Zscaler specialists discovered several malicious campaigns in which the RedLine infostealer is distributed under the guise of various pirated software, including 3DMark, Adobe Acrobat Pro, MAGIX Sound Force Pro, and so on.
The researchers say that SEO poisoning and malicious advertising are used to promote sites with dangerous “pirates”, which allows attackers to rank high in Google search results.
Users are lured to such sites by offering free pirated versions of Adobe Acrobat Pro, 3DMark, 3DVista Virtual Tour Pro, 7-Data Recovery Suite, MAGIX Sound Force Pro, Wondershare Dr. Fone, as well as various cracks and key generators.
At the same time, malicious executables masquerading as promised software installers are often placed on third-party file hosting sites, so landing pages only redirect victims to other places to download files.
The downloaded files are usually archives containing a password-protected 1.3 MB ZIP file (to avoid the attention of anti-virus software) as well as a TXT file with a password. When unpacking, such a file is artificially reduced to 600 MB by filling it with unnecessary bytes.
The resulting executable is a malware loader that spawns an encoded PowerShell command, and thus launches the Windows command prompt (cmd.exe) even after a 10 second timeout. The cmd.exe process in turn downloads a fake JPG file, which is actually a DLL file with the contents in reverse order.
The loader reorders the contents of the file, extracting the DLL and the RedLine infostealer payload.
Redline Stealer is a very powerful malware designed to steal information. It is capable of extracting credentials from browsers, FTP clients, email, instant messengers, and VPNs. In addition, the malware can steal authentication cookies and card numbers stored in browsers, chat logs, cal files and database of cryptocurrency wallets. Currently, RedLine Stealer is actively sold on the dark web, and a monthly subscription costs approximately $100.
Zscaler analysts note that in some cases, attackers used another malware to steal data – RecordBreaker. The malware has been packaged with Themida to obfuscate and prevent detection. The RecordBreaker steals just as much data as the Redline Stealer, so it doesn’t really matter to the victims which payload was used by the hackers.