Internet Explorer security flaw gets abused to spread RedLine attacks

May 5, 2022

New data shows that threat actors reused the RedLine malware in cyberattacks against targets in more than 150 countries in April this year. In January, researchers first identified a campaign that exploits CVE-2021-26411, a memory-corruption vulnerability in the Internet Explorer web browser that Microsoft patched in March 2021, to spread the malware.

RedLine Stealer is a password-stealing malware sold on underground marketplaces at an affordable price. Once running, it profiles the infected device (username, installed browsers, antivirus software, and hardware) and then harvests saved passwords, financial data, cryptocurrency wallet data, and VPN logins, which are sent to a remote C2 server.


The malware spread through the Internet Explorer flaw also collects login credentials from victims' web browsers, email and messaging applications, FTP clients, and VPN clients, which are then sold on dark web forums.


According to recent reports, threat actors have been actively spreading RedLine, with over 10,000 recorded attacks in April alone. The researchers add that this figure is only a fraction of the real total, since it counts only the attempts that their security solutions blocked.

A heat map in the report shows firms in Brazil, the US, China, Germany, Canada, and Egypt among the most heavily targeted, each with hundreds of attacks. The campaign also used a wide range of attack vectors, giving its operators multiple profit streams.

Data stolen by RedLine has been sold on underground marketplaces since March 2020. The stealer has attracted hackers worldwide because pirated (cracked) copies are offered on dark web forums for far less than the official price.

Earlier reports described the info-stealer being distributed through fake Windows 11 installers. North Korean threat operators have also used the same Internet Explorer flaw to compromise a popular news website and mount a watering hole attack, infecting the site's visitors with malware.

The infostealer operators built their exploit from public proof-of-concept code available online; the researchers' report includes a detailed review of how RedLine is deployed in the campaigns exploiting the Internet Explorer vulnerability.
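The campaign relies on a browser memory-corruption bug to get code running, so one generic check a defender can run regardless of the specific payload is to look for Internet Explorer spawning processes a browser should never start. The following is an added detection example, not code from the researchers' report or from any RedLine analysis. It assumes process-creation telemetry (Sysmon Event ID 1 or equivalent) exported into a simple pipe-delimited layout; the sample events, the benign-child allowlist, and the loader list are constructed for illustration and should be tuned to the fleet being monitored.

```python
"""Hunt for Internet Explorer spawning processes a browser should not start.

Added detection example (not code from the report described above).
Assumes process-creation telemetry (Sysmon Event ID 1 or equivalent) exported
into a constructed pipe-delimited layout:

    timestamp|host|parent_image|image|command_line

The sample events, the allowlist and the loader list below are made up for
illustration and should be tuned to the fleet being monitored.
"""
from dataclasses import dataclass
from typing import List, Optional

# Children iexplore.exe starts during normal operation (assumption: adjust per fleet).
BENIGN_CHILDREN = {"iexplore.exe", "ieinstal.exe", "ielowutil.exe", "werfault.exe"}

# Script hosts and living-off-the-land binaries typically used as a first-stage
# loader once a browser exploit has gained code execution.
STAGING_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "msiexec.exe", "curl.exe",
}

# Command-line fragments that make an unexpected child even more suspicious.
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "http://", "https://", r"c:\users\public")


@dataclass
class Finding:
    timestamp: str
    host: str
    child: str
    command_line: str
    severity: str
    reasons: List[str]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Optional[dict]:
    """Parse one pipe-delimited event; return None for malformed lines."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, parent, image, cmd = parts
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmd": cmd}


def classify(ev: dict) -> Optional[Finding]:
    """Return a Finding if iexplore.exe spawned a child we would not expect."""
    if basename(ev["parent"]) != "iexplore.exe":
        return None
    child = basename(ev["image"])
    if child in BENIGN_CHILDREN:
        return None
    reasons = [f"iexplore.exe spawned {child}"]
    severity = "medium"
    if child in STAGING_CHILDREN:
        severity = "high"
        reasons.append("child is a known loader / script host")
    lowered = ev["cmd"].lower()
    hits = [frag for frag in SUSPICIOUS_ARGS if frag in lowered]
    if hits:
        severity = "high"
        reasons.append("suspicious arguments: " + ", ".join(hits))
    return Finding(ev["ts"], ev["host"], child, ev["cmd"], severity, reasons)


def hunt(lines) -> List[Finding]:
    """Run the check over an iterable of event lines, skipping malformed ones."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        finding = classify(ev)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # benign: IE frame process starting a tab (content) process
    r"2022-04-12T09:14:03Z|WS-0421|C:\Program Files\Internet Explorer\iexplore.exe|C:\Program Files (x86)\Internet Explorer\iexplore.exe|iexplore.exe SCODEF:4120 CREDAT:17410",
    # high: hidden, encoded PowerShell launched straight from the browser
    r"2022-04-12T09:15:41Z|WS-0421|C:\Program Files (x86)\Internet Explorer\iexplore.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    # ignored: parent is not Internet Explorer
    r"2022-04-12T09:16:02Z|WS-0421|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
    # high: rundll32 loading a DLL from a user-writable location
    r"2022-04-12T09:17:19Z|WS-0099|C:\Program Files (x86)\Internet Explorer\iexplore.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\Public\svc.dll,Start",
    # medium: unexpected child, but not an obvious loader
    r"2022-04-12T09:18:50Z|WS-0099|C:\Program Files (x86)\Internet Explorer\iexplore.exe|C:\Windows\System32\notepad.exe|notepad.exe",
    # benign: crash reporter (a failed exploit often ends here, but so do ordinary crashes)
    r"2022-04-12T09:19:05Z|WS-0312|C:\Program Files (x86)\Internet Explorer\iexplore.exe|C:\Windows\System32\WerFault.exe|WerFault.exe -u -p 5588 -s 1204",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.timestamp} {f.host}: {'; '.join(f.reasons)}")
```

The parent-child rule is deliberately payload-agnostic: it fires on the exploit's first action rather than on any RedLine-specific hash or C2 address, so it keeps working when the operators swap the second stage. The cost is tuning: the allowlist of legitimate IE children varies with add-ins and enterprise tooling, and WerFault.exe spawned by iexplore.exe is worth a separate, lower-priority signal, since a spray that fails to land usually crashes the browser.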
