Security researchers are warning of an ongoing campaign that uses phishing emails to spread stealer malware capable of harvesting passwords and emptying crypto wallets.
The campaign picked up in volume in early April 2022. The security team monitoring the alerts tied to it warns that the threat actor behind the mass-volume phishing emails is using them to deliver the RedLine stealer malware.
What is the RedLine stealer malware?
RedLine is a malicious tool sold by its authors under the increasingly popular malware-as-a-service model, in which the authors lease their tooling to any budding hacker for a fee. In RedLine's case, that fee is pretty modest: for the sum of $150, any hopeful young cybercriminal can make use of the malware's capabilities. The tool is also offered for a one-time lifetime subscription payment of $800.
The current phishing campaign uses simple lures, with the malicious payload delivered as an attachment to the email. Once the attachment is downloaded and executed, the malware installs itself and gets to work.
A heatmap of the territories hit hardest in the campaign shows that the main targets of the hackers have been Germany, Brazil and the US, with China and Egypt trailing close behind.
What can RedLine do?
The RedLine stealer malware abuses a vulnerability tracked as CVE-2021-26411, a relatively old memory corruption vulnerability in Internet Explorer that was fixed back in 2021. Thankfully, this narrows down the list of possible victims considerably.
RedLine stealer, once deployed, can scrape passwords, cookies and payment details stored in browsers. The malware can also exfiltrate chat logs, VPN login credentials and crypto wallet strings.
The fact that malware is still successfully targeting systems running software that lacks essential patches issued months ago shows that the overall maintenance and patching habits of both home users and organizations are still not up to par.
Even regular home users should keep the auto-update option turned on in all their software, and manually check for updates every couple of weeks for software that doesn't have that functionality.