
New RedLine malware version distributed as fake Omicron stat counter


Experts warn of a new variant of the RedLine malware that is distributed via email using a fake COVID-19 Omicron stat counter app as a lure.

Fortinet researchers have spotted a new version of the RedLine info-stealer that is spreading through emails carrying a fake COVID-19 Omicron stat counter app.

The RedLine malware allows operators to steal a wide range of information, including credentials, credit card data, cookies, autocomplete data stored in browsers, cryptocurrency wallets, and credentials saved in VPN and FTP clients. The malicious code can also act as first-stage malware that loads additional payloads.

Stolen data is packed into an archive (referred to as “logs”) before being uploaded to a server under the control of the attackers.

The new variant discovered by Fortinet has the file name “Omicron Stats.exe”; the threat actors are attempting to exploit the enormous global interest in the COVID-19 Omicron variant.

According to FortiGuard Labs, potential victims of this RedLine Stealer variant are located in at least 12 countries, a circumstance that suggests attackers did not target specific organizations or individuals.

Like other COVID-19 themed malspam campaigns, the infection chain starts by opening a weaponized document used as an attachment.

When Omicron Stats.exe is executed, it unpacks resources encrypted with Triple DES in ECB cipher mode with PKCS7 padding. The unpacked resources are then injected into vbc.exe, and a scheduled task is created to establish persistence.

The new variant implements several new features: it is able to collect more information from the victim’s system through Windows Management Instrumentation (WMI), such as:

  • Graphics card name
  • BIOS manufacturer, identification code, serial number, release date and version
  • Disk drive manufacturer, model, total heads and signature
  • Processor (CPU) information like unique ID, processor ID, manufacturer, name, max clock speed and motherboard information

The new RedLine variant searches for the following strings to locate relevant folders for data exfiltration:

  • wallet.dat (information related to cryptocurrency)
  • wallet (information related to cryptocurrency)
  • Login Data
  • Web Data
  • Cookies
  • Opera GX Stable
  • Opera GX

The malware also looks for Telegram folders to locate images and conversation histories to steal, and it targets Tokens.txt, which is used for Discord access.

This variant uses 207[.]32.217.89 as its C2 server through port 14588.
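As an added illustration (not code from the article or from Fortinet), the following Python triage script scans a constructed sandbox log for reads of the files listed above and for connections to the C2 endpoint reported for this variant; the log format, event names and file paths are assumptions made for the example.

```python
import re
from collections import Counter
# File and folder names this RedLine variant searches for (as listed in the article), mapped to the data they expose.
TARGET_STRINGS = {
    "wallet.dat": "cryptocurrency wallet",
    "wallet": "cryptocurrency wallet",
    "Login Data": "browser credentials",
    "Web Data": "browser autofill/credit cards",
    "Cookies": "browser cookies",
    "Opera GX Stable": "Opera GX profile",
    "Opera GX": "Opera GX profile",
    "Tokens.txt": "Discord token",
}
# C2 endpoint reported for this variant (defanged in the article as 207[.]32.217.89).
C2_ENDPOINT = ("207.32.217.89", 14588)
# Constructed sandbox log, not real telemetry: "<time> <event> <detail>".
SAMPLE_LOG = """\
10:00:04 FILE_READ C:\\Users\\victim\\AppData\\Roaming\\Exodus\\wallet.dat
10:00:05 FILE_READ C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
10:00:06 FILE_READ C:\\Users\\victim\\AppData\\Roaming\\Opera Software\\Opera GX Stable\\Cookies
10:00:07 FILE_READ C:\\Users\\victim\\AppData\\Roaming\\discord\\Tokens.txt
10:00:08 FILE_READ C:\\Users\\victim\\Documents\\notes.txt
10:00:09 NET_CONNECT 207.32.217.89:14588
10:00:10 NET_CONNECT 13.107.4.50:443
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")  # detail may contain spaces

def classify_file_access(path):
    # Return the data categories whose RedLine target string appears in the path (case-insensitive).
    return {cat for needle, cat in TARGET_STRINGS.items() if needle.lower() in path.lower()}

def analyze_log(log_text):
    """Collect RedLine-targeted file reads and connections to the known C2 endpoint."""
    summary = {"suspicious_files": [], "c2_connections": [], "categories": Counter()}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, event, detail = m.groups()
        if event == "FILE_READ":
            cats = classify_file_access(detail)
            if cats:
                summary["suspicious_files"].append(detail)
                summary["categories"].update(cats)
        elif event == "NET_CONNECT":
            host, _, port = detail.rpartition(":")
            if port.isdigit() and (host, int(port)) == C2_ENDPOINT:
                summary["c2_connections"].append((ts, detail))
    # Flag only when targeted data was read AND the C2 was contacted, to limit false positives.
    summary["redline_like"] = bool(summary["suspicious_files"]) and bool(summary["c2_connections"])
    return summary
```

Reading a single browser profile file is normal for many legitimate tools, so the verdict requires both the data-collection pattern and the network indicator.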

“This IP is owned by 1gservers. Over the course of the few weeks after this variant was released, we noticed one IP address in particular communicating with this C2 server.” states the report published by Fortinet. “Some telemetry data is shown below.

IP Address     | Start Time          | End Time
149.154.167.91 | 2021-11-26 04:34:54 | 2021-11-26 10:05:15
149.154.167.91 | 2021-12-05 12:06:03 | 2021-12-05 13:19:35
149.154.167.91 | 2021-12-09 16:18:46 | 2021-12-09 20:00:13
149.154.167.91 | 2021-12-22 18:38:18 | 2021-12-23 11:33:58

This 149[.]154.167.91 IP address is located in Great Britain and is part of the Telegram Messenger Network. It seems that the C2 server may be controlled by the Redline operators through an abused Telegram messaging service. This conclusion is not a huge leap as the malware author(s) offer both dedicated purchasing and support lines through their respective Telegram groups.”

Experts speculate RedLine Stealer will continue to take advantage of the ongoing COVID pandemic and the stolen information will continue to fuel underground cybercrime marketplaces. 


Pierluigi Paganini

(SecurityAffairs – hacking, RedLine malware)
