Researchers have disclosed a campaign employing RIG Exploit Kit (EK) to spread RedLine stealer malware. RIG EK abuses CVE-2021-26411, an Internet Explorer (IE) memory corruption flaw.
About the malware campaign
Researchers from Bitdefender have spotted the recent campaign and found that RIG EK is abusing CVE-2021-26411 to start an infection process that spreads a copy of the RedLine stealer in packed form.
The exploit spawns a new command-line process that drops a JavaScript file in a temporary directory.
This script then downloads a second, RC4-encrypted payload, which is later executed.
To evade antivirus detection, the resulting DLLs are loaded in memory only and are never written to disk.
About RedLine stealer
Once RedLine is dropped on a compromised machine as an obfuscated .NET executable, it tries to connect to the C2 server (185.215.113.121:15386). RedLine sends a package of system details to the C2, such as the Windows username, serial number, list of installed software and running processes, active language, a screenshot, and time zone.
The unpacking of the malware is a six-stage process, including runtime decryptions, decompressions, key retrievals, and assembly.
The communication uses an encrypted, non-HTTP channel. The first request performs authorization; the response to the second request is a list of settings that determines which actions are to be performed.
Subsequently, RedLine collects data according to those settings, targeting various software such as FTP clients, VPNs, Discord, Telegram, Steam, cryptocurrency wallets/plugins, and web browsers, including Chrome, Opera, and Firefox.
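The infection chain (IE spawning a command-line process, a JavaScript file run from a temporary directory) and the C2 beacon described above can be expressed as host-based detection logic. The following is an added example, not code from the Bitdefender research, run over constructed Sysmon-style events; the C2 address is the one reported above, while the user names, file paths and other addresses are made up.

```python
import re

# C2 endpoint reported in the article; everything else below is constructed.
REDLINE_C2 = ("185.215.113.121", 15386)
BROWSER_IMAGES = ("iexplore.exe",)
SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe")
# A .js file located under a ...\Temp\ directory on the command line.
TEMP_JS = re.compile(r"\\Temp\\[^\s\"]+\.js\b", re.IGNORECASE)

# Constructed sample telemetry (simplified process-creation and network events).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c wscript C:\Users\alice\AppData\Local\Temp\upd.js"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript C:\Users\alice\AppData\Local\Temp\upd.js"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "dst_ip": "185.215.113.121", "dst_port": 15386},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def check_event(ev):
    """Return the list of alert names raised by one event (empty if benign)."""
    alerts = []
    if ev["type"] == "process":
        parent, image = _basename(ev["parent"]), _basename(ev["image"])
        # IE itself has no business launching a shell or script host.
        if parent in BROWSER_IMAGES and image in SCRIPT_HOSTS:
            alerts.append("ie_spawns_script_host")
        # A script host executing a .js dropped in a temp directory.
        if image in SCRIPT_HOSTS and TEMP_JS.search(ev["cmdline"]):
            alerts.append("script_host_runs_js_from_temp")
    elif ev["type"] == "network":
        # Exact match on the published C2 indicator.
        if (ev["dst_ip"], ev["dst_port"]) == REDLINE_C2:
            alerts.append("redline_c2_connection")
    return alerts

def scan(events):
    """Run every event through check_event and return (index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]
```

Each alert on its own is a hint; the sequence of an IE child shell, a temp-directory script and a connection to the known C2 on one host is what warrants an investigation.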
Conclusion
It appears the infamous RIG EK is making a comeback by incorporating an IE vulnerability. Ensure that anti-virus and EDR solutions have exploit detection capabilities, make use of the published IOCs, and keep operating systems and third-party applications updated with the latest security fixes.