While the malware shares a command and control server with Redline, it diverges in behavior. Unlike Redline, this variant does not engage in typical actions like stealing browser information and saving passwords. The distribution of the malware involves packaging it as ZIP files containing an MSI installer which unpacks malicious files upon execution.

The installer prompts users to share the program with friends to unlock its full version, adding an element of social engineering to its propagation. Once installed, the malware establishes persistence through scheduled tasks and communicates with a command-and-control (C2) server to send system information and await further commands.

The method of initial infection remains unclear, but information-stealing malware like this is commonly disseminated through malvertising, deceptive software download sites, and other untrustworthy sources. Users are cautioned against downloading unsigned executables and files from dubious websites to mitigate the risk of infection.

This incident underscores the evolving tactics of cybercriminals, who exploit unsuspecting users by disguising malware as legitimate software. Even platforms like Microsoft's GitHub typically considered reliable are not immune to such threats. Collaboration with reputable security firms and adopting cautious browsing habits are essential to safeguard against these increasingly sophisticated attacks.

Impact

• Sensitive Information Theft
• Cryptocurrency Theft

Indicators of Compromise

SHA1

• e1eab61b64b46d27746c969d1bfb65c24c49a57e
• a67b14c2ddfda8f770cfeef0d3b676b433df500c
• 620c61603dfd44074133b20ae15f2b1a7478be9a
• 8b56571cd8c39978c657818f2ff6b05753c9fd94

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never download apps from unofficial sources.
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders.
• Passwords – Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.