A new variant of RedLine malware exploits an Omicron app to bait targets

February 14, 2022

Researchers have discovered a new variant of RedLine malware that is distributed through a massive number of phishing emails carrying a fake COVID-19 Omicron statistics counter application. Experts also noted that RedLine is commodity malware, available on the dark web to any threat actor at a low price.

Researchers first discovered the newest addition to the extensive list of RedLine strains in the form of an Omicron app file called ‘OmicronStats[.]exe’. This new variant exfiltrates credentials stored by several VPN clients, including ProtonVPN, OpenVPN, and Opera GX. It also searches Telegram folders for conversation histories and images, steals them, and sends them back to the operator’s servers.

Also, the variant carefully assesses local Discord resources to locate and gather database files, access tokens, and logs.

Unfortunately, the new variant has already spread globally. Recent reports said that the victims of the threat campaign are distributed across approximately 12 countries, including five major cities in the world.

The new RedLine malware variant’s developers added several capabilities to their strain to improve their attack campaign further.

Experts said that the operators of RedLine malware had upgraded the new variant with multiple improvements on top of its existing information-stealing capability. As a result, the new variant now exfiltrates a wide array of data, such as card names, identification codes, serial numbers, release dates, video card names, OS versions, disk drive manufacturer information, and BIOS manufacturers.

Researchers also discovered a UK-based IP address hosting the command-and-control server, which communicates via Telegram.

The new RedLine malware variant uses 207[.]32[.]217[.]89 as a command-and-control server on port 14588, hosted by 1gservers in Great Britain.

A few weeks after the variant’s release and the discovery of that IP address, a second one appeared: researchers tracked 149[.]154[.]167[.]91 communicating with the same command-and-control server.
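The two addresses and the port above are the concrete network indicators this report gives defenders. The following script is an added example, not code from the article or from the researchers it cites: it refangs the indicators as printed here and sweeps a set of constructed firewall-style log lines for connections to them, flagging a match on the lure file name (‘OmicronStats[.]exe’) as well. The log line format, the sample lines, and the assumption that the lure binary appears as a process name in the log are all constructed for this example.

```python
"""Sweep constructed firewall/proxy log lines for the RedLine C2 indicators
named in the article: 207[.]32[.]217[.]89 on port 14588 and 149[.]154[.]167[.]91.
The log format and the sample lines below are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Defanged indicators exactly as printed in the article; refanged at load time.
# The second address has no port on the page, so any port matches it.
DEFANGED_C2 = {
    "207[.]32[.]217[.]89": 14588,
    "149[.]154[.]167[.]91": None,
}
LURE_FILENAME = "OmicronStats.exe"  # lure binary named in the article


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 back into a usable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_INDICATORS = {refang(ip): port for ip, port in DEFANGED_C2.items()}

# Constructed log format: "<ts> <src_ip> -> <dst_ip>:<dst_port> <proto> [<process>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proto>\w+)(?: (?P<proc>\S+))?$"
)


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def match_line(line: str) -> Optional[Hit]:
    """Return a Hit if the line touches a known C2 address or the lure binary."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed or unrelated line format
    dst, port, proc = m["dst"], int(m["port"]), m["proc"]
    reasons: List[str] = []
    if dst in C2_INDICATORS:
        expected = C2_INDICATORS[dst]
        if expected is None or expected == port:
            reasons.append(f"destination {dst}:{port} matches known RedLine C2")
        else:
            # Same address on another port still deserves a look.
            reasons.append(f"destination {dst} matches RedLine C2 address (unexpected port {port})")
    if proc and proc.lower().endswith(LURE_FILENAME.lower()):
        reasons.append(f"process {proc} matches lure binary name")
    if not reasons:
        return None
    return Hit(m["ts"], m["src"], dst, port, "; ".join(reasons))


def sweep(lines: Iterable[str]) -> List[Hit]:
    """Run match_line over every log line and collect the hits."""
    return [h for h in (match_line(line) for line in lines) if h]


# Constructed sample log; 198.51.100.10 is documentation address space.
SAMPLE_LOG = [
    "2022-02-14T10:01:02Z 10.0.0.5 -> 198.51.100.10:443 tcp chrome.exe",
    "2022-02-14T10:02:10Z 10.0.0.5 -> 207.32.217.89:14588 tcp OmicronStats.exe",
    "2022-02-14T10:02:11Z 10.0.0.7 -> 149.154.167.91:443 tcp telegram.exe",
    "2022-02-14T10:03:00Z 10.0.0.9 -> 207.32.217.89:80 tcp curl.exe",
    "malformed line",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.dst}:{hit.port}  {hit.reason}")
```

The second address is matched on any port because the article gives none for it; the first is matched strictly on 14588, with a separate, lower-confidence reason recorded when the same address shows up on another port, so an analyst can tune the two cases independently rather than dropping either one.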

The operators of the new variant are callously exploiting the current COVID-19 pandemic. The more concerning part of this campaign is that this variant can steal far more information than its predecessors. Security experts advise teams to deploy more reliable and comprehensive AV solutions, use network firewalls, and encrypt essential data, since threat actors are having a field day during this pandemic.
