Redline Malware Used to Steal Passwords from Browsers and Corporate VPNs

Redline malware is now the most commonly used information stealer and is being used in attacks on businesses and consumers. Redline malware first appeared in early 2020 and the number of victims has been steadily growing, and on some cybercrime forums, around half of all stolen credentials listed for sale have come from Redline malware infections.

Redline malware is a commodity malware that is being sold on cybercrime forums for around $200. The malware is easy to use, requires little skill, and can be used in lucrative attacks. The malware is distributed through a variety of methods, including phishing emails, pirated software, and YouTube scams.

Redline malware can steal a wide range of information once installed, including financial data such as credit card numbers, credentials, cookies, VPN/FTP credentials, cryptocurrency wallets, and autocomplete information stored in browsers such as Chrome, Opera, and Edge. The stolen information is saved in an archive that is uploaded to a remote server and is then misused or sold on cybercrime forums. Redline malware can also download additional payloads on infected systems and attackers can remotely run commands.

The extent to which the malware variant has been used was recently confirmed by security researcher Bob Diachenko, who identified a server used by the operator of the malware to store the archives – named logs – from infected devices. While this server should have been secured to prevent unauthorized access, the attacker had unwittingly left it exposed over the Internet. Diachenko found 6 million logs that had been exfiltrated by the malware between August and September 2021. The server does not appear to still be in use as in the days since the discovery the number of logs on the server has not increased.

An analysis of the logs revealed there were multiple files for many of the victims, with a separate log created for different accounts. Diachenko supplied the logs to Have I Been Pwned which has now added 441,657 unique email addresses to its database that have been compromised by Redline malware.

Some of the logs contained LastPass master passwords, which Diachenko has suggested could account for the recent suspected LastPass data breach. LastPass confirmed its systems had not been breached and suggested a credential stuffing campaign was behind the fraudulent attempts to access users’ accounts using their genuine LastPass master passwords.

AhnLab SEC has recently issued a warning about storing passwords in browsers, as while convenient for logging into online service, infection with Redline malware can see those passwords stolen. Passwords stored in browsers are encrypted, but that does not prevent the passwords from being obtained and decrypted. As long as the user is logged in, the malware can programmatically decrypt encrypted passwords and extract them from the browser profile. When users refuse to store a password in the browser, the browser will still note that a user has an account and will mark the site as blacklisted. That means that while the attacker will not have the password, it will allow them to easily perform credential stuffing attacks using the passwords that have already been obtained in the hope that the user has used the same passwords to secure multiple accounts.

The malware highlights the security risks of storing passwords in browsers and of reusing the same password on multiple websites. It is far better to use a password manager for storing passwords and to use the password generator of a password manager to generate a unique password for all online accounts. As an additional security measure, you should also configure multifactor authentication on all accounts, especially highly sensitive accounts such as online banking, email, etc.

If your email account is included in the Redline sample it is important to conduct a scan using antivirus software to remove all traces of Redline malware and to change ALL passwords.

Author: NetSec Editor