Bit Defender report says Redline malware has been deployed by the threat actors that launched thousands of attacks against systems in more than 150 countries and territories this month.
Bitdefender noticed a campaign using CVE-2021-26411 exploits found in Internet Explorer to deliver the RedLine Stealer that allows attackers to gain access to system information like usernames, hardware, browsers installed, and anti-virus software before then exfiltrating passwords, credit cards, crypto wallets and VPN logins to a remote command and control server.
With the RedLine Stealer, hackers can extract login credentials from web browsers, FTP clients, email apps, instant messaging clients, and VPNs before selling them on underground markets.
A heat map showing the global distribution of the malware. Organizations in Brazil, the United States, Germany, Egypt, China, and Canada all have seen hundreds of attacks involving RedLine.
Insikt Group discovered in October that most stolen credentials currently sold on two dark web underground markets were collected using the RedLine Stealer malware.
The malware has been sold on several underground hacking forums since March 2020 and was initially developed by a programmer named REDGlade. Threat actors and groups were particularly drawn to the malware because pirated versions of it were released on hacking forums.
Last year, a North Korean cyber-espionage group used the Internet Explorer vulnerability to breach one of the most popular North Korean-themed news sites on the internet in order to carry out a watering hole attack and infect some of the site’s visitors with malware.
Security firm Volexity said in a report that the threat actor used public proof-of-concept code posted online. The report provides a detailed review of how the actors behind the campaign used CVE-2021-26411, a newer exploit in the Internet Explorer and legacy Edge browsers.