New RedLine Variant Uses Omicron Lure to Trap Victims

You are currently viewing New RedLine Variant Uses Omicron Lure to Trap Victims

A new form of the RedLine malware has been uncovered that spreads through emails and uses a bogus Omicron stat counter software to do it. RedLine is a low-cost malware that can be purchased for a few hundred dollars.

RedLine malware out on a hunting

The latest variant of RedLine was spotted by Fortinet researchers in the form of Omicron Stats[.]exe file.

  • The malware harvests credentials saved on VPN services including OpenVPN, ProtonVPN, and Opera GX.
  • The malware searches Telegram folders to find images and conversation histories and sends them to the attacker’s servers.
  • Moreover, it thoroughly inspects local Discord resources to find and steal logs, database files, and access tokens.
  • The victims of the attack campaign are reportedly distributed across 12 countries.

RedLine Stealer was initially reported in March of 2020, and it immediately became one of the most popular infostealers available on underground digital markets. RedLine Stealer sells the information it collects on the dark web for as little as ten bucks each set of user credentials. The malware appeared just as the globe began to deal with an increase in COVID patients, as well as the growing dread and uncertainty that might induce individuals to relax their guard, which may have led its creators to use COVID as a bait.

 

Open source intelligence, or OSINT, is intelligence “derived from publicly available material,” according to the CIA, though it can also contain sources exclusively available to specialists or subscribers.

The current Redline Stealer contains the following functions based on worldwide OSINT information collected and analysed by FortiGuard Labs.

Typically, these are victims whose systems have been infected with any of the above-mentioned stealers, as a result of which the victims’ account passwords and full browser details have been collected and given to marketplace operators without their knowledge. In such circumstances, each user profile typically contains login information for online payment portals, e-banking services, file-sharing, and social networking sites. As a result, it tries to collect the following information from the compromised machine’s browsers, including all Chromium-based browsers and all Gecko-based browsers (i.e. Mozilla):

System data that has been saved:

Passwords and logins

Cookies

Forms that auto-fill

Details about your browser’s user agent

Information about your credit card

History of your browser

FTP clients have been installed.

Clients for instant messaging (IM) have been installed.

It also performs highly adjustable data collecting depending on file path and file extension, as well as subfolder searches.

It creates a list of countries that Redline Stealer will not work in.

It also records the IP address of the machine. And the following:

 

    1.  IP
    2. IP
    3. Country
    4. City
    5. Current user name
    6. Hardware ID
    7. Keyboard layouts
    8. Screenshot
    9. Screen resolution
    10. Operating system
    11. UAC settings
    12. User-Agent
    13. Information about PC components such as video cards and processors
    14. Installed antivirus solution
    15. Data/Files from common folders such as desktop/downloads, etc.

The malware also looks for and attempts to steal the following saved browser data:

  • Cookies Extension Cookies Login Data Web Data Browser User Agent Details
  • Credit Card information is automatically filled in.

Increased capabilities

Along with the already existing information-stealing ability, the variation has been updated with a number of enhancements. The latest variant now steals a wide variety of information, including the name of the graphics card, the manufacturer of the BIOS, the identification code, the serial number, the release date, the version, and the manufacturer of the disc drive.

Supplementary information

An IP address from the United Kingdom was detected using Telegram to communicate with the C2 server.

1gservers owns the new variant, which uses 207[.]32[.]217[.]89 as a C2 server on port 14588.

After a few weeks of being released, another IP address (149[.]154[.]167[.]91) communicated with this C2 server.

Conclusion

The current COVID-19 situation is being exploited by RedLine operators in an insensitive manner. This variation is more capable than earlier variants and steals more information. To keep safe, security teams should deploy a trustworthy anti-malware solution, encrypt vital data, and employ a network firewall, to name a few things.

 

Leave a Reply