Riltok is a mobile banking Trojan that uses mobile phishing pages to steal credit card information from its victims. Discovered in 2018, Riltok started out solely attacking Russian targets, yet it quickly began attacking victims in other European countries as well. The Trojan is spread via malicious SMS messages, which contain links that direct the victims to a fake website posing as a popular free ad service.

Once on the website, victims are prompted to click and download the Trojan, disguised as the ad service’s mobile app. If downloaded, Riltok connects to its C&C server to exfiltrate device data, and opens a fake Google Play screen or phishing page in a browser, requesting the victim’s bank card details.

The ThreatSTOP Security and Research Team came across a SecureList report on the banking Trojan, and decided to look deeper in to the threat’s infrastructure. While analyzing the IoCs published in the report, our team noticed nine domains posing as “leboncoin,” a French ad service:

  • leboncoin-bk[.]top
  • leboncoin-buy[.]pw
  • leboncoin-cz[.]info
  • leboncoin-f[.]pw
  • leboncoin-jp[.]info
  • leboncoin-kp[.]top
  • leboncoin-ny[.]info
  • leboncoin-ql[.]top
  • leboncoin-tr[.]info

All of these domains are currently hosted on the IP 185[.]87[.]187[.]198. Checking out this IP uncovered four new “leboncoin”-related domains, but a look in to the original domains’ past resolve uncovered much more exciting findings.

The domains had been previously hosted on 185[.]62[.]190[.]71, changing IPs on May 14th 2019.


This newly discovered IP has hosted, and currently hosts, many previously-undiscovered fake “leboncoin” domains.


Our analysts also noticed that most of the domains have .info or .top TLDs, while some of the domains have both a .info and .top version.


In some cases, searching the domains that only had one TLD while using the opposite TLD found other active fake “leboncoin” domains. For example, our team created and searched the domain m-leboncoin[.]top as an opposite-TLD version of m-leboncoin[.]info which was discovered on the IP 185[.]62[.]190[.]71. The newly found domain resolves to another previously unrelated IP - 195[.]93[.]152[.]111 - which also hosts over 100 fake “leboncoin” domains.


In addition to the newly found domains, our analysts also noticed that all of the domains in this infrastructure have active www subdomains. After starting out with only 9 domains, we’ve created a list of over 230 new domains found by looking in to shared IPs, switching TLDs, and finding the www subdomains.


If you’re interested in learning more about how ThreatSTOP protects you against Riltok and other mobile banking Trojans, check us out below. Try us out for 14 days free or request a quick demo to see what we’re about.

Get a Demo       


If you’re already a ThreatSTOP user, you’re protected against JasperLoader in our TS Originated - Core Threats - IPs and TS Originated - Core Threats - Domains targets.