New RedLine malware version distributed as fake Omicron stat counter

Experts warn of a new variant of the RedLine malware that is distributed via emails as fake COVID-19 Omicron stat counter app as a lure.

Fortinet researchers have spotted a new version of the RedLine info-stealer that is spreading via emails using a fake COVID-19 Omicron stat counter app as a lure.

The RedLine malware allows operators to steal several information, including credentials, credit card data, cookies, autocomplete information stored in browsers, cryptocurrency wallets, credentials stored in VPN clients and FTP clients. The malicious code can also act as a first-stage malware.

Stolen data are stored in an archive (logs) before being uploaded to a server under the control of the attackers.

The new variant discovered by Fortinet has the file name “Omicron Stats.exe,” threat actors are attempting to exploit the enormous interest on a global scale on the COVID-19 Omicron variant.

According to FortiGuard Labs, potential victims of this RedLine Stealer variant are located in at least 12 countries, a circumstance that suggests attackers did not target specific organizations or individuals.

Like other COVID-19 themed malspam campaigns, the infection chain starts by opening a weaponized document used as an attachment.

Upon executing the Omicron Stats.exe, it unpacks resources encrypted with triple DES using ciphermode ECB and padding mode PKCS7. Then the unpacked resources are injected into vbc.exe and a scheduled task is created to establish persistence.

The new variant implements several new features, it is able to steal more information from the victim’s Windows Management Instrumentation (WMI) such as:

• Graphics card name
• BIOS manufacturer, identification code, serial number, release date and version
• Disk drive manufacturer, model, total heads and signature
• Processor (CPU) information like unique ID, processor ID, manufacturer, name, max clock speed and motherboard information

The new RedLine variant searches for the following strings to locate relevant folders for data exfiltration:

• wallet.dat (information related to cryptocurrency)
• wallet (information related to cryptocurrency)
• Login Data
• Web Data
• Cookies
• Opera GX Stable
• Opera GX

The malware also looks for Telegram folders to locate images and conversation histories to steal, it also focuses on Tokens.txt which is used for Discord access.

This variant uses 207[.]32.217.89 as its C2 server through port 14588.

“This IP is owned by 1gservers. Over the course of the few weeks after this variant was released, we noticed one IP address in particular communicating with this C2 server.” states the report published by Fortinet. “Some telemetry data is shown below.

IP Address	Start Time	End Time
149.154.167.91	2021-11-26 04:34:54	2021-11-26 10:05:15
149.154.167.91	2021-12-05 12:06:03	2021-12-05 13:19:35
149.154.167.91	2021-12-09 16:18:46	2021-12-09 20:00:13
149.154.167.91	2021-12-22 18:38:18	2021-12-23 11:33:58

This 149[.]154.167.91 IP address is located in Great Britain and is part of the Telegram Messenger Network. It seems that the C2 server may be controlled by the Redline operators through an abused Telegram messaging service. This conclusion is not a huge leap as the malware author(s) offer both dedicated purchasing and support lines through their respective Telegram groups.”

Experts speculate RedLine Stealer will continue to take advantage of the ongoing COVID pandemic and the stolen information will continue to fuel underground cybercrime marketplaces. 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RedLine malware)

[adrotate banner=”5″]

[adrotate banner=”13″]