False Omicron Stat Counter App Embedded with New RedLine Malware Version
A Recent Variant of the Well-Known Info-Stealer RedLine Has Emerged.
A false COVID-19 Omicron stat counter app is being leveraged as a lure in a current malicious campaign to distribute a new Redline malware version through emails.
What Is RedlLine Malware?
According to Bleeping Computer, RedLine is a well-known malware sold to threat actors in exchange for hundreds of dollars, being a provider of stolen user credentials for the dark web. Threat actors behind RedLine use various distribution techniques and are permanently developing the malware.
The data RedLine info-stealer usually targets details of credit cards, cookies, crypto wallet data, browser user credentials, IM content, VPN passwords, system data along FTP credentials.
What’s New in the Recent Version of RedLine Malware?
Researchers from Fortinet have recently published a report detailing a new variant of the RedLine malware encompassed in an executable dubbed “Omicron Stats.exe”.
The experts mentioned that
While we have not been able to identify the infection vector for this particular variant, we believe that it is being distributed via email. Past RedLine Stealer variants are known to have been distributed in COVID-themed emails to lure victims. The file name of this current variant, “Omicron Stats.exe,” was used just as the Omicron variant was becoming a global concern, following the pattern of previous variants. And given that this malware is embedded in a document designed to be opened by a victim, we have concluded that email is the infection vector for this variant as well.
It seems that the data points range the new variant exfiltrates was extended, as it targets names of graphics cards, BIOS manufacturer, identification code, serial number, release date, and version, Disk drive manufacturer, model, total heads, and signature along with processors (CPU) information like unique ID, processor ID, manufacturer, name, max clock speed, and motherboard information as per the researcher’s information.
After the Omicron Stats.exe is executed, the malware will be unpacked and then it will be injected into vbc.exe.
This new RedlIne malware version also targets applications like OpenVPN, Opera GX web browser, and ProtonVPN. What’s more, is that the info-stealer searches Telegram images with the purpose of detecting conversation histories and images which will be then transmitted to the servers of the threat actors. Eventually, local Discord resources are analyzed to identify and perform theft of database files, access tokens, and logs.
The researchers also mentioned that during their investigation of this recent malicious campaign employing a new version of the RedLine malware an IP address was located in Great Britain that was communicating with the C&C server by means of Telegram. It seems that the threat actors target victims from 12 different countries with no focus on certain individuals or companies.
This 149[.]154.167.91 IP address is located in Great Britain and is part of the Telegram Messenger Network. It seems that the C2 server may be controlled by the Redline operators through an abused Telegram messaging service. This conclusion is not a huge leap as the malware author(s) offer both dedicated purchasing and support lines through their respective Telegram groups.