
RedLine Malware Exploits Pirated Software to Steal Logins


Hackers targeted users of unlicensed corporate software by distributing malicious activators on accounting forums; disguised as legitimate tools, the activators contained the RedLine stealer.

The campaign, which started in January 2024, employs sophisticated techniques, including .NET Reactor obfuscation and multi-layered encryption, to conceal the malicious payload, and it poses a significant threat to users of unlicensed software.

They are targeting entrepreneurs who use business automation platforms by distributing a malicious HPDxLIB activator. Disguised as a legitimate update, it is developed in .NET and carries a self-signed certificate with the fingerprint 1c964ea8c58e03cb8517917d062d30f9ad134d29.

[Figure: new version of the HPDxLIB activator]

The attackers promote this malware on forums related to business ownership and accounting, emphasizing its ability to bypass license checks. Despite warnings about the possible presence of the RedLine stealer, users are still advised to disable their security software in order to run the malicious activator.

By distributing a malicious techsys.dll library disguised as a legitimate update, they target corporate software: once the victim replaces the original library, the malicious one is loaded by the legitimate 1cv8.exe process.

This library extracts and loads a hidden malicious DLL, which in turn starts the information-stealing process. The attack relies entirely on user trust and does not exploit any software vulnerability.

[Figure: large block of data]

The analyzed library contains a heavily obfuscated, large block of data that, upon decryption, reveals itself to be the RedLine stealer; the encryption scheme is a two-step process.

First, the data is XORed with a key specified in the header; second, the resulting Unicode string is processed further, likely through additional decryption layers or encoding schemes. This layering makes static analysis challenging and hinders immediate detection of the malicious intent.

[Figure: presence of the RedLine stealer in the HPDxLIB assembly]

The Base85-encoded data was found to be further encrypted using AES-256-CBC, with the cryptographic material, the key and the initialization vector (IV), obfuscated by XORing it with predefined constants.

After decryption, the key and IV were revealed as “Tk[HGC-uBbtW8@F>_dyneANrJ<x$5.K*” and “brTY4wtE_”(9hsC)U&{eF:?q>;VLz/x@”, respectively.

RedLine stealer, a Malware-as-a-Service, is delivered through a complex obfuscation process: the Base85-encoded payload is decrypted with AES-256-CBC using a key and IV derived from SHA-512 hashes of keyText and ivText.

The decrypted data, compressed with Deflate, is decompressed and loaded into memory via Assembly.Load(). The stealer then exfiltrates sensitive information such as browser data and system details to a C&C server, 213.21.220[.]222:8080 in this case, which points to widespread distribution and use of RedLine by various threat actors.
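To pull the embedded stealer out of the HPDxLIB assembly for static analysis, an analyst has to reverse the staging chain just described: Base85 decode, AES-256-CBC decrypt with a key and IV derived from SHA-512 hashes of keyText and ivText, then Deflate decompress. The Go program below is an added example, not code from the article or from Securelist; it assumes the standard ascii85 alphabet, PKCS#7 padding and that the first 32 and 16 bytes of each hash serve as key and IV, it leaves out the XOR de-obfuscation of the key/IV text (the constants are not given), and its sample blob is constructed inside the program.

```go
package main
import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha512"
	"encoding/ascii85"
	"errors"
	"io"
)

// Key/IV from SHA-512 of keyText/ivText (article); first 32/16 bytes is an assumption.
func deriveCipher(keyText, ivText string) (cipher.Block, []byte) {
	k, v := sha512.Sum512([]byte(keyText)), sha512.Sum512([]byte(ivText))
	block, _ := aes.NewCipher(k[:32]) // a 32-byte key selects AES-256 and cannot fail
	return block, v[:16]
}

// unpackPayload reverses Base85 -> AES-256-CBC -> Deflate (ascii85 + PKCS#7 assumed).
func unpackPayload(encoded, keyText, ivText string) ([]byte, error) {
	buf := make([]byte, 4*len(encoded)) // 'z' groups expand 1 char to 4 bytes
	n, _, err := ascii85.Decode(buf, []byte(encoded), true)
	if err != nil || n == 0 || n%aes.BlockSize != 0 {
		return nil, errors.New("Base85 layer did not yield whole AES blocks")
	}
	block, iv := deriveCipher(keyText, ivText)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(buf[:n], buf[:n]) // decrypt in place
	pad := int(buf[n-1])
	if pad == 0 || pad > aes.BlockSize {
		return nil, errors.New("bad PKCS#7 padding: wrong keyText/ivText?")
	}
	return io.ReadAll(flate.NewReader(bytes.NewReader(buf[:n-pad])))
}

// buildSample is constructed test scaffolding that layers a payload the same way.
func buildSample(plain []byte, keyText, ivText string) string {
	var z bytes.Buffer
	w, _ := flate.NewWriter(&z, flate.BestCompression)
	w.Write(plain)
	w.Close()
	pad := aes.BlockSize - z.Len()%aes.BlockSize
	padded := append(z.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, iv := deriveCipher(keyText, ivText)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	out := make([]byte, ascii85.MaxEncodedLen(len(ct)))
	return string(out[:ascii85.Encode(out, ct)])
}
```

On a real sample, the Base85 alphabet, the padding mode and the hash-to-key mapping should be confirmed in the decompiled loader before trusting the unpacker's output.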

According to Securelist, cybercriminals are targeting Russian-speaking entrepreneurs with a sophisticated stealer implant disguised as a legitimate software solution. The campaign is aimed at businesses rather than individuals and highlights the risks of pirated software.

By compromising systems through unlicensed software, attackers can steal sensitive data, potentially leading to data breaches and cyber extortion. To mitigate these risks, businesses should prioritize the use of licensed software and implement robust security measures.
