RedLine Stealer Returns in a New Campaign

More deets about the campaign

• According to the Qualys Threat Research Team, the campaign distributing the RedLine InfoStealer was active from January to March.
• The campaign made use of cracked software enclosed within Zip archives.
• These fake software imitated legitimate cryptocurrency or NFT wallet applications such as Gigaland NFT marketplace and Dinox (NFT-themed collectible game) to lure users.
• Users were redirected to these cracked software archives via URL shorteners and fake sites hosted on Discord’s CDN. 
• Once the victim clicked on these fake archives, PureCrypter downloader was deployed and later executed RedLiner Stealer. 

About PureCrypter

• PureCrypter is a fully-featured loader being sold since March 2021.
• It is being sold by a threat actor that goes by the name ‘PureCoder’ in the underground forum at a price of $59.
• Written in .NET language and obfuscated with SmartAssembly, the loader is capable of delivering a variety of remote access trojans and information-stealers.

Recent RedLine Stealer observed

• In May, researchers discovered a campaign using a series of YouTube videos to distribute RedLine Stealer.
• These videos took advantage of the global interest in NFTs and lured victims to buy Binance NFT Mystery Boxes when available. 
• In another incident, the operators of the info-stealer were observed making use of the RIG Exploit Kit to spread the malware.

Conclusion