ESET researchers have reported that the RedLine malware operation was disrupted after GitHub removed several repositories that the malware's operators used to manage it.
RedLine is a powerful information-stealing malware that has been active since 2020. It is capable of extracting credentials from browsers, FTP clients, emails, instant messengers, VPNs, and more. Additionally, the malware can steal authentication cookies, card numbers stored in browsers, chat logs, local files, and cryptocurrency wallet databases.
RedLine is sold on the dark web and via Telegram on a subscription basis. According to experts, it was offered by 23 of the 34 Russian-speaking hacking groups that distributed infostealers last year. In effect, customers buy access from the developers to a universal control panel that acts as the malware's command and control server, letting them generate new malware samples and manage the stolen data.
Working with specialists from the SaaS company Flare, ESET analysts discovered that RedLine control panels use GitHub repositories as dead drop resolvers, i.e. the panels fetch their current command and control location from content hosted in those repositories. The researchers identified four such repositories and promptly notified GitHub. GitHub suspended the repositories, which disrupted the operation of RedLine itself.