Security advisories — Apr 06, 2022

Increase in Redline Stealer Observations

THE THREAT

Starting in mid-March 2022, eSentire observed an increase in the deployment of Redline Stealer malware. Redline Stealer is an information-stealing malware that was first identified in early 2020. The malware is available for sale on multiple dark web marketplaces, meaning that it is in active use by a wide variety of threat actor groups. The malware is primarily focused on the theft of browser credentials from infected systems, but it also has the capability to download and execute files from the Internet.

In recent observations, Redline Stealer is distributed via drive-by downloads that impersonate legitimate software installers. Organizations are encouraged to review and apply the relevant recommendations provided below.

What we're doing about it

What you should do about it

Additional information

It should be noted that Redline Stealer is often bundled with other malicious content. In a recent observation, the malware was delivered together with a malicious browser extension and a backdoor.

Redline Stealer was previously delivered via malicious documents in email. In recent campaigns, eSentire has observed Redline Stealer being delivered through drive-by downloads and malicious advertisements for legitimate software. Impersonated software observed by eSentire includes Rufus and Photoshop. External reports [2] [3] [4] claim Redline has also been delivered via trojanized versions of Viber, WeChat, Nox, Battlefield, Windows 11 Upgrade, Telegram, and Signal.

As Redline Stealer is readily available for sale online, it is being used by a range of different threat actor groups. Notably, Redline Stealer is reported to be used by the Lapsus$ extortion group (DEV-0537) in order to steal victim passwords and session tokens that can be used to gain wide access into victim organizations [5] [6]. Quickly identifying and remediating malware such as Redline Stealer is critical in preventing more serious attacks from occurring, such as extortion or ransomware deployment.

Due to an overlap in TTPs and Indicators of Compromise (IOCs), the eSentire Threat Intelligence team assesses with high confidence that recent incidents are part of the Magnat campaign, previously reported on by Cisco.

For additional background on Redline Stealer malware, see the eSentire report “Cybercriminals Use Malicious Google Ads to Lure Computer Users to Spoofed Signal and Telegram Websites, Infecting them with Info-Stealing Malware” [7].

Indicators of Compromise

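As an added example (not code from eSentire or this advisory), the following Python parses indicator lines in the advisory's "value type-or-filename" layout, refangs the "[.]" dots, and checks proxy and EDR log lines for the indicators. Every indicator value and log line below is a constructed placeholder, and the token-boundary rules are an assumption of this example, not something the advisory specifies.

```python
"""Added example, not code from the eSentire advisory: parse indicator lines in the
advisory's "<value> <type-or-filename>" layout, refang the "[.]" dots, and match the
indicators against log lines. Every indicator and log line here is a constructed placeholder."""
import re

# Constructed placeholder IoCs written the way the advisory lists them (defanged dots).
IOC_LINES = """\
203[.]0.113.10 IP Address
example-lure[.]invalid Domain
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa rufus_setup_placeholder.exe
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb VBS Script
"""

# Constructed proxy/EDR lines: 2 and 4 contain indicators, 3 is a deliberate near-miss.
SAMPLE_LOGS = [
    "proxy user=alice dst=198.51.100.7 url=https://vendor.invalid/rufus.exe",
    "proxy user=bob dst=203.0.113.10 url=https://dl.example-lure.invalid/setup.exe",
    "proxy user=carol dst=203.0.113.100 url=https://notexample-lure.invalid/x",
    "edr host=ws12 proc=wscript.exe file=C:\\Temp\\a.vbs sha256=" + "B" * 64,
]

def parse_iocs(text):
    """Return (kind, refanged_value, label) triples; kind is ip, domain or sha256."""
    iocs = []
    for line in text.splitlines():
        if line.strip():
            raw, _, label = line.partition(" ")
            value = raw.replace("[.]", ".").lower()   # undo the advisory's defanging
            if re.fullmatch(r"[0-9a-f]{64}", value):
                kind = "sha256"
            elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value):
                kind = "ip"
            else:
                kind = "domain"
            iocs.append((kind, value, label))
    return iocs

def match_logs(iocs, log_lines):
    """Return (line_no, kind, label) for each log line carrying an indicator.
    IPs and hashes must be whole tokens (203.0.113.10 must not hit 203.0.113.100);
    a domain may follow a subdomain dot but not other hostname characters."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        low = line.lower()   # hashes in logs are often upper-case; compare case-insensitively
        for kind, value, label in iocs:
            before = r"(?<![\w-])" if kind == "domain" else r"(?<![\w.-])"
            if re.search(before + re.escape(value) + r"(?![\w-])", low):
                hits.append((no, kind, label))
    return hits
```

Running `match_logs(parse_iocs(IOC_LINES), SAMPLE_LOGS)` reports line 2 for both the IP and the domain and line 4 for the script hash, while the near-miss on line 3 is ignored.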

References

[1] https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege
[2] https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html
[3] https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/
[4] https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer
[5] https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
[6] https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/
[7] https://www.esentire.com/security-advisories/cybercriminals-use-malicious-google-ads-to-lure-computer-users
