A new variant of the RedLine malware has been discovered that spreads via emails using a fake Omicron stat counter app. RedLine is a commodity malware that is available for a couple of hundred dollars.
RedLine malware out on a hunting
The latest variant of RedLine was spotted by Fortinet researchers in the form of Omicron Stats[.]exe file.
The malware harvests credentials saved on VPN services including OpenVPN, ProtonVPN, and Opera GX.
The malware searches Telegram folders to find images and conversation histories and sends them to the attacker’s servers.
Moreover, it thoroughly inspects local Discord resources to find and steal logs, database files, and access tokens.
The victims of the attack campaign are reportedly distributed across 12 countries.
Added capabilities
The variant has been upgraded with multiple improvements along with the already existing information-stealing ability. The new variant now steals a wide range of data, such as graphics card name, BIOS manufacturer, identification code, serial number, release date, version, and disk drive manufacturer details.
Additional details
An IP address was found in Great Britain communicating with the C2 server through Telegram.
The new variant uses 207[.]32[.]217[.]89 as a C2 server at port 14588 and is owned by 1gservers.
After a few weeks of being released, another IP address (149[.]154[.]167[.]91) communicated with this C2 server.
Conclusion
RedLine operators are insensitively taking advantage of the ongoing COVID-19 crisis. This variant is more capable and steals more information than previous variants. Security teams are advised to deploy a reliable anti-malware solution, encrypt important data, and use a network firewall, to say the least, to stay protected.