Malware-as-a-Service: Redline Stealer Variants Demonstrate a Low-Barrier-to-Entry Threat

Analyst Blog Post

Multiple New Campaigns in 2023 Demonstrate The Malware Family Has Been Redeveloped to Remain a Popular And Prominent Threat

EclecticIQ analysts observe the malware family targeting financial information for immediate monetization, as well as performing reconnaissance functions: initial information gathering on the victim host and establishing persistence. RedLine stealer is almost always accompanied by other malware, either preceded by a loader that installs it or followed by additional payloads.

In its last major iteration in 2022, RedLine stealer variants were almost always configured to rely on exploit kits for infection. Infection traffic dropped off for a period in 2022 while the developers retooled, but in 2023 the malware re-emerged as a prominent threat and now relies on other malware to act as its loader. [1] Most recently, Trend Micro identified a campaign that used trojanized large-language-model software to trick users into installing RedLine. [2]

Campaign variants began appearing in VirusTotal in the last week of April. [3] The samples very likely underwent initial testing in late April; this is supported by evidence from the command and control infrastructure, discussed below. A small initial cluster of RedLine samples peaks around mid-July and tapers off significantly by the beginning of August. Submissions then resume at higher volume in the second week of August.
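The timeline above is the kind of conclusion an analyst draws by bucketing sample first-seen timestamps into weeks and looking for peaks and lulls. The following is an added example, not code from EclecticIQ or the post; the sample dates in it are constructed to mirror the described shape (small late-April cluster, mid-July peak, early-August lull, larger wave from the second week of August) and are not real VirusTotal data.

```python
"""Added example, not code from the EclecticIQ post: bucket malware sample
first-seen timestamps into ISO weeks and locate the peaks and lulls that a
timeline narrative describes. All dates below are constructed, not real data."""
from collections import Counter
from datetime import date, timedelta

# Constructed first-submission dates (NOT real VirusTotal data). They are
# shaped to mirror the post's description: a small late-April/May cluster,
# a mid-July peak, a trough around the start of August, and a larger wave
# from the second week of August.
SAMPLE_FIRST_SEEN = (
    [date(2023, 4, 25) + timedelta(days=3 * i) for i in range(8)]     # 25 Apr - 16 May
    + [date(2023, 7, 10) + timedelta(days=i) for i in range(12)]      # 10 - 21 Jul
    + [date(2023, 8, 2)]                                              # lone sample in the lull
    + [date(2023, 8, 8) + timedelta(days=i // 3) for i in range(45)]  # 8 - 22 Aug, 3 per day
)


def iso_week_start(d: date) -> date:
    """Monday that begins the ISO week containing d."""
    return d - timedelta(days=d.weekday())


def weekly_counts(dates) -> dict:
    """Samples per week, keyed by week-start Monday, with empty weeks filled in
    so that gaps between clusters are visible rather than silently skipped."""
    raw = Counter(iso_week_start(d) for d in dates)
    week, last = min(raw), max(raw)
    series = {}
    while week <= last:
        series[week] = raw.get(week, 0)
        week += timedelta(days=7)
    return series


def peak_weeks(series: dict) -> list:
    """Weeks that are local maxima: at least as busy as the week before and
    strictly busier than the week after. Missing neighbours count as zero."""
    weeks = list(series)
    peaks = []
    for i, w in enumerate(weeks):
        prev_n = series[weeks[i - 1]] if i > 0 else 0
        next_n = series[weeks[i + 1]] if i + 1 < len(weeks) else 0
        n = series[w]
        if n > 0 and n >= prev_n and n > next_n:
            peaks.append(w)
    return peaks


def quietest_week_between(series: dict, start: date, end: date) -> tuple:
    """(week, count) with the fewest samples strictly between two peak weeks,
    i.e. the lull separating two waves of activity. Ties go to the earlier week."""
    between = [(w, n) for w, n in series.items() if start < w < end]
    return min(between, key=lambda wn: (wn[1], wn[0]))


if __name__ == "__main__":
    series = weekly_counts(SAMPLE_FIRST_SEEN)
    for week, n in series.items():
        print(f"{week.isoformat()}  {'#' * n}")
    peaks = peak_weeks(series)
    print("peak weeks:", [p.isoformat() for p in peaks])
    lull = quietest_week_between(series, peaks[1], peaks[2])
    print("lull between second and third peak:", lull[0].isoformat(), lull[1])
```

On real data the input would be the first-submission timestamps pulled from a sample feed; filling in empty weeks matters because a Counter alone hides the gap between the May cluster and the July peak, which is exactly the pause that suggests a testing phase before the campaign proper.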
