Researchers at Cyble Research and Intelligence Labs (CRIL) discovered an advanced phishing site that mimics the legitimate Convertio website and uses it to spread the RedLine stealer malware strain. The malware was delivered through this fake file-converter page, a lure that works because many users rely on online converter tools every day.
 
Convertio is an easy-to-use online tool that converts files into a variety of formats, including spreadsheets, documents, archives, images, eBooks, audio, and video.
 

Modus operandi

Users who land on the phishing page are prompted to select an input file. Once a file has been selected for conversion, they can choose a target file extension.
  • Users are redirected to the download page once they select the target file type and click the "Convert" button.
  • The malware is delivered when the user clicks the "download" button on the phishing page, which serves a zip archive.
  • Instead of the file type that was selected, the zip archive contains a shortcut file.
  • Once run, this shortcut file downloads two BAT files named "2.bat" and "3.bat", which add the "exe" and "bat" file extensions and then download an executable file with a PDF payload.
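The delivery stage above hinges on one thing a defender can check mechanically: the archive a "converter" hands back contains a Windows shortcut (or another executable type) instead of the requested document. The following is an added example, not code from Cyble's report or from the campaign; it builds two constructed zip archives in memory and inspects each entry's extension, double extensions, and the fixed ShellLink header that every .lnk file starts with (HeaderSize 0x4C followed by the CLSID 00021401-0000-0000-C000-000000000046). The function name, the sample file names and the sample contents are assumptions made for the demonstration.

```python
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

# File types that should never come out of a document/image converter.
EXECUTABLE_EXTS = {".lnk", ".bat", ".cmd", ".exe", ".scr", ".js", ".vbs", ".ps1", ".hta"}

# First 20 bytes of a Windows Shell Link file (MS-SHLLINK): HeaderSize 0x4C
# and the ShellLink CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")


def inspect_converted_archive(zip_bytes: bytes, expected_ext: str) -> list[str]:
    """Return findings for a zip that a converter claims holds the converted file.

    expected_ext is the extension the user asked for (e.g. ".pdf").
    An empty list means every entry looks like a plausible conversion result.
    """
    findings: list[str] = []
    expected_ext = expected_ext.lower()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            # 1. A shortcut/script/executable where a document was expected.
            if last in EXECUTABLE_EXTS:
                findings.append(f"{info.filename}: executable or shortcut type {last} in a converter download")
            # 2. Any other mismatch against what the user asked for.
            elif last != expected_ext:
                findings.append(f"{info.filename}: extension {last or '(none)'} does not match requested {expected_ext}")
            # 3. "report.pdf.lnk" style masquerading, independent of the last suffix.
            if len(suffixes) > 1:
                findings.append(f"{info.filename}: double extension {''.join(suffixes)} (masquerading)")
            # 4. Content check: catches a shortcut even if it was renamed.
            with zf.open(info) as fh:
                if fh.read(len(LNK_MAGIC)) == LNK_MAGIC:
                    findings.append(f"{info.filename}: content is a Windows shortcut (ShellLink header)")
    return findings


def build_sample_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (hypothetical names and bodies, not artifacts from the campaign).
BENIGN = build_sample_archive({"report.pdf": b"%PDF-1.4\n%constructed sample\n"})
SUSPECT = build_sample_archive({"report.pdf.lnk": LNK_MAGIC + b"\x00" * 60})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_converted_archive(blob, ".pdf") or "clean")
```

The checks are deliberately layered: the extension test covers the case the report describes, the double-extension test covers the common "document.pdf.lnk" disguise, and the header test covers a shortcut that was renamed to look harmless. Running the block prints "clean" for the benign archive and three findings for the suspect one.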
 

Payload details

Based on its behavior, the malware executable was identified as RedLine Stealer.
  • It targets web browsers, crypto wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients.
  • It also gathers information about the infected system, such as its OS, hardware, running processes, anti-virus products, installed programs, and language.
  • Once collected, all the stolen information is sent to the remote server.
 

Conclusion

Web applications with a large user base or audience are frequently targeted by threat actors because impersonating them gives a phishing campaign a wider pool of potential victims. CRIL recommends the use of strong passwords, two-factor authentication, and blocking URLs that spread malware to protect against such phishing attacks.
Cyware Publisher