Microsoft Edge, Opera, Naver Whale, and Google Chrome have all been targeted by RedLine, a data stealing spyware. The passwords saved in these web browsers are targeted by the commodity stealer. This malware is a generic information stealer that can be purchased on cybercrime forums for around $200 and installed without much knowledge or effort.
What Is The News?
However, according to a new analysis from AhnLab ASEC, the convenience of using the auto-login feature on web browsers is becoming a significant security issue that affects both enterprises and individuals.
According to the experts, a distant employee gave RedLine Stealer actors his VPN account details, which they utilised three months later to penetrate the company’s network.
Despite having an anti-malware solution installed, RedLine Stealer was not detected and removed.
The malware is designed to attack the ‘Login Data’ file, which is a SQLite database that stores usernames and passwords and is found on all Chromium-based web browsers.
While browser password stores, such as those used by Chromiumbased browsers, are encrypted, informationstealing malware can decode the store programmatically if they are logged in as the same user.
RedLine will be able to retrieve credentials from the infected user’s browser profile because it operates as that user.
“Google Chrome uses the built-in Windows CryptProtectData method to encrypt the password.
While employing the tripleDES algorithm and using userspecific keys to encrypt the data can make it very safe, it can still be decrypted if you are logged into the same account as the user who encrypted it “explains the project’chrome password grabber’ creator.
“The CryptProtectData function has an identical twin, CryptUnprotectData, which, as the name implies, decrypts the data. And, of course, this will come in handy when attempting to decrypt the passwords that have been stored.”
Even if users refuse to keep their credentials in the browser, the password management system will add an item to the password management system indicating that the website has been “blacklisted.”
While the threat actor may not have the passwords for this “blacklisted” account, it does inform them that it exists, permitting credential stuffing or social engineering/phishing attempts.
What was discovered?
According to a research published by AhnLab ASEC, the auto-login option included in many popular online browsers should be avoided.
The RedLine stealer is a commodity spyware that can be obtained on cybercrime sites for as little as $200.
Hackers are targeting login data files saved on Chromium-based web browsers and SQLite databases that store usernames and passwords with the malware.
Experts warn that it poses a severe security risk to both businesses and individual users.
Similar Threats from This Malware
RedLine virus, in addition to stealing passwords, poses a number of other security risks.
Even if a user refuses to save credentials in the browser, the infected machine’s password management system creates a record to show that the specific website is blacklisted.
If the attacker is unable to obtain the credentials for this banned account, they will be aware that it exists, allowing them to conduct assaults such as credential stuffing, social engineering, and phishing.
The attackers either use the credentials for future assaults or sell them on dark web marketplaces after stealing them.
Different use of the Stealer
- An Excel XLL file was used in a recent spam campaign to download and install the RedLine malware.
- Furthermore, researchers observed that 2easy dark web marketplace is becoming an important dark web marketplace, with half of the sold data stolen through RedLine stealer.
Conclusion
The use of the auto-login feature to keep login information in web browsers is dangerous, according to a recent RedLine research. As a result, users are advised to utilise a third-party or specialized password manager that stores login information in an encrypted vault and requires a password to access.
