Redline Stealer Targeting Accounts Saved to Web Browser with Automatic Login Feature Included

While investigating a recent breach case of the internal network of a certain company, AhnLab ASEC analysis team has confirmed that the VPN account used to access the company network was leaked from the PC of a certain employee who was working from home.

The company where the damage occurred provided VPN service to employees who were working from home to give access to the company’s internal network, and the employees connected to the VPN on the provided laptops or their PCs. The targeted employee used the password management feature provided by the web browser to save and use the account and password for the VPN site on the web browser. While doing so, the PC was infected with malware targeting account credentials, leaking accounts and passwords of various sites, which also included the VPN account of the company.

The leaked VPN account was used to hack the company’s internal network three months later. 

Password Management Feature of Web Browsers 

For user convenience, web browsers store the account and password entered into the login form when the user visits a website and provide the feature to enter them automatically upon revisiting. The password management feature is enabled by default on Chromium-based web browsers (Edge, Chrome).

Figure. Chrome pop-up suggesting to save password

The information entered when logging in is saved to the Login Data file via the password management feature.

Web BrowserFile Path
ChromeC:\Users\<User name>\AppData\Local\Google\Chrome\User Data\Default\Login Data
EdgeC:\Users\<User name>\AppData\Local\MicrosoftEdge\User\Default\Login Data
OperaC:\Users\<User name>\AppData\Roaming\Opera Software\Opera Stable\Login Data
WhaleC:\Users\<User name>\AppData\Local\Naver\Naver Whale\User Data\Default\Login Data
Table. Login Data path of Chromium-based web browsers

Login Data is an SQLite database file, and the account and password information are saved to the logins table. In addition to accounts and passwords, the time saved, URL of the login site, and the number of times of access is saved to the logins table.

If the user refuses to save account and password information of a site, in order to remember this, the blacklisted_by_user field will be set as 1, the username_value and password_value fields will not have accounts or passwords, and only the origin_url information is saved to the logins table.

Figure. logins table of Login Data

Figure. Example of data saved to logins table

Leaking Account Credentials

It was discovered that the targeted employee’s PC was used by the whole family at home and was not safely managed. It was already infected with various malware since long ago, and although an anti-malware program of another company had been installed, it had failed to properly detect and repair.

Among the infected malware was Redline Stealer-type malware. Redline Stealer is an infostealer that collects account credentials saved to web browsers, which first appeared on the Russian dark web in March 2020. A user under the name of REDGlade uploaded a promotional post explaining the various features included in Redline Stealer and selling the hacking tool for $150-$200.

Figure.  Redline Stealer Telegram page

As Redline Stealer was sold to unspecified individuals indiscriminately on the dark web, it is hard to relate the developer of the malware to the attacker directly. Apart from the malware, credentials that were leaked using Redline Stealer were also being sold on the dark web.

Redline Stealer first appeared in March 2020, and phishing emails abusing the issue of COVID-19 were used. It is known that the malware was then distributed in various methods such as phishing emails, abusing of Google advertisements, and disguising as a photo editing program.

In this case, Redline Stealer was distributed online disguised as a crack program of Soundshifter, a pitch-shifting program from Waves. The user entered the name of the software with crack, free, etc. to search the file, downloaded it, and ran the downloaded file, which led to the infection by the malicious file.

Figure. Search history for “waves soundshifter crack” on Google

The main features of Redline Stealer are as follows:

Main FeaturesDescription
Collecting Information– Collecting and stealing information saved to browsers
– Login account and password
– Cookies
– Autofill
– Credit card information
– Browsers targeted for attack
– All Chromium-based browsers
– All Gecko-based browsers
– Cryptocurrency wallet information
– Seed file saved to the system
Collecting System Info– Collecting default system info such as the IP address of system and OS info
– Collecting hardware information such as the processor of the system, memory size, and GPU
– Collecting information of browsers and software installed in the system
– Collecting processes and anti-malware programs installed
C&C– Controlling target system via SOAP protocol communication
– Uploading and downloading files
– Accessing arbitrary URL and running files
Table. Main features of Redline Stealer

Although the account credentials storing feature of browsers is very convenient, as there is a risk of leakage of account credentials upon malware infection, users are recommended to refrain from using it and only use programs from clear sources. 

[IOC Info]

Traces of what is judged to be Redline Stealer were discovered in the breached system, and the Hash of the malware could not be obtained as the malicious files have been deleted. 

  • cio.exe.com
  • orrore.exe.com
  • certe.exe.com
  • 18.188.253.6

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

[Relevant Blog Post]

Various Types of Threats Disguised as Software Download Being Distributed

The post Redline Stealer Targeting Accounts Saved to Web Browser with Automatic Login Feature Included appeared first on ASEC BLOG.

Article Link: Redline Stealer Targeting Accounts Saved to Web Browser with Automatic Login Feature Included - ASEC BLOG