
RIG EK Abuses IE Vulnerability to Spread RedLine Malware

Researchers have disclosed a campaign employing RIG Exploit Kit (EK) to spread RedLine stealer malware. RIG EK abuses CVE-2021-26411, an Internet Explorer (IE) flaw causing memory corruption.

About the malware campaign 

Researchers from Bitdefender have spotted the recent campaign and found that RIG EK is abusing CVE-2021-26411 to start an infection process that spreads a copy of the RedLine stealer in packed form.
  • The exploit creates a new command-line process to drop a JavaScript file at a temporary directory.
  • This file is used to download a second RC4-encrypted payload, which is later executed.
  • To evade antivirus detection, the resulting DLLs are loaded in memory only and are never written to disk.

About RedLine stealer

Once RedLine is dropped on a compromised machine as an obfuscated .NET executable, it tries to connect to the C2 server (185.215.113.121:15386). RedLine sends a package of system details to the C2, such as the Windows username, serial number, list of installed software and running processes, active language, a screenshot, and time zone.
  • Unpacking the malware is a six-stage process that includes runtime decryption, decompression, key retrieval, and assembly loading.
  • Communication uses an encrypted non-HTTP channel; the first request performs authorization, and the second request receives a list of settings that determines which actions the stealer performs.
  • Subsequently, RedLine collects data according to those settings, targeting various software such as FTP clients, VPNs, Discord, Telegram, Steam, cryptocurrency wallets/plugins, and web browsers, including Chrome, Opera, and Firefox.
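A defender-side triage check for the two observables described above (IE spawning a command-line process that drops a .js file in a temporary directory, and an outbound connection to the reported C2 address), written here as an added example and not taken from the Bitdefender or Cyware write-up; the event field names and the sample telemetry are constructed assumptions, not real logs.

```python
import re

# C2 indicator quoted in the campaign summary above (IP, port).
REDLINE_C2 = ("185.215.113.121", 15386)

# Constructed sample telemetry (assumed field names, not real logs):
# process-creation events and network-connection events from one host.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c echo x > C:\Users\alice\AppData\Local\Temp\abc.js'},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "dst_ip": "185.215.113.121", "dst_port": 15386},
    {"type": "network", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
]

# A .js path under a Temp/tmp directory somewhere in the command line.
TEMP_JS = re.compile(r"\\(?:Temp|tmp)\\[^\\\s]+\.js\b", re.IGNORECASE)


def is_ie_dropper(ev):
    """IE spawning cmd.exe/powershell.exe whose command line writes a .js into a temp dir."""
    if ev.get("type") != "process":
        return False
    parent = ev.get("parent", "").lower()
    image = ev.get("image", "").lower()
    if not parent.endswith("\\iexplore.exe"):
        return False
    if not (image.endswith("\\cmd.exe") or image.endswith("\\powershell.exe")):
        return False
    return TEMP_JS.search(ev.get("cmdline", "")) is not None


def is_redline_c2(ev):
    """Outbound connection matching the reported RedLine C2 address and port."""
    if ev.get("type") != "network":
        return False
    return (ev.get("dst_ip"), ev.get("dst_port")) == REDLINE_C2


def triage(events):
    """Return (rule_name, detail) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        if is_ie_dropper(ev):
            alerts.append(("ie_js_dropper", ev["cmdline"]))
        elif is_redline_c2(ev):
            alerts.append(("redline_c2", ev["image"]))
    return alerts
```

Both rules are deliberately narrow; the process rule keys on the IE parent, so it will not fire on the benign explorer.exe-spawned cmd.exe in the sample.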

Conclusion

It seems the infamous RIG EK is now making a comeback by incorporating a vulnerability in IE. Thus, ensure that anti-virus and EDR solutions possess exploit detection capabilities. Further, use the published IOCs for hunting and blocking, and keep operating systems and third-party applications updated with the latest security fixes.
Cyware Publisher
