Royal Ripper: Multi-Stage Phishing Attack Adapts to Victim Input

PhishLabs is monitoring a multi-stage phishing campaign that impersonates government entities and telecoms to target financial institutions and their customers. The threat actor behind the attacks has been designated Royal Ripper. The initial stage of the attack harvests personal information and the sort code of the victim’s bank. It then uses the sort code to redirect the victim to a second phishing site that poses as their bank. This progression allows the threat actor to use a non-banking lure to draw in victims and ultimately steal their online banking credentials. 
How it works
Royal Ripper’s attack begins with a lure that impersonates either a government agency, telecommunications company, or online payments service via text. In the example below, the initial SMS lure poses as a tax return notice from HM Revenue and Customs.
The message claims the victim is due funds and must follow the link https://uk.{redacted}.com// to apply for reimbursement.
Ripper Tax Refund copy-1
The link leads to a phishing page prompting the victim to enter their full name and UK postcode to sign in.
Details copy
The second page of the phishing site asks for personal credit card details and, in a novel move, the sort code (or routing number) of the victim’s bank. This data is used to identify the corresponding financial institution and send the victim to a secondary phishing page impersonating their bank. 
Once the victim has accessed the page, they are prompted to enter their banking ID and password. 
bank copy
An open directory listing is on the /banks/ directory of each phishing URL. 
Sort codes for each financial institution are in the .txt files located in the /codes/ directory. 
logs copy
Stolen credentials are stored in the /assets/logs/directory. The banks .txt file is used to store credentials harvested by the banking phish, while fullz.txt stores personal information gathered from the earlier stages of the attack. Additionally, the phish kit logs the IP addresses of visitors and any attempted visits that are blocked.
Most phishing sites that steal banking credentials impersonate the target bank in the lure and phishing site. The multi-stage progression adapts to victim input, allowing Royal Ripper to deploy a less suspicious, non-banking lure to harvest credentials for dozens of banks in a single campaign. This campaign is ongoing and PhishLabs is tracking its progress as it evolves.
Additional Resources:

Article Link: