
RedLine info-stealer campaign targets Russian businesses through pirated corporate software


An ongoing RedLine information-stealing campaign is targeting Russian businesses using pirated corporate software.

Since January 2024, Russian businesses using unlicensed software have been targeted by an ongoing RedLine info-stealer campaign. The pirated software is distributed via Russian online forums, where the attackers disguise the malware as a tool for bypassing the licensing of business automation software.

Threat actors target business process automation users by distributing a malicious version of the HPDxLIB activator. Unlike the legitimate version, which is written in C++ and signed with a valid certificate, the malicious version is built in .NET and signed with a self-signed certificate.

“Users of unlicensed copies of corporate software for automating business processes faced an attack in which attackers distributed malicious activators on accounting forums.” reads the report published by Kaspersky. “The detected samples were versions of the well-known HPDxLIB activator, which contained the RedLine stealer, hidden in a very unusual way: the activator library was obfuscated using .NET Reactor, and the malicious code was compressed and encrypted in several layers.”

Threat actors publish links to malicious activators on specialized forums about business ownership and accounting. The researchers also observed that the operators provided detailed instructions on disabling security software to run the activator, effectively evading detection.


Attackers trick users into replacing the legitimate techsys.dll library with the malicious one shipped with the activator. When the patched software is launched, the legitimate 1cv8.exe process loads the malicious library, which in turn runs the stealer. The method exploits user trust rather than any vulnerability in the corporate software.
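The indicator the report gives for the swapped library, a .NET build in place of a C++ library signed with a valid certificate, can be turned into a header-level triage check. The following Python is an added example, not code from the report or from Kaspersky: it parses the PE data directories to tell whether an image is a .NET assembly and whether it carries an embedded Authenticode certificate table, and builds a constructed sample header to exercise itself. It only checks that a signature blob is present, so a self-signed certificate still counts as present; validating the chain (signtool, Get-AuthenticodeSignature) is a separate step.

```python
import struct

DIR_SECURITY = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode certificate table
DIR_CLR = 14       # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: CLR (.NET) runtime header

def pe_triage(data: bytes) -> dict:
    """Report whether a PE image is a .NET assembly and whether it carries an
    embedded Authenticode certificate table (presence only, not chain validity)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt = pe_off + 4 + 20                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                      # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    def directory(index):                     # (VirtualAddress, Size), or (0, 0) if absent
        if index >= ndirs:
            return (0, 0)
        return struct.unpack_from("<II", data, dirs_off + 8 * index)
    clr_rva, clr_size = directory(DIR_CLR)
    sec_off, sec_size = directory(DIR_SECURITY)
    return {"is_dotnet": clr_rva != 0 and clr_size != 0,
            "has_authenticode": sec_off != 0 and sec_size != 0}

def suspicious(data: bytes) -> bool:
    """Flag the swap described above: a signed native (C++) library is expected,
    so a .NET build or a missing signature is a red flag."""
    t = pe_triage(data)
    return t["is_dotnet"] or not t["has_authenticode"]

def build_sample_pe(dotnet: bool, signed: bool) -> bytes:
    """Construct a minimal PE32+ header (no sections) as test input; this is a
    constructed sample, not a real techsys.dll."""
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[DIR_CLR] = (0x2000, 72)          # fake CLR header RVA / size
    if signed:
        dirs[DIR_SECURITY] = (0x400, 0x1000)  # fake certificate table file offset / size
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x2022)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)   # e_lfanew at 0x3C -> PE header at 64
    return dos + b"PE\0\0" + coff + opt
```

On a real host, run `pe_triage(open(path, "rb").read())` against the techsys.dll in the 1C installation directory and compare the result with a known-good copy.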

The RedLine stealer is info-stealing malware written in .NET that has been active since at least early 2020. It can steal sensitive information from infected systems, including credentials, cookies, browser history, credit card data, and crypto-wallets. The info-stealer is considered commodity malware and is sold through a malware-as-a-service model.

“The attackers behind this campaign are clearly interested in gaining access to Russian-speaking entrepreneurs who use software to automate business processes. It cannot be said that attacks through dubious solutions that supposedly allow bypassing license checks are something exceptional. But the fact that they are targeting businesses rather than private users seems rather unusual. Another unusual detail is how sophisticatedly the attackers disguised the stealer implant.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, Redline)