A new campaign leveraging an exploit kit has been observed abusing an Internet Explorer flaw patched by Microsoft last year to deliver the RedLine Stealer trojan.
“When executed, RedLine Stealer performs recon against the target system (including username, hardware, browsers installed, anti-virus software) and then exfiltrates data (including passwords, saved credit cards, crypto wallets, VPN logins) to a remote command and control server,” Bitdefender said in a new report shared with The Hacker News.
Most of the observed infections are in Brazil and Germany, followed by the U.S., Egypt, Canada and China.
Exploit kits (also called exploit packs) are toolkits that bundle exploits for vulnerabilities in commonly used software such as browsers and their plugins. A visitor who is redirected to the kit's landing page is fingerprinted (browser, version, installed components) so that a matching exploit can be selected, and a successful exploit is used to drop additional malware on the machine.
In this campaign the attackers rely on the RIG Exploit Kit as their primary infection vector: compromised websites redirect visitors to RIG, which exploits the Internet Explorer flaw and uses the resulting code execution to deliver the RedLine Stealer payload.
The flaw in question is CVE-2021-26411 (CVSS score: 8.8), a memory corruption vulnerability impacting Internet Explorer that has been previously weaponized by North Korea-linked threat actors. It was addressed by Microsoft as part of its Patch Tuesday updates for March 2021.
“The RedLine Stealer sample delivered by RIG EK comes packed in multiple encryption layers […] to avoid detection,” the Romanian cybersecurity firm noted, with the unpacking of the malware progressing through as many as six stages.
RedLine Stealer is an information-stealing Trojan sold on underground forums. It can steal passwords and cookies, credit card and bank data, crypto wallets and chat logs.
This is far from the only campaign that involves the distribution of RedLine Stealer. In February 2022, HP detailed a social engineering attack using fake Windows 11 upgrade installers to trick Windows 10 users into downloading and executing the malware.