What We Do
How We Do
Resources
Company
Partners
Get Started
Security advisories

Increase in Redline Stealer Observations

April 6, 2022 | 2 MINS READ

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

Starting in mid-March 2022, eSentire observed an increase in the deployment of Redline Stealer malware. Redline Stealer is an information stealing malware that was first identified in early 2020. The malware is available for sale on multiple darkweb marketplaces, meaning that it is in active use by a wide variety of threat actor groups. The malware is primarily focused on the theft of browser credentials from infected systems, but it does have the capability to download and execute files from the Internet.

In recent observations, Redline stealer is distributed via Drive-By-Downloads that impersonate legitimate software installers. Organizations are encouraged to review and apply the relevant recommendations provided below.

What we're doing about it

What you should do about it

Additional information

It should be noted that Redline stealer is often bundled with other malicious content. In a recent observation, the malware was delivered along with a malicious browser extension and a backdoor malware.

Redline Stealer was previously delivered via malicious documents in email. In recent campaigns, eSentire has observed Redline stealer being delivered through drive-by-downloads and malicious advertisements for legitimate software. Impersonated software observed by eSentire includes Rufus and Photoshop. External reports [2] [3] [4] claim Redline has also been delivered via trojanzied versions of Viber, WeChat, Nox, Battlefield, Windows 11 Upgrade, Telegram, and Signal.

As Redline Stealer is readily available for sale online, it is being used by a range of different threat actor groups. Notably, Redline Stealer is reported to be used by the Lapsus$ extortion group (DEV-0537) in order to steal victim passwords and session tokens that can be used to gain wide access into victim organizations [5] [6]. Quickly identifying and remediating malware such as Redline Stealer is critical in preventing more serious attacks from occurring, such as extortion or ransomware deployment.

Due to an overlap in TTPs and Indicators of Compromise (IOCs), the eSentire Threat Intelligence team assesses with high confidence that recent incidents are part of the Magnat campaign, previously reported on by Cisco.

For additional background on Redline Stealer malware, see the eSentire report “Cybercriminals Use Malicious Google Ads to Lure Computer Users to Spoofed Signal and Telegram Websites, Infecting them with Info-Stealing Malware” [7].

Indicators of Compromise

95[.]179.163.157 IP Address
49[.]12.69.202 IP Address
193[.]106.191.226 IP Address
185[.]250.148.76 IP Address
142[.]132.176.217 IP Address
santaanarealtor[.]icu Domain
68aebb2f33f1475abc863495a1bf4a43de6fa267bedad1e64a037f60e3da707d nox_setup_90096.exe
7f8719853907276c95f4b55cff405623e1805321b2c7489209054e6e329bbc24 win32.exe
9400e04c7688ea2aba757c10d545b0bfe26a9de34d20e5d5996b2c760b9c5b14 rufus_setup66893.exe
c554f7a6a906977f5ba845574791611e2ce7d30cdb282afd4c2c757375b6a216 FileSetups.exe
21f75c124ad6687826d5436e7bebfe8058d45ed85376598d87b5e61f792514d2 VBS Script
563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14 VBS Script
6d027644a864461be84cf717e212247b3d7ab7b4c99445e28279b037a89fdaa7 VBS Script
7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512 VBS Script
897f917ee1f7116fee402c8e7f2a12e3a9ad05a81a4ac5108bed49a63e5c024e VBS Script
c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928 VBS Script
dc42333f20b3a524dc7d7a1c3301188d36642fb077758c2ab4d824a0439ecd00 VBS Script

References

[1] https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege
[2] https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html
[3] https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/
[4] https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer
[5] https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
[6] https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/
[7] https://www.esentire.com/security-advisories/cybercriminals-use-malicious-google-ads-to-lure-computer-users

View Most Recent Advisories