{"id":17994,"date":"2022-02-02T10:19:03","date_gmt":"2022-02-02T18:19:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11727\/"},"modified":"2022-02-02T10:19:03","modified_gmt":"2022-02-02T18:19:03","slug":"news-11727","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11727\/","title":{"rendered":"COVID Omicron Variant Lure Used to Distribute RedLine Stealer"},"content":{"rendered":"
\n
\n
<\/div>\n<\/p><\/div>\n
\n

FortiGuard Labs<\/a>\u00a0Threat Research Report<\/h2>\n

Affected Platforms:<\/b> Windows
Impacted Users:<\/b> Windows users
Impact: <\/b>Various data including confidential information on the compromised machine will be stolen
Severity Level: <\/b>Medium<\/p>\n

Just like the previous year, 2021 ended with COVID and 2022 started with the same. The only difference is that the world is now dealing with the new Omicron variant rather than the Delta variant, which emerged in April 2021. While reportedly less lethal than its predecessor, the Omicron variant has a much higher transmission rate, and as a result, daily counts of new Omicron patients have become a global concern. This has renewed heightened concern about the pandemic, and as we have all sadly learned, threat actors don\u2019t shy away from using misery and fear to their advantage.<\/p>\n

FortiGuard Labs<\/a> recently came across a curiously named file, \u201cOmicron Stats.exe\u201d, which turned out to be a variant of Redline Stealer malware. This blog will look at the Redline Stealer malware, including what\u2019s new in this variant, its core functions, how it communicates with its C2 server, and how organizations can protect themselves. <\/p>\n

RedLine Stealer<\/h3>\n

Before talking specifics on this new RedLine Stealer variant, let\u2019s review what we know about RedLine Stealer in general.<\/p>\n

The first reports of RedLine Stealer go back to at least March of 2020 and it quickly became one of the more popular infostealers sold in underground digital markets. The Information harvested by RedLine Stealer is sold on the dark net marketplace<\/a> for as low as 10 US dollars per set of user credentials. The malware emerged just as the world began to deal with increased numbers of COVID patients and the growing fear and uncertainty that can cause people to lower their guard, which may have prompted its developers to use COVID as its lure.<\/p>\n

According to the CIA, open source intelligence, or OSINT, is intelligence \u201cdrawn from publicly available material,\u201d although it can include sources only available to specialists or subscribers. Based on the global OSINT information collected and analyzed by FortiGuard Labs, the current Redline Stealer includes the following functionalities. <\/p>\n

Normally, these are the victims whose systems have been infected with any of the above-mentioned stealers, due to which victim have unknowingly had their account passwords and full browser details recorded, and then sent to marketplace operators. Generally, in such cases, each user profile includes login credentials for accounts on online payment portals, e-banking services, file-sharing or social networking platforms. As such, it attempts to collect the following information from browsers installed on the compromised machine, including all Chromium-based browsers and all browsers based on Gecko (i.e. Mozilla):<\/p>\n

    \n
  1. Stored system information:\n
      \n
    1. Login and passwords<\/li>\n
    2. Cookies<\/li>\n
    3. Auto-Fill Forms<\/li>\n
    4. Browser User Agent Details<\/li>\n
    5. Credit Card information<\/li>\n
    6. Browser history<\/li>\n<\/ol>\n<\/li>\n
    7. Installed FTP clients<\/li>\n
    8. Installed IM clients<\/li>\n
    9. It also engages in highly configurable information collection based on file path and file extension, including searching in subfolders.<\/li>\n
    10. It sets up a blacklist of countries where Redline Stealer will not function<\/li>\n
    11. It also collects the following machine information\n
        \n
      1. \u00a0IP<\/li>\n
      2. Country<\/li>\n
      3. City<\/li>\n
      4. Current user name<\/li>\n
      5. Hardware ID<\/li>\n
      6. Keyboard layouts<\/li>\n
      7. Screenshot<\/li>\n
      8. Screen resolution<\/li>\n
      9. Operating system<\/li>\n
      10. UAC settings<\/li>\n
      11. User-Agent<\/li>\n
      12. Information about PC components such as video cards and processors<\/li>\n
      13. Installed antivirus solution<\/li>\n
      14. Data\/Files from common folders such as desktop\/downloads, etc.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n
        \u00a0<\/div>\n
        The current variant continues to perform all these functions. However, this new version includes additional changes and improvements, which are detailed below: <\/div>\n

        Infection vector for the RedLine Stealer variant (Omicron Stats.exe)<\/b><\/h3>\n

        While we have not been able to identify the infection vector for this particular variant, we believe that it is being distributed via email. Past RedLine Stealer variants are known to have been distributed in COVID-themed emails to lure victims. The file name of this current variant, \u201cOmicron Stats.exe,\u201d was used just as the Omicron variant was becoming a global concern, following the pattern of previous variants. And given that this malware is embedded in a document designed to be opened by a victim, we have concluded that email is the infection vector for this variant as well. <\/p>\n

        Victimology<\/b><\/h3>\n

        Based on the information collected by FortiGuard Labs, potential victims of this RedLine Stealer variant are spread across 12 countries. This indicates that this is a broad-brush attack and that the threat actors did not target specific organizations or individuals.<\/p>\n

        Functionality<\/b><\/h3>\n

        Once Omicron Stats.exe is executed, it unpacks resources encrypted with triple DES using ciphermode ECB and padding mode PKCS7. Unpacked resources are then injected into vbc.exe. It copies itself to\u00a0C:Users[Username]AppDataRoamingchromedrlvers.exe and creates the following scheduled task for persistence:<\/p>\n

        schtasks \/create \/sc minute \/mo 1 \/tn "Nania" \/tr
        "’C:Users[Username]AppDataRoamingchromedrlvers.exe’" \/f<\/p>\n

        The malware then attempts to exfiltrate the following system information from Windows Management Instrumentation (WMI):<\/p>\n