New RedLine Malware Version Spread as Fake Omicron Stat Counter

A new variant of the RedLine info-stealer is distributed via emails using a fake COVID-19 Omicron stat counter app as a lure.

RedLine is a widespread commodity malware sold to cyber-criminals for a couple of hundred USD. It supplies dark web markets with over half of the stolen user credentials sold to other threat actors.

The malware is actively developed and continually improved, and it is deployed widely through multiple distribution methods.

RedLine targets user account credentials stored in the browser, VPN passwords, credit card details, cookies, IM content, FTP credentials, cryptocurrency wallet data, and system information.

The most recent variant was spotted by analysts at Fortinet, who noticed several new features and improvements on top of its existing information-stealing functionality.

Targeting additional data

The new variant collects additional host information for exfiltration, such as:

  • Graphics card name
  • BIOS manufacturer, identification code, serial number, release date, and version
  • Disk drive manufacturer, model, total heads, and signature
  • Processor (CPU) information such as unique ID, processor ID, manufacturer, name, and maximum clock speed
  • Motherboard information

This data is fetched upon the first execution of the “Omicron Stats.exe” lure, which unpacks the malware and injects it into vbc.exe, the legitimate Visual Basic .NET compiler shipped with the .NET Framework. Running inside a Microsoft-signed binary helps the stealer blend in, but it is also an anomaly worth alerting on: vbc.exe should not normally be spawned by a downloaded executable or be making outbound network connections.

The additional apps targeted by the new RedLine variant are the Opera GX web browser, OpenVPN, and ProtonVPN.

Previous versions of RedLine targeted regular Opera, but Opera GX is a special “gamer-focused” edition that is growing in popularity.

Moreover, the malware now searches Telegram folders for images and conversation histories and sends them back to the threat actor’s servers.

Finally, local Discord resources are inspected more thoroughly to discover and steal access tokens, logs, and database files.

[Figure: New RedLine variant searching for Discord logs. Source: Fortinet]

Campaign characteristics

While analyzing the new campaign, researchers found an IP address in Great Britain communicating with the command-and-control (C2) server via the Telegram messaging service.

The victims are spread across 12 countries, and the attack doesn’t focus on specific organizations or individuals.

“This variant uses 207[.]32.217.89 as its C2 server through port 14588. This IP is owned by 1gservers,” explains the Fortinet report.

“Over the course of the few weeks after this variant was released, we noticed one IP address (149[.]154.167.91) in particular communicating with this C2 server.”
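The two concrete indicators the article gives, the C2 endpoint 207.32.217.89 on port 14588 and the “Omicron Stats.exe” lure spawning vbc.exe as an injection host, can be turned into simple hunting logic. The script below is an added example, not code from the Fortinet report or the original article. It scans constructed firewall records and constructed Sysmon-style process-creation events; every log line, hostname and path in it is made up for illustration, and the IP is written undefanged so the code runs. The process rule goes beyond the single lure name: it also flags vbc.exe launched by any non-build-tool parent sitting in a user-writable directory, which is the general pattern behind this campaign. The list of benign parents is an assumption to tune per environment.

```python
"""Added hunting example (not from the Fortinet report or the original article).
Scans constructed data for the indicators described above: the RedLine C2
endpoint 207.32.217.89:14588 and "Omicron Stats.exe" spawning vbc.exe, the
legitimate .NET Visual Basic compiler. All records below are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators taken from the report text quoted above.
C2_IP = ipaddress.ip_address("207.32.217.89")
C2_PORT = 14588
LURE_NAME = "omicron stats.exe"
INJECTION_HOST = "vbc.exe"

# Assumption: vbc.exe is normally launched by build tooling; anything else
# launching it from a user-writable directory deserves a look.
BENIGN_VBC_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")

# Constructed firewall records: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"
FIREWALL_LOG = """\
2021-12-20T09:14:02Z 10.0.4.17:51822 -> 142.250.74.46:443 tcp allow
2021-12-20T09:14:05Z 10.0.4.17:51830 -> 207.32.217.89:14588 tcp allow
2021-12-20T09:14:09Z 10.0.4.22:49211 -> 207.32.217.89:443 tcp allow
2021-12-20T09:15:31Z 10.0.4.17:51844 -> 207.32.217.89:14588 tcp deny
"""
FW_LINE = re.compile(r"^(\S+) (\S+):\d+ -> (\S+):(\d+) \w+ (\w+)$")

# Constructed process-creation events (Sysmon Event ID 1 style fields).
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"ts": "2021-12-20T09:13:58Z", "host": "WS-0417",
     "image": r"C:\Users\alice\Downloads\Omicron Stats.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2021-12-20T09:14:01Z", "host": "WS-0417",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent": r"C:\Users\alice\Downloads\Omicron Stats.exe"},
    {"ts": "2021-12-20T09:20:44Z", "host": "WS-0422",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"ts": "2021-12-20T09:31:10Z", "host": "WS-0431",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent": r"C:\Users\bob\AppData\Local\Temp\setup.exe"},
]


@dataclass
class Hit:
    severity: str   # "high" or "medium"
    timestamp: str
    source: str     # client IP or hostname
    reason: str


def scan_connections(log: str) -> List[Hit]:
    """Flag every connection to the C2 host; an exact ip:port match is high."""
    hits = []
    for line in log.splitlines():
        m = FW_LINE.match(line)
        if not m:
            continue  # skip malformed records instead of aborting the scan
        ts, src, dst, dport, action = m.groups()
        if ipaddress.ip_address(dst) != C2_IP:
            continue
        if int(dport) == C2_PORT:
            hits.append(Hit("high", ts, src, f"RedLine C2 {dst}:{dport} ({action})"))
        else:
            hits.append(Hit("medium", ts, src, f"traffic to C2 host {dst} on port {dport} ({action})"))
    return hits


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def scan_process_events(events: List[Dict[str, str]]) -> List[Hit]:
    """Flag vbc.exe launched by the lure (high), or by an unexpected parent
    living in a user-writable directory (medium)."""
    hits = []
    for ev in events:
        if _basename(ev["image"]) != INJECTION_HOST:
            continue
        parent = ev["parent"]
        parent_name = _basename(parent)
        if parent_name == LURE_NAME:
            hits.append(Hit("high", ev["ts"], ev["host"], f"vbc.exe spawned by known lure {parent}"))
        elif parent_name not in BENIGN_VBC_PARENTS and any(
            marker in parent.lower() for marker in USER_WRITABLE_MARKERS
        ):
            hits.append(Hit("medium", ev["ts"], ev["host"], f"vbc.exe spawned from user-writable path {parent}"))
    return hits


if __name__ == "__main__":
    for hit in scan_connections(FIREWALL_LOG) + scan_process_events(PROCESS_EVENTS):
        print(f"[{hit.severity}] {hit.timestamp} {hit.source}: {hit.reason}")
```

Any contact with the C2 address is reported even when the port differs, because a stealer operator can move ports while keeping the server; the denied connection is still a hit, since a blocked beacon still means an infected host. On real data, feed the functions your own export formats and extend BENIGN_VBC_PARENTS with whatever legitimately builds VB.NET code in your environment.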

As this is a new version of RedLine, we will likely see other threat actors adopt its use soon.
