A newly discovered campaign uses an exploit kit to distribute the RedLine Stealer malware by exploiting an Internet Explorer vulnerability that Microsoft patched last year.
"When executed, RedLine Stealer recons the target system (including username, hardware, installed browsers, anti-virus software) and then exfiltrates data (including passwords, saved credit cards, crypto wallets, VPN logins) to a remote command and control server," Bitdefender explained in a new report shared with The Hacker News.
Brazil and Germany have the most infections, followed by the United States, Egypt, Canada, China, and Poland, among others.
Exploit kits, also known as attack packs, are toolkits that bundle exploits for vulnerabilities in widely used software. Delivered through a web page, they fingerprint the visiting system for vulnerable software versions, fire the matching exploit, and use the resulting code execution to install further malware.
The main infection vector for exploit kits, in this case the RIG Exploit Kit, is compromised websites: when a victim visits one, injected code loads the kit's exploit, which ultimately delivers the RedLine Stealer payload for follow-on attacks.
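Hunting for this delivery chain in web proxy logs, as an added example (not from the Bitdefender report or this article): the log format, the hostnames under .example, the sample lines and the 60-second window are all constructed assumptions. The script walks the HTTP referrer chain from any response that claims a text content type but begins with the PE magic bytes 'MZ' back to the page the victim originally opened, which is the compromised site, landing page, payload sequence described above.

```python
"""Flag the compromised-site -> landing-page -> payload chain in proxy logs.

Added example; not from the Bitdefender report or this article. The log
format, the *.example hostnames, the sample lines and the time window are
constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed proxy log: timestamp client method url referrer content-type
# first-4-bytes-hex user-agent. Client 10.0.0.5 (Internet Explorer) opens a
# compromised page, is bounced to a landing page and receives a PE file
# served as text/plain; client 10.0.0.9 (Chrome) just loads a script.
SAMPLE_LOG = """\
2022-04-01T10:00:01Z 10.0.0.5 GET http://news.compromised-site.example/index.html - text/html 3c68746d Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
2022-04-01T10:00:02Z 10.0.0.5 GET http://gate.landing.example/?id=7 http://news.compromised-site.example/index.html text/html 3c68746d Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
2022-04-01T10:00:05Z 10.0.0.5 GET http://gate.landing.example/p.php?k=1 http://gate.landing.example/?id=7 text/plain 4d5a9000 Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
2022-04-01T10:05:00Z 10.0.0.9 GET http://news.compromised-site.example/index.html - text/html 3c68746d Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/99.0
2022-04-01T10:05:03Z 10.0.0.9 GET http://cdn.static.example/app.js http://news.compromised-site.example/index.html application/javascript 2f2f2063 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/99.0
"""


@dataclass
class Request:
    ts: datetime
    client: str
    url: str
    referrer: str
    ctype: str
    magic: str   # hex of the first response bytes
    ua: str


def parse_line(line):
    # The user-agent is the trailing free-text field, hence maxsplit=7.
    ts, client, _method, url, referrer, ctype, magic, ua = line.split(maxsplit=7)
    return Request(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url,
                   "" if referrer == "-" else referrer, ctype, magic.lower(), ua)


def is_pe_disguised_as_text(req):
    """Exploit kits commonly serve the executable under a misleading type."""
    return req.magic.startswith("4d5a") and req.ctype.startswith("text/")


def referrer_chain(req, by_url):
    """Walk Referer headers back to the page the victim opened first."""
    chain, seen, cur = [req], {req.url}, req
    while cur.referrer in by_url and cur.referrer not in seen:
        cur = by_url[cur.referrer]
        seen.add(cur.url)
        chain.append(cur)
    chain.reverse()
    return chain


def find_drive_by_chains(log_text, window_seconds=60):
    """One finding per payload download that ends a referrer chain of at
    least two hops (site -> landing -> payload) completed within the window."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse_line(line)
            per_client[r.client].append(r)
    findings = []
    for client, reqs in per_client.items():
        reqs.sort(key=lambda r: r.ts)
        by_url = {r.url: r for r in reqs}
        for r in reqs:
            if not is_pe_disguised_as_text(r):
                continue
            chain = referrer_chain(r, by_url)
            root = chain[0]
            elapsed = (r.ts - root.ts).total_seconds()
            if len(chain) >= 3 and elapsed <= window_seconds:
                findings.append({
                    "client": client,
                    "compromised_site": root.url,
                    "landing": chain[1].url,
                    "payload": r.url,
                    "seconds": int(elapsed),
                    "ie_ua": "Trident/" in r.ua,
                })
    return findings


if __name__ == "__main__":
    for finding in find_drive_by_chains(SAMPLE_LOG):
        print(finding)
```

The content-type mismatch is the strongest single signal here; a real deployment would also look at the landing page's response body (obfuscated script, Trident-only branches) and at TLS-terminated traffic, neither of which this toy log carries.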
CVE-2021-26411 (CVSS score: 8.8) is a memory corruption vulnerability in Internet Explorer that North Korean-linked threat actors had previously weaponized. Microsoft fixed it in its March 2021 Patch Tuesday release, so systems that have applied that update, or on which Internet Explorer has been disabled, are not exposed to this infection path.
"The RedLine Stealer sample sent by RIG EK comes packed in several encryption layers [...] to avoid detection," the Romanian cybersecurity firm explained, noting that the malware's unpacking can take up to six stages.
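The layered packing Bitdefender describes is a familiar analyst problem: each stage has to be identified and stripped before the next can be examined. As an added example (not Bitdefender's unpacker and not RedLine's actual packer), the script below builds a toy six-layer sample from constructed XOR, zlib and base64 wrappers, each marked by an assumed one-byte tag, and then peels layers until the PE magic bytes 'MZ' appear, with a bound on the number of stages so that a sample that never yields an executable is reported rather than looped on forever.

```python
"""Peel a nested, multi-layer packed blob until a PE image surfaces.

Added example; not RedLine's real packer nor Bitdefender's unpacker. The
layer formats (one-byte tag + XOR / zlib / base64), the keys and the
'inner' blob are constructed to illustrate stage-by-stage unpacking.
"""
import base64
import zlib


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed final stage: a stub that starts with the PE magic 'MZ'.
INNER_PAYLOAD = b"MZ" + b"\x90" * 14 + b"this stands in for the stealer PE"


def wrap_xor(data, key):
    # Tag 'X', one-byte key length, key, XOR-encoded body (assumed format).
    return b"X" + bytes([len(key)]) + key + xor_bytes(data, key)


def wrap_zlib(data):
    return b"Z" + zlib.compress(data)


def wrap_b64(data):
    return b"B" + base64.b64encode(data)


def build_sample():
    """Six constructed layers, mirroring the 'up to six stages' figure."""
    s = wrap_xor(INNER_PAYLOAD, b"\x5a\xa5\x0f")
    s = wrap_b64(s)
    s = wrap_zlib(s)
    s = wrap_xor(s, b"toy-outer-key")
    s = wrap_b64(s)
    s = wrap_zlib(s)
    return s


def peel_once(blob):
    """Identify the outermost layer by its tag and strip it."""
    tag, body = blob[:1], blob[1:]
    if tag == b"X":
        klen = body[0]
        key, payload = body[1:1 + klen], body[1 + klen:]
        return "xor", xor_bytes(payload, key)
    if tag == b"Z":
        return "zlib", zlib.decompress(body)
    if tag == b"B":
        return "base64", base64.b64decode(body, validate=True)
    raise ValueError(f"unknown layer tag {tag!r}")


def unpack(blob, max_layers=8):
    """Return (stage names, final blob); stop as soon as 'MZ' appears."""
    stages, cur = [], blob
    for _ in range(max_layers):
        if cur.startswith(b"MZ"):
            return stages, cur
        name, cur = peel_once(cur)
        stages.append(name)
    raise ValueError(f"no PE header after {max_layers} layers")


if __name__ == "__main__":
    names, pe = unpack(build_sample())
    print(" -> ".join(names), "->", pe[:2])
```

Real packers rarely label their layers this helpfully; in practice the tag check is replaced by heuristics (entropy, known decompressor stubs, the decryption loop found in the previous stage), but the loop structure and the stage bound carry over unchanged.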
RedLine Stealer, an information stealer sold on underground forums, can exfiltrate passwords, cookies and credit card data saved in browsers, as well as crypto wallets, chat logs, VPN login credentials and text from files, in response to commands from its remote server.
This is far from the only campaign distributing RedLine Stealer. In February 2022, HP reported a social engineering attack that used bogus Windows 11 upgrade packages to trick Windows 10 users into downloading and running the malware.