New Qualys Research Report: Inside a Redline InfoStealer Campaign

Akshat Pradhan

The Qualys Threat Research Team continues its efforts to identify and document previously unseen adversary activity to better understand their tactics, techniques, and procedures (TTPs) and defend against them.  

Recently we identified a new Redline InfoStealer campaign that spreads via fake cracked software hosted on Discord’s content delivery network. The campaign was actively observed from the end of January to March 2022 and utilized commercial malware families. Redline has become one of the most widely used infostealers due to its wide range of capabilities and the thriving underground Malware-as-a-Service market.  

In this free report, we dissect the entire campaign in-depth. What’s more, we give readers a peek into the shadowy but structured MaaS market. Adversaries have continued their usage of legitimate services to host their payloads and defenders need to account for it.  

The use of commercial malware makes attribution to any specific threat actor particularly difficult due to overlap in indicators of compromise (IOCs) and TTPs. However, it was clear that the main objective of this campaign was to acquire Redline logs for monetary gain.  

This complementary paper includes tons of screenshots that examine the complexity and replicability of the overall flow, so readers know exactly how the attackers do it. 

Download your copy of the report now to learn about our key research findings: 

  • Zip archives with fake cracked software that ultimately deployed Redline 
  • URL shorteners and fake sites that redirected victims to zip archives hosted on Discord’s content delivery network 
  • Archive contained simple loaders for PureCrypter with a hijacked certificate from Exodus Movement Inc. 
  • PureCrypter injection module was used to deploy Redline InfoStealer 

Get your copy of this new Qualys Threat Research Report now. No registration required. 

Share your Comments

Comments

Your email address will not be published. Required fields are marked *