New RIG Exploit kit drops RedLine malware
A new campaign has been discovered using an exploit kit to distribute the RedLine Stealer malware by exploiting an Internet Explorer bug that Microsoft fixed last year (Patch Tuesday, 9 March 2021).
When executed, RedLine Stealer performs reconnaissance of the target machine (username, hardware, installed browsers, anti-virus software) and then exfiltrates data (passwords, saved credit cards, crypto wallets, VPN logins) to a remote command-and-control server.
As web browsers have become more secure, with automatic updates for all of their components or those components replaced by new standards, the use of exploit kits (EKs) to disseminate malware has declined to the point that they are now uncommon.
Nevertheless, there are still users running browsers without the most recent security patches, particularly Internet Explorer, so EKs have not yet run out of targets completely.
The main infection vector attackers use to deliver exploit kits, the RIG Exploit Kit in this case, is compromised websites that, when visited, serve the exploit code, which in turn fetches the RedLine Stealer payload to conduct follow-up attacks.
This recent campaign relying on RIG EK exploits CVE-2021-26411, an Internet Explorer memory-corruption vulnerability triggered when a malicious website is visited.
The Romanian cybersecurity company highlighted that the RedLine Stealer sample transmitted by RIG EK “comes packaged in several encryption layers to evade detection, with the malware unpacking continuing through as many as six phases.”
The attackers use the exploit to compromise the system and install RedLine, an effective information stealer widely sold on Russian-speaking forums.
The attackers then extract highly sensitive user data such as cryptocurrency keys, credit card information, and account credentials saved in web browsers.
Diversified Distribution
The fact that RedLine is in the hands of so many malicious actors, each with their own methodology, explains the variety of ways it spreads.
RedLine has previously been distributed via bogus Valorant cheats on YouTube, phoney Omicron stat counter programmes, counterfeit Windows 11 upgrades, and rogue Microsoft Excel XLL add-ins.
While those approaches require user interaction and target a larger audience, the adoption of the RIG Exploit Kit streamlines the overall infection process while restricting the victim set to those who still use a vulnerable version of Internet Explorer.
Safeguarding organizations against RedLine stealer:
Staff should be advised to be cautious about saving their credentials in the browser, but this alone does not provide full protection and is not reliable. It is critical to add further layers of defence. Here are three effective practices for reducing a company’s exposure to RedLine malware:
- Implementing multi-factor authentication – MFA ensures that even if login credentials are stolen, attackers will not be able to bypass the verification step, because the additional information required to prove an identity is typically far more difficult to obtain.
- Using a dedicated password manager – Password managers are useful tools that store all of the unique passwords in an encrypted database. The management system orchestrates them with a master password, allowing access to the password vault with a single password.
- Keeping all devices and software updated – Updating all of the company’s devices and software on a regular basis is an excellent way to maintain overall security, because these updates frequently carry much-needed patches for security vulnerabilities such as the one exploited here.
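The last point is only actionable if a defender can actually see which hosts still carry a vulnerable Internet Explorer. The script below is an added example, not code from the article or from any vendor mentioned in it: it reports, for one Windows host, whether Internet Explorer is present, which version is installed, and whether a given security update is listed. The KB identifier is a placeholder; the article does not state it, so it must be taken from Microsoft’s advisory for CVE-2021-26411 for the relevant OS build. The registry path and `svcVersion` value are the standard locations Windows uses for the IE version.

```powershell
# Added example (not from the article): per-host check for Internet Explorer
# presence and patch state, intended for an inventory or compliance sweep.
# ASSUMPTION: $RequiredKB is a placeholder; replace it with the cumulative
# update ID from Microsoft's CVE-2021-26411 advisory for your OS build.
$RequiredKB = 'KB-PLACEHOLDER-MARCH-2021'

function Get-IEPatchStatus {
    param(
        [string]$KB = $RequiredKB
    )

    # Internet Explorer records its version here; svcVersion is the
    # "real" (servicing) version, Version is the legacy string.
    $ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue

    # Get-HotFix queries Win32_QuickFixEngineering; it lists installed
    # updates by KB number. Match the required update exactly.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -eq $KB }

    $iePresent = [bool]$ie
    $kbInstalled = [bool]$installed

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        IEPresent    = $iePresent
        IEVersion    = if ($iePresent -and $ie.svcVersion) { $ie.svcVersion } else { 'n/a' }
        RequiredKB   = $KB
        KBInstalled  = $kbInstalled
        # A host is at risk for this campaign only if IE is present AND the
        # fixing update is missing; hosts without IE are not exposed via RIG.
        AtRisk       = ($iePresent -and -not $kbInstalled)
    }
}

# Run locally; in a fleet, wrap in Invoke-Command against a host list and
# collect the AtRisk rows for patch prioritisation.
Get-IEPatchStatus | Format-List
```

Two caveats a practitioner should keep in mind: `Get-HotFix` only reports updates installed through Windows Update or WSUS and can miss some servicing channels, so a missing KB should be cross-checked against the OS build number before a host is declared unpatched; and the check says nothing about whether users actually open Internet Explorer, so pairing it with proxy or EDR telemetry on IE process launches gives a better picture of real exposure.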