Experts warn of a new variant of the RedLine malware that is distributed via emails using a fake COVID-19 Omicron stat counter app as a lure.
Fortinet researchers have spotted a new version of the RedLine info-stealer that is spreading via emails using a fake COVID-19 Omicron stat counter app as a lure.
The RedLine malware allows operators to steal a wide range of information, including credentials, credit card data, cookies, autocomplete data stored in browsers, cryptocurrency wallets, and credentials stored in VPN clients and FTP clients. The malicious code can also act as first-stage malware.
Stolen data is packaged into an archive (a “log”) before being uploaded to a server under the control of the attackers.
The new variant discovered by Fortinet uses the file name “Omicron Stats.exe”; the threat actors are attempting to exploit the enormous global interest in the COVID-19 Omicron variant.
According to FortiGuard Labs, potential victims of this RedLine Stealer variant are located in at least 12 countries, which suggests the attackers did not target specific organizations or individuals.
Like other COVID-19 themed malspam campaigns, the infection chain starts when the victim opens a weaponized document attached to the email.
When Omicron Stats.exe is executed, it unpacks embedded resources encrypted with Triple DES in ECB mode with PKCS7 padding. The unpacked resources are then injected into vbc.exe, and a scheduled task is created to establish persistence.
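The persistence step described above leaves a trace defenders can look for: Windows records every newly registered scheduled task in Security event 4698, including the task's XML definition. The following script is an added example (not code from the Fortinet report or from the malware) that parses such task definitions and flags two things: an action that launches vbc.exe, the .NET compiler the report names as the injection host, and an action whose binary sits in a user-writable directory. The sample events, task names and the user-writable path fragments are constructed assumptions for illustration.

```python
"""Flag scheduled tasks whose action launches a known injection host or a binary
in a user-writable directory. Input is the task definition XML that Windows
records in Security event 4698 (TaskContent); the samples below are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Namespace used by Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# vbc.exe (the .NET Visual Basic compiler) is the process the RedLine variant
# injects its unpacked payload into; a scheduled task that launches it directly
# is unusual. Only that name comes from the report; the set can be extended.
INJECTION_HOSTS = {"vbc.exe"}
# Path fragments that indicate a user-writable location (heuristic, assumed).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    task_name: str
    command: str
    reasons: tuple


def exec_actions(task_xml: str):
    """Return (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    return actions


def assess_task(task_name: str, task_xml: str):
    """Apply both heuristics to one task; returns a list of Findings (empty if clean)."""
    findings = []
    for cmd, _args in exec_actions(task_xml):
        reasons = []
        if PureWindowsPath(cmd).name.lower() in INJECTION_HOSTS:
            reasons.append("action launches known injection host")
        lowered = cmd.lower()
        if any(frag in lowered for frag in USER_WRITABLE):
            reasons.append("action binary is in a user-writable directory")
        if reasons:
            findings.append(Finding(task_name, cmd, tuple(reasons)))
    return findings


def scan(events):
    """events: iterable of (task_name, task_content_xml) pairs taken from 4698 events."""
    out = []
    for name, xml_text in events:
        out.extend(assess_task(name, xml_text))
    return out


def task_xml(command: str, arguments: str = "") -> str:
    """Build a minimal task definition, as it appears in the TaskContent field."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Actions><Exec>"
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample: one benign built-in task and two that match the heuristics.
SAMPLE_EVENTS = [
    (r"\Microsoft\Windows\Customer Experience Improvement Program\Consolidator",
     task_xml(r"%SystemRoot%\System32\wsqmcons.exe")),
    (r"\OmicronStats",
     task_xml(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe")),
    (r"\Updater",
     task_xml(r"C:\Users\alice\AppData\Roaming\Omicron Stats.exe")),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.task_name}: {f.command} -> {', '.join(f.reasons)}")
```

In practice the task XML would be pulled from the TaskContent field of 4698 events exported from the Security log (or from the task files under the Tasks directory on a forensic image); the two heuristics are deliberately narrow so that legitimate tasks launching signed binaries from system directories produce no findings.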
The new variant implements several new features; it is able to steal more information from the victim’s machine through Windows Management Instrumentation (WMI), such as: