Privacy Ninja

New RedLine Malware Version Spread as Fake Omicron Stat Counter

A new variant of the RedLine info-stealer is distributed via emails using a fake COVID-19 Omicron stat counter app as a lure.

RedLine is a widespread commodity info-stealer sold to cybercriminals for a few hundred US dollars. It supplies dark web markets with over half of the stolen user credentials that are resold to other threat actors.

The malware is actively developed and continually improved, and it is deployed widely through multiple distribution methods.

RedLine targets user account credentials stored in browsers, VPN passwords, credit card details, cookies, instant-messaging content, FTP credentials, cryptocurrency wallet data, and system information.

The most recent variant was spotted by analysts at Fortinet, who noticed several new features and improvements on top of the existing information-stealing functionality.

Targeting additional data

The new variant has added some more information points to exfiltrate, such as:

  • Graphics card name
  • BIOS manufacturer, identification code, serial number, release date, and version
  • Disk drive manufacturer, model, total heads, and signature
  • Processor (CPU) information such as unique ID, processor ID, manufacturer, name, and maximum clock speed, plus motherboard information

This data is collected on first execution of the “Omicron Stats.exe” lure, which unpacks the malware payload and injects it into vbc.exe (the legitimate Visual Basic command-line compiler shipped with the .NET Framework, a common host for process injection because it is signed and normally present on Windows).

The additional apps targeted by the new RedLine variant are the Opera GX web browser, OpenVPN, and ProtonVPN.

Previous versions of RedLine targeted the regular Opera browser, but Opera GX is a separate “gamer-focused” edition that is growing in popularity.

Moreover, the malware now searches Telegram’s local data folders for images and conversation histories and sends them back to the threat actor’s servers.

Finally, the malware inspects local Discord data more thoroughly to find and steal access tokens, logs, and database files.

[Figure: new RedLine variant searching for Discord logs. Source: Fortinet]

Campaign characteristics

While analyzing the new campaign, researchers found an IP address in Great Britain communicating with the command and control (C2) server via the Telegram messaging service.

The victims are spread across 12 countries, and the campaign does not focus on specific organizations or individuals.

“This variant uses 207[.]32.217.89 as its C2 server through port 14588. This IP is owned by 1gservers,” explains the Fortinet report.

“Over the course of the few weeks after this variant was released, we noticed one IP address (149[.]154.167.91) in particular communicating with this C2 server.”
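The two concrete indicators this article gives are behavioural (the “Omicron Stats.exe” lure injecting into vbc.exe, described under “Targeting additional data”) and network-level (the C2 address and port quoted from the Fortinet report). The following is an added hunting example written for this page; it is not code from the article, from Fortinet, or from any vendor product. It assumes a Sysmon-style process-creation record (ParentImage/Image fields) and a simple “timestamp src:port -> dst:port” connection log, both constructed inline for illustration, and it assumes the injection is visible as the lure spawning vbc.exe as a child process, which is the usual shape of this technique but is not spelled out in the article. The defanged C2 address is kept exactly as published and refanged in code.

```python
"""Hunt for the RedLine indicators quoted in the article over constructed sample logs.

Added example, not the article's or Fortinet's code. Log formats and sample
records below are made up; the indicator values (lure name, vbc.exe as the
injection host, C2 207.32.217.89 on TCP port 14588) are the ones the article quotes.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators from the article, kept defanged as published and refanged below.
DEFANGED_C2 = "207[.]32.217.89"
C2_PORT = 14588
LURE_IMAGE = "omicron stats.exe"   # file name of the lure executable
INJECTION_TARGET = "vbc.exe"      # legitimate .NET compiler the stealer is injected into


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('207[.]32.217.89', 'hxxp://') back into a usable form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


C2_IP = ipaddress.ip_address(refang(DEFANGED_C2))


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_process_event(event: Dict[str, str]) -> Optional[Finding]:
    """Flag vbc.exe started by the lure (assumed visible shape of the injection)."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    if parent == LURE_IMAGE and image == INJECTION_TARGET:
        return Finding("redline_lure_spawns_vbc", f"{event['ParentImage']} -> {event['Image']}")
    return None


# Constructed log shape: "<timestamp> <src>:<sport> -> <dst>:<dport>"
CONN_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def check_connection(line: str) -> Optional[Finding]:
    """Flag traffic to the quoted C2; IP+port is the strong match, IP alone is weaker."""
    m = CONN_LINE.match(line.strip())
    if not m:
        return None  # unparseable line: ignore rather than guess
    if ipaddress.ip_address(m["dst"]) != C2_IP:
        return None
    if int(m["dport"]) == C2_PORT:
        return Finding("redline_c2_connection", line.strip())
    return Finding("redline_c2_host_contact", line.strip())


def hunt(process_events: List[Dict[str, str]], conn_lines: List[str]) -> List[Finding]:
    """Run both checks and return every finding, process events first."""
    findings: List[Finding] = []
    for event in process_events:
        f = check_process_event(event)
        if f:
            findings.append(f)
    for line in conn_lines:
        f = check_connection(line)
        if f:
            findings.append(f)
    return findings


# Constructed sample data (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\Downloads\Omicron Stats.exe"},
    {"ParentImage": r"C:\Users\alice\Downloads\Omicron Stats.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
    # Benign: a build tool compiling VB code also launches vbc.exe.
    {"ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
]
SAMPLE_CONN_LINES = [
    "2021-12-22T10:01:02Z 10.0.0.5:49712 -> 203.0.113.10:443",
    "2021-12-22T10:01:07Z 10.0.0.5:49730 -> 207.32.217.89:14588",
    "2021-12-22T10:01:09Z 10.0.0.5:49731 -> 207.32.217.89:80",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_CONN_LINES):
        print(f"[{finding.rule}] {finding.evidence}")
```

The process check deliberately matches on the parent being the lure rather than on vbc.exe alone, since vbc.exe is launched legitimately by build tooling; the network check splits the IP-and-port match from an IP-only match so that contact with the host on another port is still surfaced but can be triaged with lower priority. The secondary IP quoted in the report (149[.]154.167.91) is not used as a victim-side indicator here, because the article presents it as an observer of the C2, not as infrastructure victims connect to.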

As this is a new version of RedLine, we will likely see other threat actors adopt its use soon.
