Attackers are planting RedLine Stealer trojan using an exploit kit. The attackers are taking advantage of an Internet Explorer flaw which was fixed by Microsoft last year.
“When executed, RedLine Stealer performs recon against the target system (including username, hardware, browsers installed, anti-virus software) and then exfiltrates data (including passwords, saved credit cards, crypto wallets, VPN logins) to a remote command and control server,” Bitdefender said in a new report shared with The Hacker News.
Germany and Brazil, followed by the U.S., Egypt, Canada, China, and Poland, are the worst affected countries.
Exploit kits, also called exploit packs, are toolkits that bundle a wide range of exploits for vulnerabilities in popular software. When a user lands on a page hosting the kit, it probes the visitor's system for unpatched software and, on a match, deploys additional malware.
The attackers use compromised websites as the main infection route for spreading exploit kits—in this case, Rig Exploit Kit. When users visit compromised websites, the website drops an exploit kit to send the RedLine Stealer payload to execute follow-on attacks.
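The infection chain described above (user visits a compromised site, gets bounced to an exploit-kit landing page, and an executable payload is fetched moments later) leaves a recognisable pattern in web proxy logs. The following hunting heuristic is an added example written for this article, not code from Bitdefender or The Hacker News; the log format, field layout, client addresses and hostnames are all constructed for illustration, and the detection only flags Internet Explorer clients that download an executable shortly after loading an HTML page from a different host than the one they first visited.

```python
"""Hunting heuristic for exploit-kit style drive-by chains in web proxy logs.

Added example for illustration; not code from the original report.
Assumed (constructed) log format, one request per line:
  <ISO timestamp> <client_ip> <method> <url> <status> <content-type> <user-agent...>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample lines: one IE client hitting a compromised page, a landing
# page and then an executable; one Chrome client; one IE client with a plain
# executable download and no preceding page load.
SAMPLE_LOG = """\
2022-04-20T10:00:01 10.0.0.5 GET http://news.example/index.html 200 text/html Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
2022-04-20T10:00:03 10.0.0.5 GET http://landing.example/gate.php 200 text/html Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
2022-04-20T10:00:06 10.0.0.5 GET http://landing.example/payload.bin 200 application/x-msdownload Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
2022-04-20T10:05:00 10.0.0.7 GET http://news.example/index.html 200 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/99.0
2022-04-20T10:05:02 10.0.0.7 GET http://cdn.example/app.exe 200 application/x-msdownload Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/99.0
2022-04-20T11:00:00 10.0.0.9 GET http://intranet.example/tool.exe 200 application/x-msdownload Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (.*)$")
# Internet Explorer identifies itself with "Trident/" (IE 8+) or "MSIE " (older).
IE_UA_RE = re.compile(r"Trident/|MSIE ")
# Content types commonly used for Windows executables.
EXE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, ip, method, url, status, ctype, ua = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": ip,
            "method": method,
            "url": url,
            "host": urlparse(url).hostname or "",
            "status": int(status),
            "ctype": ctype,
            "ua": ua,
        })
    return events


def find_driveby_chains(events, window_seconds=60):
    """Flag IE clients that fetch an executable within `window_seconds` of
    loading HTML, where the executable comes from a host other than the
    first page the client visited in that window (entry site -> landing
    page -> payload is the exploit-kit pattern)."""
    by_client = defaultdict(list)
    for e in events:
        if IE_UA_RE.search(e["ua"]):
            by_client[e["client"]].append(e)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["ctype"] not in EXE_TYPES or e["status"] != 200:
                continue
            earliest = e["ts"] - timedelta(seconds=window_seconds)
            html_hosts = [p["host"] for p in evs[:i]
                          if p["ts"] >= earliest and p["ctype"] == "text/html"]
            if not html_hosts:
                continue  # bare download, no page-load context: not this pattern
            if e["host"] != html_hosts[0]:
                alerts.append({
                    "client": client,
                    "entry_host": html_hosts[0],
                    "intermediate_hosts": sorted(set(html_hosts[1:])),
                    "payload_url": e["url"],
                    "ts": e["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_driveby_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

The heuristic deliberately keys on the browser: the campaign described here only works against Internet Explorer, so an IE user agent fetching an executable a few seconds after a page load from an unrelated host is a strong triage signal, while the same sequence from a modern browser is ordinary software-download noise. Tune `window_seconds` and `EXE_TYPES` to the proxy's own logging conventions before running it over real data.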
The flaw, tracked as CVE-2021-26411 (CVSS score: 8.8), is a memory corruption vulnerability in Internet Explorer that has been used by North Korean-associated threat actors. Microsoft addressed the flaw in its Patch Tuesday updates for March 2021.
“The RedLine Stealer sample delivered by RIG EK comes packed in multiple encryption layers […] to avoid detection,” the Romanian cybersecurity firm noted, with the unpacking of the malware progressing through as many as six stages.
RedLine Stealer, an information-stealing malware sold on underground forums, has features to steal passwords, cookies, and credit card data saved in browsers, crypto wallets, chat logs, VPN login credentials and text from files as per commands received from a remote server.
This is far from the only campaign that involves the distribution of RedLine Stealer. In February 2022, HP detailed a social engineering attack using fake Windows 11 upgrade installers to trick Windows 10 users into downloading and executing the malware.