
How RedLine works, the malware that steals passwords


The phishing and smishing attacks that continue to land on users' devices all over the world every day were apparently not enough. A new web threat, named RedLine, brings consequences that should not be underestimated, because it exploits a feature that users of the most popular browsers rely on constantly: saving passwords so that websites can be accessed automatically.

Security researchers at AhnLab ASEC investigated the dangers of the RedLine malware and illustrated how it works in a detailed report published in the last days of 2021. Beyond confirming the growth of cybercrime, the news is an implicit reminder that cyber attacks will unfortunately continue to threaten our digital lives, forcing users to stay alert when browsing the Internet.

As anticipated, RedLine behaves differently from some similar malware seen last year. While Joker, for example, targets Android devices, using "flirtatious" apps uploaded to the Play Store to remotely activate paid services on the targeted user's SIM card, RedLine targets web browsers based on Gecko or Chromium (Google Chrome and Microsoft Edge, for example) to carry out its criminal intent. In particular, the malware steals cookies, credentials (usernames and passwords) and credit card data stored in browsers, as well as FTP and instant messaging (IM) credentials and files from the device; it can also download and execute additional malware, capture files stored on the operating system, and collect certain system information (including, for example, IP addresses, usernames, keyboard layouts and UAC settings).

According to some reconstructions, RedLine first appeared on the Russian dark web during the 2020 lockdown, just as government restrictions around the world were pushing remote working and distance learning. It has therefore been circulating for some time, but in the most recent period it has spread mainly through malicious XLL files distributed via the Google Drive cloud platform.

Two factors increase the danger of RedLine: its distribution, since it can be bought on various cybercrime forums for a price that varies between one hundred and fifty and two hundred dollars depending on the version; and the fact that no computing background is needed, since, as the same AhnLab ASEC report explains, installation is within everyone's reach and a few steps yield a powerful tool built to steal users' login data for web services.

Cybercriminals try to infect users' computers with software such as RedLine Stealer (more commonly known, as seen so far, simply as RedLine) to obtain stolen login data and, in some cases, to compromise the same device further by installing additional malware. The stolen information is then used to access the victim's various accounts (for example, social network profiles, email accounts and bank accounts), to run spam campaigns, and to sell the data on the dark web.

As the AhnLab ASEC researchers found, RedLine parses the contents of the Login Data file used by all Chromium-based browsers. It not only takes the credentials stored in the browser's password manager, but also collects the list of websites for which the user chose not to save any credentials, which is recorded in the same file. Attackers can use this second piece of information to infer that a given user has an account on a given website, which is an incentive to carry out further phishing attacks to get hold of those credentials, using the social engineering techniques discussed in relation to smishing.
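Both kinds of information the researchers describe, the saved logins and the "never save" entries, live in the same SQLite file. The following Python script is an added example (not from the report or this article) that audits a Login Data file from a defender's point of view: it lists what a stealer would learn without touching the encrypted password column, so you can see which accounts a browser profile exposes. It assumes a constructed sample file using only a subset of the real logins table columns.

```python
import os
import sqlite3
import tempfile
from urllib.parse import quote

# Constructed subset of Chromium's "logins" table: real column names, many real columns omitted.
LOGINS_SCHEMA = """CREATE TABLE logins (
    origin_url TEXT NOT NULL, username_value TEXT, password_value BLOB,
    signon_realm TEXT NOT NULL, blacklisted_by_user INTEGER NOT NULL DEFAULT 0)"""

# Constructed rows: three saved logins (password_value is an opaque encrypted blob
# in a real profile) and two "never save for this site" entries.
SAMPLE_ROWS = [
    ("https://mail.example.test/login", "alice", b"v10opaque", "https://mail.example.test/", 0),
    ("https://bank.example.test/signin", "alice77", b"v10opaque", "https://bank.example.test/", 0),
    ("https://vpn.example.test/", "alice", b"v10opaque", "https://vpn.example.test/", 0),
    ("https://social.example.test/", "", b"", "https://social.example.test/", 1),
    ("https://shop.example.test/", "", b"", "https://shop.example.test/", 1),
]

def make_sample_login_data(path):
    """Write a constructed Login Data file so the audit can run offline."""
    conn = sqlite3.connect(path)
    conn.execute(LOGINS_SCHEMA)
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()

def audit_login_data(path):
    """Summarise what a stealer would learn from the file without reading the
    encrypted password_value column: realms with a stored credential (plus the
    username) and realms the user explicitly chose never to save."""
    # Read-only open; on a live profile copy the file first, the browser locks it.
    conn = sqlite3.connect(f"file:{quote(path)}?mode=ro", uri=True)
    saved = conn.execute("SELECT signon_realm, username_value FROM logins "
                         "WHERE blacklisted_by_user = 0 ORDER BY signon_realm").fetchall()
    never = [row[0] for row in conn.execute("SELECT signon_realm FROM logins "
                                            "WHERE blacklisted_by_user = 1 ORDER BY signon_realm")]
    conn.close()
    return {"saved": saved, "never_save": never}

def demo_report():
    """Build the constructed sample file in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "Login Data")
        make_sample_login_data(sample)
        return audit_login_data(sample)

if __name__ == "__main__":
    r = demo_report()
    print("stored credentials (realm, username):", r["saved"])
    print("'never save' sites, accounts still inferable:", r["never_save"])
```

Pointing audit_login_data at a copy of your own profile's Login Data file shows exactly the exposure an infostealer would gain; the VPN entry in the sample mirrors the report's case of a stolen remote-working VPN account.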

Social engineering is the main vector through which RedLine reaches users. Recent campaigns use malicious files delivered via Google Drive: Office documents carrying malicious code and XLL files, the add-in format that lets developers extend the functionality of Microsoft Excel. The victim is tricked into downloading these files through the most varied psychological pressure techniques.

The report illustrates the danger of RedLine with an example: the theft of a VPN account belonging to a remote-working employee, whose credentials were used three months later by the attackers to compromise the entire corporate infrastructure.

To defend against RedLine, some simple and effective measures are advisable, starting with not saving logins in the web browser. Instead, it is recommended to rely on a dedicated external password manager such as KeePass and to enable two-factor authentication on accounts.

RedLine also spreads through external files, distributed by attackers through phishing campaigns sent by e-mail or, as we have seen, via Google Drive. The usual anti-phishing practices therefore apply: do not click on links immediately, but check the complete domain address carefully, and download attachments only after verifying the reliability of the source or sender.
