Global campaign - Germany hardest hit after India: Password thief RedLine Stealer steals confidential login information from Internet Explorer users. The outdated browser is exposed through a serious vulnerability.
Bitdefender Labs is currently observing an intensive campaign to deploy malicious code using the RIG exploit kit. Among other things, the attackers distribute the password thief RedLine Stealer to exfiltrate sensitive credentials such as passwords, credit card information, crypto wallets, and VPN login details. After India, Germany is the country most affected by the global campaign, which has increased significantly in intensity since the beginning of April.
RIG exploit kit for Internet Explorer
Cybercriminals distribute the RIG exploit kit, which targets the Internet Explorer vulnerability CVE-2021-26411, via advertisements placed on legitimate websites. They then exploit this vulnerability to deliver the RedLine Stealer payload, among other things.
This malware first systematically profiles the target system, collecting usernames, hardware details (processor, graphics card and memory), the installed browsers and antivirus solutions, running processes and the time zone. It then sends this information to the command and control server, together with the data it harvests: passwords, credit card information, access data for numerous crypto wallets, login data for various VPN providers (NordVPN, OpenVPN, ProtonVPN), browser cookies, login data and chat logs from instant messaging services such as Telegram, and content stored for the automatic completion of online forms. The malware also searches files for text matching a predefined search pattern.
About RedLine Stealer and RIG
RedLine Stealer is a low-cost password stealer that its creators offer on underground forums. In addition to passwords and credit card information, it also steals other sensitive data and sends it to the command and control server. Security experts from Cyberint, Proofpoint and HP analyzed the RedLine Stealer source code in 2020 and 2021.
What businesses and consumers should do now
There are several points that IT administrators and home users should now consider:
- You should ensure that your antivirus and endpoint detection and response solutions detect these exploits.
- You should look out for indicators of compromise such as file signatures and connections to specific IP addresses. Specific indicators can be found in the Bitdefender research below.
- Businesses and private users should keep operating systems, browsers and third-party software up to date and prioritize updating systems.
About Bitdefender
Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de