Rewterz Threat Alert – RedLine Stealer – Active IOCs

Severity

High

Analysis Summary

RedLine Stealer is a type of malware that is used to steal sensitive information from infected computers. It is considered a relatively simple piece of malware and is often used as part of malicious campaigns to gather the information that can be used for further attacks. Redline can steal information from web browsers and has the ability to corrupt operating systems by installing harmful software. It steals user information from browsers, instant messaging applications, and file transfer protocol clients. According to the researchers, the malware first appeared in March 2020. Redline expanded throughout several nations during the COVID-19 epidemic and is still active today. Passwords, credit card information, cookies, usernames, locations, autofill data, and even hardware configurations such as keyboard layout, and UAC settings can be stolen by RedLine. RedLine is also capable of stealing cryptocurrency. This malware is a live campaign that is aimed at a variety of Asian organizations.

RedLine Stealer is considered a significant threat to individuals and organizations, as it can result in the theft of sensitive and valuable information. To protect against RedLine Stealer and other similar threats, it is recommended that individuals and organizations implement a robust cybersecurity program, including regular software updates, anti-malware protection, and employee training on the dangers of phishing and social engineering.

Impact

• Data Exfiltration
• Credential Theft
• Information Theft
• Financial Loss

Indicators of Compromise

MD5

ac77d649ebe1b648b4f67d023764a6ba
7ecbba643628f94ba19830291265d89c
a346afb6ac91d3c334389ee2a77375a9
2ba9e00bc5c34d1783e06a1a31f487d6
7c04add1396e063b621c65edf62a70b0
e0b75df6a7bb685a583f660b432412b3

SHA-256

b1e6b40dc89067c0df47a56be6d53dc365f154fc99985926e0db267d291e494a
d7f94c05f6d679ea0df97e773ee754166ecee640bd2b93e2b533bab9568cae84
128d2d2a6a859ba8f5d85b83bea6e97c360092672e84a1265a0efa3882456fb1
e976d956193d784606894bd29c825ab735629a9c7b15003209d031dc5b241f85
cd696e74d227b860465c0e30cd88140851a505aa91056c8a235faca2605d9494
2092daee7f4e0137f6295f3a4c8c4e159a5b5ab2da70d51c89ffe83a41d2a6a7

SHA-1

7df085d7d03e34ee988a1cb5f436454f8dbc69bf
03cf7509b4864f9d7f47ef65a47560083c4446e1
7400fc454ceb0afbfd06c3488fbc41c8b91b28ab
3e0cd567e031c669b1582002bb96f90005187430
27cc9bbb0736bc73ffa2bdf4a95f3c279f715685
724c076622a94c9b836981570dfe9fc9cd58557e

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets