdd – Hashes for malicious APK/RAR payloads.
- [SHA1] 9c904c821edaff095e833ee342aedfcaac337e04, e5fa481e5590dd79b73ea483f987cc28afbc0ddb – Additional APK/RAR hashes.
- [MD5] 6905fac52473837ed4c548915b5c65a3, c285987ec716c444fcd7d4c17bb2fc54 – More file hashes for associated samples.
- [URL] hxxps://kora442[.]com – Android RAT distribution site referenced in the Facebook distribution chain.
- [URL] hxxps://firebaseconnections[.]com/backendNew/public/api/ – C2-related endpoint cited in the Android RAT activity.
- [SHA256] 629a4c31ae491844997dacde42e85f1a8d632a1b599281d498660b8d9cb36bdd – Redline Stealer payload hash (RAR).
- [URL] hxxps://www.playskeep[.]com/fifa-23 – Malicious download site hosting FIFA 23 cracked game to deliver Redline Stealer.
- [URL] football-blnance[.]com – Crypto phishing domain posing as NFT giveaways.
- [URL] claim-fifa[.]live – Crypto phishing domain offering FIFA-related NFT packs.
- [URL] hxxp://www.fifa-uj[.]top – WhatsApp scam site promising free data; links to verification flow.
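The IOC list above is only useful once it is matched against telemetry. The following is an added example, not code from CRIL or the blog post, that refangs the page's defanged URLs and hashes, normalizes hostnames, and scans a handful of constructed proxy/DNS/EDR log lines for matches. It assumes the defanged `hxxp`/`[.]` notation used on the page, treats the stray extra dot in `kora442[.].com` as a typo for `kora442[.]com`, and goes slightly beyond the page by matching subdomains of a listed host (so a lookup of `api.firebaseconnections.com` counts as a hit) while refusing to match a listed host that merely appears as a prefix of an unrelated name. The log lines are invented sample input, not real telemetry.

```python
import re
from dataclasses import dataclass

# Defanged indicators as listed on the page (hxxp / [.] notation).
# "kora442[.].com" on the page is assumed to be a typo for "kora442[.]com".
DEFANGED_URLS = [
    "hxxps://kora442[.]com",
    "hxxps://firebaseconnections[.]com/backendNew/public/api/",
    "hxxps://www.playskeep[.]com/fifa-23",
    "football-blnance[.]com",
    "claim-fifa[.]live",
    "hxxp://www.fifa-uj[.]top",
]

# SHA256 / SHA1 / MD5 values from the page's IOC list, all lowercase hex.
FILE_HASHES = {
    "02cfa159f85e15bd24808859d6cbf1b8e8d21352e7290ba5477744f711bb752b",
    "629a4c31ae491844997dacde42e85f1a8d632a1b599281d498660b8d9cb36bdd",
    "9c904c821edaff095e833ee342aedfcaac337e04",
    "e5fa481e5590dd79b73ea483f987cc28afbc0ddb",
    "6905fac52473837ed4c548915b5c65a3",
    "c285987ec716c444fcd7d4c17bb2fc54",
}


def refang(indicator: str) -> str:
    """Turn hxxp:// and [.] notation back into a real URL or host string."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


def normalize_host(host: str) -> str:
    """Lowercase, drop a trailing dot and a leading 'www.' so variants compare equal."""
    h = host.lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def hostname_of(indicator: str) -> str:
    """Extract the normalized hostname from a refanged URL or bare domain."""
    s = re.sub(r"^[a-z]+://", "", refang(indicator), flags=re.IGNORECASE)
    return normalize_host(s.split("/")[0].split(":")[0])


MALICIOUS_HOSTS = {hostname_of(d) for d in DEFANGED_URLS}


def is_listed_host(host: str, bad_hosts: set) -> bool:
    """True if host is a listed host or a subdomain of one; the check is anchored
    so that 'kora442.com.example.org' does NOT match 'kora442.com'."""
    h = normalize_host(host)
    return any(h == bad or h.endswith("." + bad) for bad in bad_hosts)


@dataclass
class Hit:
    line_no: int
    indicator: str
    kind: str  # "host" or "hash"


# Hostnames (optionally with scheme/port/path) and 32/40/64-char hex digests.
HOST_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?(?:/[^\s\"']*)?", re.IGNORECASE
)
HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.IGNORECASE)


def scan_lines(lines) -> list:
    """Return one Hit per IOC match found in the given log lines (1-indexed)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            if is_listed_host(m.group(1), MALICIOUS_HOSTS):
                hits.append(Hit(n, normalize_host(m.group(1)), "host"))
        for m in HEX_RE.finditer(line):
            if m.group(0).lower() in FILE_HASHES:
                hits.append(Hit(n, m.group(0).lower(), "hash"))
    return hits


# Constructed sample log lines (not real telemetry) exercising each match path.
SAMPLE_LOGS = [
    "2022-12-10T09:14:02Z proxy user=alice dst=https://www.playskeep.com/fifa-23 action=allow",
    "2022-12-10T09:15:44Z dns query=claim-fifa.live type=A client=10.0.0.7",
    "2022-12-10T09:16:10Z proxy user=bob dst=https://www.fifa.com/ action=allow",
    "2022-12-10T09:20:31Z edr file=FIFA 23 [Cracked].rar "
    "sha256=629a4c31ae491844997dacde42e85f1a8d632a1b599281d498660b8d9cb36bdd",
    "2022-12-10T09:22:05Z dns query=api.firebaseconnections.com type=A client=10.0.0.9",
    "2022-12-10T09:25:00Z dns query=kora442.com.example.org type=A client=10.0.0.3",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} match on {hit.indicator}")
```

Lines 1, 2, 4 and 5 of the sample produce hits (two listed hosts, one listed hash, one subdomain of a listed host); line 3 is a legitimate FIFA domain and line 6 shows why the suffix check must be anchored on a dot boundary rather than a bare substring match.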
Read more: https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/