Kroll frequently sees threat actors, particularly ransomware gangs, leveraging valid accounts to gain a foothold in corporate networks. Many of these gangs rely on information stealing malware as a means to obtain such credentials. REDLINESTEALER is one of the most common varieties of infostealer that Kroll currently encounters. Infostealer logs are a significant factor in the initial access broker market. Threat actors sell access they have gained to corporate environments, to ransomware operators who then complete the attack chain and extort the victim.

Infostealers are most commonly deployed via phishing, malvertising and fake or misleading posts on social media. Threat actors aim to infect as many individuals as possible to collect their credentials. This presents an unseen risk to corporate environments as employees' personal machines can become infected. These might contain credentials that provide access to corporate credentials or present a threat through reuse, enabling threat actors to test them against edge services such as VPN, email platforms or application gateways. 

Characteristics of REDLINESTEALER

First seen in around 2020, REDLINESTEALER is available on underground forums as a monthly subscription service. This gives attackers access to the REDLINESTEALER panel and the ability to pack the malware and collect the logs of stolen information. Its main functionality is to steal data such as passwords, credit card information, usernames, locations, cookies and hardware configuration from infected systems. 

REDLINESTEALER collects this data from a number of sources, including:

  • Installed browsers, such as SQLite databases
  • VPN credentials
  • Crypto wallets (such as files containing *.wallet)
  • Chat messages
  • FileZilla credentials

REDLINESTEALER can gather detailed information about victims’ systems, such as IP address, city and country, operating system, administrator privileges and information about infected PC hardware and graphic cards, as well as identifying any installed antivirus software on the system.

If REDLINESTEALER is found to have been executed on a device, it is safe to consider that any credentials stored locally on that device have been compromised. REDLINESTEALER can also download files, making it likely that further payloads could be deployed to a victim device, should a threat actor require more functionality depending on their objectives, such as high bandwidth data exfiltration or ransomware.

Cybercriminals deliver REDLINESTEALER in a number of ways. They have been found posting sponsored adverts on hijacked Facebook business and community pages. These offer free downloads of AI chatbots such as ChatGPT and Google Bard but lead users to download REDLINESTEALER. In November 2023, a new version of the ScrubCrypt obfuscation tool was identified as being available for sale on dark web marketplaces and used to launch account takeover and fraud attacks with REDLINESTEALER.

In Q4 2023, Kroll investigated a surge in cases in which users downloaded a file associated with REDLINESTEALER. In these instances, the lure was a PDF converter software, on the URL “pdfconvertercompare[.]com. It is likely that users accessing the page were searching for a legitimate copy of a tool or searching  innocuous phrases such as 'printable calendars' or 'business models' and being presented with the malicious URL at the top of their search results. Once on the site, it contained a description of the alleged tool above a download button. The subsequently downloaded file was "PdfConverters.exe", which Kroll identified as REDLINE. The file had a low anti-virus detection rate at eight vendors detecting out of 69. Within Kroll cases, interaction with the file caused it to be quarantined at the point where the process "WmiPrvSE.exe" interacted with the file to either execute or delete the file.  

Kroll has previously reported on similar tactics used by other infostealers such as VIDAR, leveraging Google Ads to masquerade as a legitimate site to download popular software. 

ATT&CK Category
ATT&CK Technique

Resource Development

T1583.001 - Domains
T1583.006 - Web Services
T1583.008 - Malvertising
T1586 - Compromise Accounts
T1584.005 - Botnet
T1585.001 - Social Media Accounts

 

Initial Access

T1566 - Phishing
T1566.002 - Spearphishing Link
T1566.001 - Spearphishing Attachment
T1189 - Drive-by Compromise
T1129 - Shared Modules

Defense Evasion

T1106 - Native API
T1218.011 - Rundll32
T1112 - Modify Registry
T1036 - Masquerading
T1070.006 - Timestomp
T1070 - Indicator Removal
T1562 - Impair Defenses
T1562.001 - Disable or Modify Tools
T1222 - File and Directory Permissions Modification
T1134 - Access Token Manipulation

Execution

T1053.005 - Scheduled Task

Credential Access

T1552 - Unsecured Credentials
T1552.001 - Credentials In Files
T1555.003 - Credentials from Web Browsers
T1555 - Credentials from Password Stores
T1555.005 - Password Managers
T1056.001 - Keylogging

Discovery

T1007 - System Service Discovery
T1016.001 - Internet Connection Discovery
T1012 - Query Registry

Collection

T1039 - Data from Network Shared Drive
T1025 - Data from Removable Media
T1113 - Screen Capture

Persistence

T1543 - Create or Modify System Process
T1543.003 - Windows Service
T1547.001 - Registry Run Keys / Startup Folder

Privilege Escalation

T1209 - Access Token Manipulation
T1543 - Create or Modify System Process
T1543.003 - Windows Service

Exfiltration

Key Recommendations

To help reduce risk associated with information stealing malware:

  • Implement multi-factor authentication methods such as token, card, key, PIN or biometrics.
  • Educate employees on the latest threat actor tactics such as how to identify malicious sites which may be delivered via legitimate search engine results and to be cautious approving MFA requests which they did not initiate.
  • Use an antivirus software or Endpoint Detection and Response tools on corporate endpoints.
  • Encourage minimum security requirements for Bring Your Own Device (BYOD) utilization such as antivirus software and regular patching of the operating system and internet browser extensions.

Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

Cyber Risk Assessments

Kroll's cyber risk assessments deliver actionable recommendations to improve security, using industry best practices & the best technology available.

Application Threat Modeling Services

Kroll helps development teams design and build internal application threat modeling programs to identify and manage their most pressing vulnerabilities.


Digital Risk Protection

Proactively safeguard your organization’s digital assets and accelerate visibility of online threats.