The vast majority of stolen credentials currently sold on two dark web underground markets have been collected using the RedLine Stealer malware. It is part of the infostealer family: malware that, once it infects a computer, exists primarily to collect as much user data as possible and send it to the attackers, who typically put it up for sale online.

RedLine Stealer's data collection capabilities include extracting login credentials from web browsers, FTP clients, email apps, instant messaging clients, and VPNs.

RedLine can also extract authentication cookies and card numbers stored inside browsers, chat logs, local files, and cryptocurrency wallet databases.

Initially developed by a programmer named REDGlade, the malware has been sold on several underground hacking forums since March 2020. After the stealer received positive reviews in a hacking forum thread, pirated versions of the RedLine Stealer were also released on hacking forums a few months later, in August this year, allowing it to spread to even more threat actors who didn’t have to pay for it.

RedLine had undeniably found a loyal customer base. The vast majority of stolen credentials that are being offered for sale on two underground markets originate from systems that were infected with the RedLine Stealer.

Both Amigos Market and Russian Market regularly posted identical listings that contained the same timestamps, infostealer variants used, geographic locations of the affected machines, and ISPs.

This fragmentation opens the door to crippling the supply of several underground markets by going after the makers and sellers of these infostealers.