The data-stealing malware RedLine targets major web browsers like Chrome, Edge, and Opera, highlighting why saving passwords in browsers is a terrible idea. This malware is a generic information stealer acquired on cyber-crime forums for around $200 and installed without much expertise or effort.
According to a new analysis from AhnLab ASEC, the convenience of the auto-login option in web browsers is becoming a significant security issue for both enterprises and individuals. Analysts report that a remote employee's VPN account details were captured by RedLine Stealer actors, who used them three months later to penetrate the company's network.
Even though an anti-malware solution was installed on the infected device, it failed to identify and eradicate RedLine Stealer. The malware is designed to attack the ‘Login Data’ file, which is an SQLite database that stores usernames and passwords and is found on all Chromium-based web browsers.
Even if a user declines to save credentials for a site, the browser's password manager still adds a record marking that website as "blacklisted." The threat actor may not learn the credentials for such an account, but the record's existence tells them the user has an account there, which is enough to attempt credential stuffing or social engineering/phishing attacks.
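The two kinds of records described above can be inventoried from a copy of the 'Login Data' file so that an organisation can gauge how much a stolen profile would expose. The following is an added audit helper, not code from the article or from any vendor; it assumes the Chromium `logins` table with columns `origin_url`, `username_value` and `blacklisted_by_user`, never reads the encrypted `password_value` column, and is meant to run against a copy of the file taken while the browser is closed.

```python
"""Inventory what a Chromium 'Login Data' database exposes (read-only, no decryption)."""
import sqlite3
from typing import Dict


def open_login_data(path: str) -> sqlite3.Connection:
    # Read-only URI so the audit can never modify the profile copy.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def audit_login_data(conn: sqlite3.Connection) -> Dict[str, object]:
    """Summarise exposure: saved credentials versus 'never save' markers."""
    rows = conn.execute(
        "SELECT origin_url, username_value, blacklisted_by_user FROM logins"
    ).fetchall()
    saved = {(url, user) for url, user, flag in rows if not flag}
    never_save = {url for url, _, flag in rows if flag}
    return {
        "saved_credentials": len(saved),
        "saved_sites": sorted({url for url, _ in saved}),
        # A 'blacklisted' row still reveals that the user has an account
        # at that site, even though no password is stored.
        "never_save_sites": sorted(never_save),
    }


def make_sample_connection() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a real profile (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
        "password_value BLOB, blacklisted_by_user INTEGER)"
    )
    conn.executemany(
        "INSERT INTO logins VALUES (?, ?, ?, ?)",
        [
            ("https://vpn.example.test/", "alice", b"<encrypted>", 0),
            ("https://mail.example.test/", "alice", b"<encrypted>", 0),
            ("https://mail.example.test/", "alice", b"<encrypted>", 0),  # duplicate
            ("https://bank.example.test/", "", b"", 1),  # user chose 'Never'
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    # For a real profile copy: audit_login_data(open_login_data("Login Data.copy"))
    print(audit_login_data(make_sample_connection()))
```

The report counts distinct (site, username) pairs, so a profile with many saved VPN or mail logins stands out immediately, and the never-save list shows which accounts are disclosed even without a stored password.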
Threat actors can use the obtained credentials in follow-on attacks or monetize them by selling them on dark web markets. The emergence of the '2easy' dark web marketplace, where 50% of all data sold was taken with this malware, shows how popular RedLine has become among criminals.
Another recent instance of RedLine propagation is a website contact-form spam campaign that uses Excel XLL files to download and install the password-stealing malware. RedLine appears to be everywhere right now. The fundamental reason is its success in exploiting a widely available security weakness that newer web browsers refuse to patch.