The new malware is called RedLine, and it represents a serious security problem because of the widespread use of the password-saving function that web browsers offer for automatic login to online services.
In a report detailing their analysis, the AhnLab ASEC experts focused on the information RedLine steals during its attacks, which target the most popular web browsers: Google Chrome, Microsoft Edge and Opera.
RedLine: how the password-stealing malware works
The stealer in question is a purpose-built information-stealing tool that can be purchased for around $200 on cybercrime forums. Installing and running it requires no special knowledge or effort on the operator's part: RedLine can be used by anyone with a minimum of familiarity.
The example described by the analysts shows the steps RedLine operators took to steal a remote employee's VPN account credentials, which were used three months later to compromise the company's network.
This happened even though an anti-malware solution was installed on the infected computer; it was unable to detect and remove RedLine.
The malware targets the login data file that all Chromium-based browsers keep. It is a SQLite database (an open-source DBMS that needs no standalone server process and keeps the whole database in a single file on disk) in which usernames and passwords are stored.
Even when users decline to store their credentials in the browser, the password management system still adds an entry recording that the site has been blacklisted ("never save"). Attackers cannot steal a password from a blacklisted entry, but they learn that the account exists, which lets them go after it with credential stuffing or brute-force attacks, or through social engineering.
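To see concretely what a Chromium profile's login data file gives away, here is an added example (not from the AhnLab report) that audits such a database for saved-credential rows and for the "never save" markers described above. The schema is a subset of Chromium's real `logins` table, the sample rows are constructed, and stored passwords are never decrypted or printed.

```python
import sqlite3
from dataclasses import dataclass, field

# Subset of Chromium's real "logins" table (Login Data file): the columns a
# stealer reads. password_value is an OS-encrypted blob and is never decoded here.
LOGINS_SCHEMA = """
CREATE TABLE logins (
    signon_realm        VARCHAR NOT NULL,
    username_value      VARCHAR,
    password_value      BLOB,
    blacklisted_by_user INTEGER NOT NULL
)"""


@dataclass
class Exposure:
    saved: list = field(default_factory=list)        # (realm, username) pairs
    blacklisted: list = field(default_factory=list)  # realms marked "never save"


def audit_login_data(conn: sqlite3.Connection) -> Exposure:
    """Classify each row as a stored credential or a 'never save' marker."""
    report = Exposure()
    query = "SELECT signon_realm, username_value, blacklisted_by_user FROM logins"
    for realm, user, blacklisted in conn.execute(query):
        if blacklisted:
            # No password stored, but the row still reveals that the account exists.
            report.blacklisted.append(realm)
        else:
            report.saved.append((realm, user or ""))
    return report


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample rows standing in for a real profile's Login Data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(LOGINS_SCHEMA)
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", [
        ("https://vpn.example.test/", "remote.employee", b"\x01blob", 0),
        ("https://mail.example.test/", "remote.employee", b"\x01blob", 0),
        ("https://bank.example.test/", "", b"", 1),  # user clicked "Never"
    ])
    return conn


if __name__ == "__main__":
    result = audit_login_data(build_sample_db())
    for realm, user in result.saved:
        print(f"SAVED   {realm} ({user})")
    for realm in result.blacklisted:
        print(f"EXISTS  {realm} (never-save marker, no password)")
```

Every realm the script lists, saved or merely blacklisted, is information a stealer would exfiltrate; the saved entries are the ones to move into an external password manager and delete from the browser.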
It is worth underlining, therefore, how important it is not to save logins in the web browser, should that be one's habit. It has never been a good security and privacy practice, and it is even less so now, in light of what has been discovered about RedLine. Using a good password manager outside the browser is far safer and more reliable.
Tips for preventing RedLine infection
Preventing a RedLine infection in the first place is just as important. We need to adopt habits that keep this malware off our computers, at least as firmly as we commit to not saving passwords in the browser.
We know that RedLine spreads (especially recently, as analysts have found) through malicious XLL files (files that look like Excel files but carry malware), which are usually delivered through convincing invitations to download them from phishing websites, typically via links to Google Drive, the preferred hosting for these malicious files.
The first line of defence is therefore extreme attention to phishing: always check carefully which website you are on (including the complete domain name) and make sure it is one you know before downloading any file, however tempting. A file from a well-known site is unlikely to be delivered through a Google Drive share; if that is the situation, treat it as suspicious and examine it.
A cyber-hygiene to stop illegal data trade
What must be clear is that if we avoid the infection a priori (before any antivirus has a chance to warn us), through good practices and careful attention alone, RedLine has no way to operate, and the trade in this volume of stolen data will shrink, rendering it harmless.
After stealing the credentials, attackers use them in further attacks or try to sell them on DarkNet markets. An example of how popular RedLine has become among cybercriminals is the rise of the 2easy underground market, where half of all data sold was stolen using this malware.
Another telling figure comes from our own monitoring of the main forums in this sector (essentially RaidForums, BHF and Demon Forums): in December alone, up to the time of writing, we counted 20 different advertisements selling logs, credentials and other useful information exfiltrated with RedLine.
In the last few hours, moreover, the popular data breach notification service Have I Been Pwned, run by researcher Troy Hunt, added 441,000 email addresses to its lists, taken from a server that held more than 6 million logs stolen with RedLine and that the threat actor had not adequately protected.
These are precisely the logs that are then offered for sale individually on the forums.