A new variant of the RedLine information stealer is being distributed via email using a fake Omicron COVID-19 stat counter app as a lure.
RedLine is a widely used malware sold to cybercriminals for a few hundred dollars. It supplies dark web markets with more than half of the stolen user credentials sold to other threat actors.
The malware is actively developed and continuously improved, and is deployed widely through several distribution methods.
RedLine targets account credentials stored in browsers, VPN passwords, credit card details, cookies, instant messaging content, FTP credentials, cryptocurrency wallet data, and system information.
The most recent variant was spotted by analysts at Fortinet, who noticed several new features and improvements on top of its existing information-stealing capabilities.
Additional data targeting
The new variant added a few more info points to exfiltrate, such as:
- Graphics card name
- BIOS manufacturer, ID code, serial number, release date and version
- Disk drive manufacturer, model, total number of heads and signature
- Processor (CPU) information such as unique ID, processor ID, manufacturer, name, maximum clock speed, and motherboard information
This data is retrieved the first time the “Omicron Stats.exe” decoy is run, which decompresses the malware and injects it into vbc.exe.
Additional apps targeted by the new RedLine variant are the Opera GX web browser, OpenVPN, and ProtonVPN.
Previous versions of RedLine targeted regular Opera, but the GX is a “gamer-focused” special edition that is growing in popularity.
Additionally, the malware now searches Telegram folders to locate images and conversation histories and send them back to the threat actor’s servers.
Finally, local Discord resources are inspected more thoroughly to discover and steal access tokens, logs, and database files.
By analyzing the new campaign, the researchers found an IP address in Britain communicating with the command and control server through the Telegram messaging service.
The victims are spread across 12 countries and the attack does not focus on specific organizations or individuals.
“This variant uses 207[.]32.217.89 as C2 server via port 14588. This IP belongs to 1gservers,” explains the Fortinet report.
“In the few weeks since the release of this variant, we noticed an IP address (149[.]154.167.91) in particular communicating with this C2 server.”
As this is a new version of RedLine, we’ll likely see other threat actors embrace its use soon.