Rewterz Threat Alert – RedLine Stealer – Active IOCs
February 14, 2022Rewterz Threat Advisory – Multiple Node.js Vulnerabilities
February 15, 2022Severity
Medium
Analysis Summary
In early 2016, LokiBot was originally made available on underground forums for cybercriminals to use against Microsoft Android phones. This malware steals sensitive information including, usernames, cryptocurrency wallets, and other credentials via Trojan software. Malware grabs credentials by monitoring browser and desktop activities from the password storage using a keylogger. LokiBot can also install a backdoor into affected systems, allowing an attacker to install other payloads. Spam emails, communication channels such as SMS, Skype, and malicious websites are all used to spread LokiBot. To keep track of what users are doing (for instance, recording keystrokes), this malware can be utilized.
Impact
- Information Theft
- Exposure of Sensitive Data
- Credential Theft
Indicators of Compromise
IP Address
- 192[.]227[.]129[.]60
MD5
- 8d2374ca90b2fa4c236af40e89de41a7
- 1662b1c6e8a2e10406b8ac5217d9888f
- ed457ebace5e92818a8863088c2d5bc6
SHA-256
- da3208711d472f6c9af1141faa1272cab7b80cbaef1cfe0c24c5b1597f7a0c99
- 9faa1e0ec64017af9d2ec7a844046ea3baf425de027afc3bd100712f377a9570
- e02e76b801c04fa9909a938660de5a477fded8303b54d7a51f6a5bb2a8177398
SHA-1
- f92315f8bb635d7934dd77657a11b482bd70464e
- 36591bd5d31214cbbc0153775bbdbef29e31318e
- 43c7fa12d8ac0b778019a7dc6923b6de627f19dd
URL
- http[:]//164[.]90[.]194[.]235/?id=20300464226184894
- http[:]//secure01-redirect[.]net/gd2/fre[.]php
- http[:]//192[.]227[.]129[.]60/399/vbc[.]exe
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.