A new RedLine info-stealer variant is being delivered through email with the help of a phony COVID-19 Omicron stat counter application. RedLine is a widely used commodity malware that can be purchased for a few hundred dollars from cybercriminals. It provides over 50% of the stolen user credentials sold to other threat actors on dark web markets.
The malware is regularly created and modified, and it is widely distributed through a variety of distribution techniques. RedLine targets browser-stored user account credentials, VPN passwords, cookies, FTP credentials, credit card information, cryptocurrency wallet data, instant messaging content, and system information.
Analysts at Fortinet discovered the current variant, which includes several new capabilities and upgrades to its existing data-stealing functionality. The recent variant collects and exfiltrates additional system information, such as:
- Graphics card name
- BIOS manufacturer, serial number, release date, identification code, and version
- Disk drive manufacturer, total heads, model, and signature
- Processor (CPU) information like unique ID, manufacturer, name, processor ID, motherboard information, and max clock speed
This information is obtained when the “Omicron Stats.exe” bait is run for the first time, which unpacks the malware and injects it into vbc.exe. The Opera GX web browser, OpenVPN, and ProtonVPN are among the extra programs targeted by the latest RedLine variant.
Older versions of RedLine targeted regular Opera, but Opera GX is a “gamer-focused” variant that is rising in popularity. Furthermore, the malware now scans Telegram files for photographs and chat history, which it then sends back to the threat actor’s servers. Finally, local Discord resources are combed more thoroughly for access tokens, logs, and database files to steal.
While investigating the new campaign, researchers discovered an IP address in the United Kingdom communicating with the command-and-control server via the Telegram messaging application. The victims are spread across 12 different countries, and the attack does not appear to target any specific group or individual.
“This variant uses 207[.]32.217.89 as its C2 server through port 14588. This IP is owned by 1gservers,” according to the Fortinet report. “Over the course of the few weeks after this variant was released, we noticed one IP address (149[.]154.167.91) in particular communicating with this C2 server.”
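As an added defender-side example (not code from the article or from Fortinet), the following Python scans constructed key=value endpoint telemetry for the indicators reported above: the lure file name, vbc.exe being spawned by the lure, and connections to the reported C2 endpoint. The log format, the sample lines, and the lure-spawns-vbc.exe parent/child heuristic are assumptions.

```python
import re

# Indicators reported in the article (lure file name, injection host, C2 endpoint).
LURE_IMAGE = "omicron stats.exe"
INJECTION_HOST = "vbc.exe"
C2_IP = "207.32.217.89"
C2_PORT = "14588"

# Constructed sample telemetry in a simple key=value format (not real logs).
SAMPLE_LOGS = """\
event=ProcessCreate image=C:\\Users\\alice\\Downloads\\Omicron Stats.exe parent=explorer.exe pid=4120
event=ProcessCreate image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe parent=Omicron Stats.exe pid=4188
event=NetworkConnect image=vbc.exe pid=4188 dst=207.32.217.89 dport=14588
event=NetworkConnect image=chrome.exe pid=2200 dst=142.250.74.46 dport=443
event=ProcessCreate image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe parent=MSBuild.exe pid=5000
"""

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_line(line):
    """Split one key=value log line into a dict; values may contain spaces."""
    return dict(FIELD_RE.findall(line.strip()))

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_alerts(log_text):
    """Return (pid, reason) tuples for events matching the RedLine indicators."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        image = basename(ev.get("image", ""))
        if ev.get("event") == "ProcessCreate":
            if image == LURE_IMAGE:
                alerts.append((ev["pid"], "lure executable started"))
            # Assumed heuristic: the lure starting the .NET compiler it injects into.
            elif image == INJECTION_HOST and basename(ev.get("parent", "")) == LURE_IMAGE:
                alerts.append((ev["pid"], "vbc.exe spawned by lure (injection host)"))
        elif ev.get("event") == "NetworkConnect":
            if ev.get("dst") == C2_IP and ev.get("dport") == C2_PORT:
                alerts.append((ev["pid"], "connection to reported C2 endpoint"))
    return alerts

if __name__ == "__main__":
    for pid, reason in find_alerts(SAMPLE_LOGS):
        print(f"pid {pid}: {reason}")
```

The benign chrome.exe connection and the vbc.exe instance launched by MSBuild.exe produce no alert, which is the point of tying the compiler check to its parent rather than flagging every vbc.exe start.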