RIG EK Abuses IE Vulnerability to Spread RedLine Malware

Researchers have disclosed a campaign employing the RIG Exploit Kit (EK) to spread the RedLine stealer malware. RIG EK abuses CVE-2021-26411, a memory corruption flaw in Internet Explorer (IE).

About the malware campaign

Researchers from Bitdefender have spotted the recent campaign and found that RIG EK is abusing CVE-2021-26411 to start an infection process that spreads a copy of the RedLine stealer in packed form.
  • The exploit creates a new command-line process that drops a JavaScript file in a temporary directory.
  • This file is used to download a second, RC4-encrypted payload, which is later executed.
  • To evade antivirus detection, the resulting DLL files are never written to disk; they are loaded in memory only.

About RedLine stealer

Once RedLine is dropped on a compromised machine as an obfuscated .NET executable, it tries to connect to the C2 server (185.215.113.121:15386). RedLine sends a package of system details to the C2, such as the Windows username, serial number, list of installed software and running processes, active language, a screenshot, and the time zone.
  • Unpacking the malware is a six-stage process involving runtime decryption, decompression, key retrieval, and assembly loading.
  • The communication uses an encrypted, non-HTTP channel. The first request performs authorization; the second request receives a list of settings in response, which determines the actions to be performed.
  • Subsequently, RedLine collects data according to those settings, targeting various software such as FTP clients, VPNs, Discord, Telegram, Steam, cryptocurrency wallets/plugins, and web browsers, including Chrome, Opera, and Firefox.
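As an added example (not code from the Bitdefender report or from this page), the following Python check turns the two observable points described above into detection logic: an IE-spawned command shell writing a .js file into a temp directory, and an outbound connection to the C2 address quoted above. It runs over constructed Sysmon-style JSON log lines; the process names iexplore.exe/cmd.exe, the log field names, and the sample lines are assumptions, not details taken from the page.

```python
import json
import re
from pathlib import PureWindowsPath
from typing import Optional

# Assumptions (not stated on the page): the browser process is iexplore.exe,
# the command-line process is cmd.exe/wscript.exe, and the log is Sysmon-style
# JSON (EventID 1 = process creation, EventID 3 = network connection).
C2_ADDR = ("185.215.113.121", 15386)   # C2 address reported on the page
BROWSER = "iexplore.exe"
SHELLS = {"cmd.exe", "wscript.exe", "cscript.exe"}
JS_IN_TEMP = re.compile(r"\\temp\\[^\\\"']+\.js\b", re.IGNORECASE)

def check_event(ev: dict) -> Optional[str]:
    """Return a finding label for one event, or None if it looks benign."""
    if ev.get("EventID") == 1:
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        if parent == BROWSER and image in SHELLS:
            if JS_IN_TEMP.search(ev.get("CommandLine", "")):
                return "ie-spawned-shell-drops-js-in-temp"
            return "ie-spawned-shell"
    if ev.get("EventID") == 3:
        dest = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
        if dest == C2_ADDR:
            return "redline-c2-connection"
    return None

def scan(lines):
    """Return (image, label) pairs for every suspicious event in the log."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        label = check_event(json.loads(line))
        if label:
            findings.append((json.loads(line).get("Image", ""), label))
    return findings

# Constructed sample log lines for illustration only; not real telemetry.
SAMPLE_LOG = r'''
{"EventID":1,"ParentImage":"C:\\Program Files\\Internet Explorer\\iexplore.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c copy payload.txt C:\\Users\\u\\AppData\\Local\\Temp\\stage1.js"}
{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir"}
{"EventID":3,"Image":"C:\\Users\\u\\AppData\\Roaming\\svc.exe","DestinationIp":"185.215.113.121","DestinationPort":15386}
{"EventID":3,"Image":"C:\\Program Files\\Internet Explorer\\iexplore.exe","DestinationIp":"93.184.216.34","DestinationPort":443}
'''

if __name__ == "__main__":
    for image, label in scan(SAMPLE_LOG.splitlines()):
        print(f"{label}: {image}")
```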

Conclusion

It seems the infamous RIG EK is making a comeback by incorporating an IE vulnerability. Thus, ensure that anti-virus and EDR solutions have exploit detection capabilities. Further, make use of the published IOCs, and keep operating systems and third-party applications updated with the latest security fixes.
Cyware Publisher