Security advisories — Apr 06, 2022

Increase in Redline Stealer Observations

THE THREAT

Starting in mid-March 2022, eSentire observed an increase in the deployment of Redline Stealer malware. Redline Stealer is an information-stealing malware that was first identified in early 2020. The malware is available for sale on multiple dark web marketplaces, meaning that it is in active use by a wide variety of threat actor groups. The malware is primarily focused on the theft of browser credentials from infected systems, but it also has the capability to download and execute files from the Internet.

In recent observations, Redline Stealer is distributed via drive-by downloads that impersonate legitimate software installers. Organizations are encouraged to review and apply the relevant recommendations provided below.

What we're doing about it

What you should do about it

Additional information

It should be noted that Redline Stealer is often bundled with other malicious content. In a recent observation, the malware was delivered along with a malicious browser extension and backdoor malware.

Redline Stealer was previously delivered via malicious documents in email. In recent campaigns, eSentire has observed Redline Stealer being delivered through drive-by downloads and malicious advertisements for legitimate software. Impersonated software observed by eSentire includes Rufus and Photoshop. External reports [2] [3] [4] claim Redline has also been delivered via trojanized versions of Viber, WeChat, Nox, Battlefield, Windows 11 Upgrade, Telegram, and Signal.

As Redline Stealer is readily available for sale online, it is being used by a range of different threat actor groups. Notably, Redline Stealer is reported to be used by the Lapsus$ extortion group (DEV-0537) in order to steal victim passwords and session tokens that can be used to gain wide access into victim organizations [5] [6]. Quickly identifying and remediating malware such as Redline Stealer is critical in preventing more serious attacks from occurring, such as extortion or ransomware deployment.

Due to an overlap in TTPs and Indicators of Compromise (IOCs), the eSentire Threat Intelligence team assesses with high confidence that the recent incidents are part of the Magnat campaign previously reported on by Cisco Talos [2].

For additional background on Redline Stealer malware, see the eSentire report “Cybercriminals Use Malicious Google Ads to Lure Computer Users to Spoofed Signal and Telegram Websites, Infecting them with Info-Stealing Malware” [7].

Indicators of Compromise

IP addresses (defanged):
95[.]179.163.157
49[.]12.69.202
193[.]106.191.226
185[.]250.148.76
142[.]132.176.217

Domain (defanged):
santaanarealtor[.]icu

File hashes (SHA-256) with the observed filename or file type:
68aebb2f33f1475abc863495a1bf4a43de6fa267bedad1e64a037f60e3da707d  nox_setup_90096.exe
7f8719853907276c95f4b55cff405623e1805321b2c7489209054e6e329bbc24  win32.exe
9400e04c7688ea2aba757c10d545b0bfe26a9de34d20e5d5996b2c760b9c5b14  rufus_setup66893.exe
c554f7a6a906977f5ba845574791611e2ce7d30cdb282afd4c2c757375b6a216  FileSetups.exe
21f75c124ad6687826d5436e7bebfe8058d45ed85376598d87b5e61f792514d2  VBS script
563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14  VBS script
6d027644a864461be84cf717e212247b3d7ab7b4c99445e28279b037a89fdaa7  VBS script
7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512  VBS script
897f917ee1f7116fee402c8e7f2a12e3a9ad05a81a4ac5108bed49a63e5c024e  VBS script
c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928  VBS script
dc42333f20b3a524dc7d7a1c3301188d36642fb077758c2ab4d824a0439ecd00  VBS script
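The indicators above are published defanged, so they cannot be pasted straight into a search. The following script is an added example (not eSentire's tooling) that refangs the advisory's list, sorts each indicator into IP, domain or SHA-256 buckets, and sweeps plain-text log lines for any match, including subdomains of the listed domain. The log lines, the hostnames and the RFC 5737 address 203.0.113.10 in SAMPLE_LOG are constructed for the demonstration; only the IOC values are taken from the advisory.

```python
import re

# The advisory's IOC list, copied as published (defanged). Labels are the
# filenames or file types given beside each hash.
RAW_IOCS = """
95[.]179.163.157 IP Address
49[.]12.69.202 IP Address
193[.]106.191.226 IP Address
185[.]250.148.76 IP Address
142[.]132.176.217 IP Address
santaanarealtor[.]icu Domain
68aebb2f33f1475abc863495a1bf4a43de6fa267bedad1e64a037f60e3da707d nox_setup_90096.exe
7f8719853907276c95f4b55cff405623e1805321b2c7489209054e6e329bbc24 win32.exe
9400e04c7688ea2aba757c10d545b0bfe26a9de34d20e5d5996b2c760b9c5b14 rufus_setup66893.exe
c554f7a6a906977f5ba845574791611e2ce7d30cdb282afd4c2c757375b6a216 FileSetups.exe
21f75c124ad6687826d5436e7bebfe8058d45ed85376598d87b5e61f792514d2 VBS Script
563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14 VBS Script
6d027644a864461be84cf717e212247b3d7ab7b4c99445e28279b037a89fdaa7 VBS Script
7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512 VBS Script
897f917ee1f7116fee402c8e7f2a12e3a9ad05a81a4ac5108bed49a63e5c024e VBS Script
c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928 VBS Script
dc42333f20b3a524dc7d7a1c3301188d36642fb077758c2ab4d824a0439ecd00 VBS Script
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Tokens worth comparing: hostnames, IPs, hashes, filenames. '=', ':', '/', '\'
# and whitespace act as separators, so "dst=1.2.3.4" yields "dst" and "1.2.3.4".
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-_]+")


def refang(value: str) -> str:
    """Undo the common defanging forms: 1[.]2[.]3[.]4 and hxxp://."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text: str) -> dict:
    """Sort the advisory's lines into {'ip': set, 'domain': set, 'sha256': {hash: label}}."""
    iocs = {"ip": set(), "domain": set(), "sha256": {}}
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue
        value, label = refang(parts[0]).lower(), parts[1].strip()
        if SHA256_RE.match(value):
            iocs["sha256"][value] = label
        elif IPV4_RE.match(value):
            iocs["ip"].add(value)
        else:
            iocs["domain"].add(value)
    return iocs


def scan_line(line: str, iocs: dict) -> list:
    """Return (kind, value) pairs for every indicator found in one log line."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        t = tok.lower()
        if t in iocs["ip"]:
            hits.append(("ip", t))
        elif t in iocs["sha256"]:
            hits.append(("sha256", f"{t} ({iocs['sha256'][t]})"))
        elif t in iocs["domain"] or any(t.endswith("." + d) for d in iocs["domain"]):
            hits.append(("domain", t))  # exact match or a subdomain of a listed domain
    return hits


def scan_log(lines, iocs: dict) -> list:
    """Sweep all lines; returns (line_number, kind, value) triples in order."""
    return [(n, kind, val)
            for n, line in enumerate(lines, 1)
            for kind, val in scan_line(line, iocs)]


# Constructed sample: one proxy line for an installer download from the listed
# domain, one EDR process-start line carrying a listed hash, one benign line.
SAMPLE_LOG = [
    "2022-04-01T10:00:00Z proxy src=10.0.0.5 dst=95.179.163.157 host=santaanarealtor.icu url=/rufus_setup66893.exe action=allow",
    "2022-04-01T10:00:05Z edr host=WS01 event=process_start image=C:\\Users\\a\\Downloads\\rufus_setup66893.exe sha256=9400e04c7688ea2aba757c10d545b0bfe26a9de34d20e5d5996b2c760b9c5b14",
    "2022-04-01T10:01:00Z proxy src=10.0.0.7 dst=203.0.113.10 host=updates.example.com url=/ action=allow",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_log(SAMPLE_LOG, parse_iocs(RAW_IOCS)):
        print(f"line {line_no}: {kind} match {value}")
```

Matching is exact per token (after lowercasing), so a hash hit names the filename the advisory associated with it, which is useful when the file on disk has been renamed. Network indicators such as shared hosting IPs can age quickly, so a hit on an IP alone is a lead for triage rather than confirmation of infection.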

References

[1] https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege
[2] https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html
[3] https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/
[4] https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer
[5] https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
[6] https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/
[7] https://www.esentire.com/security-advisories/cybercriminals-use-malicious-google-ads-to-lure-computer-users
