Wednesday, December 11, 2024
HomeCyber CrimeRedLine Malware Weaponizing Pirated Corporate Softwares To Steal Logins

RedLine Malware Weaponizing Pirated Corporate Softwares To Steal Logins

Published on

SIEM as a Service

Attackers are distributing a malicious .NET-based HPDxLIB activator disguised as a new version, which is signed with a self-signed certificate, and targets entrepreneurs automating business processes and aims to compromise their systems.

They are distributing malicious activators on forums targeting business owners and accountants, deceptively promoting them as legitimate license bypass tools with update functionality while concealing a hidden malicious payload.

HPDxLIB assembly, a component of pirated software, is flagged by security software as potentially containing the RedLine stealer.

- Advertisement - SIEM as a Service

Despite warnings, users are still instructed to disable security measures to run the software, increasing their risk of malware infection.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Pirated Corporate Softwares Weaponized
Pirated Corporate Softwares Weaponized

By distributing a malicious dynamic library disguised as a legitimate one, they deceive users into replacing the file that was originally installed. 

When the patched software is launched, the malicious library is loaded by the legitimate process, leading to the execution of a stealer that exploits user trust rather than software vulnerabilities.

The malicious techsys.dll contains a resource, loader.hpdx.dll (or its compressed version, loader.hz), which is heavily obfuscated and, despite being difficult to analyze statically, contains a large suspicious data block, indicating potential malicious activity.

The byte sequence is an encrypted payload, likely containing the RedLine stealer, which is structured as an `EncryptedContainer`, with fields for a magic byte, XOR key, big-endian and little-endian size indicators, encrypted data, and end bytes, used to initialize a variable within the library’s code.

Sequence of byte

Data is initially XOR-encrypted with a fixed key, then Base85-encoded, and the resulting data is further encrypted using AES-256 in CBC mode, requiring additional key information for complete decryption.

The obfuscated library employs XOR encryption with fixed keys to conceal the AES-256-CBC cryptographic parameters, namely the key and initialization vector (IV), which, when decrypted, are revealed as “Tk[HGC-uBbtW8@F>_dyneANrJ<x$5.K*” and “brTY4wtE_”(9hsC)U&{eF:?q>;VLz/x@”, respectively.

According to Secure List, a library decodes a Base85 string, decrypts it with AES-256-CBC using SHA-512-derived keys and IVs, decompresses the resulting data with Deflate, and finally loads the unpacked RedLine stealer using Assembly.Load(). 

Loader.hpdx.dll and loader.hz

The RedLine malware-as-a-service platform, utilizing a shared command-and-control server (213.21.220[.]222:8080), enables various threat actors to distribute and monetize the stealer, potentially through subscription-based access. 

Cybercriminals are targeting Russian-speaking entrepreneurs with a sophisticated, paid stealer implant, RedLine, to bypass software license checks and gain unauthorized access to sensitive business data. 

The use of pirated software and activators exposes organizations to data theft and cyberattacks, potentially leading to data breaches, extortion attempts, and reputational damage. 

Businesses should prioritize licensed software when it comes to protecting their sensitive information and ensuring the security of their operations.

Investigate Real-World Malicious Links,Malware & Phishing Attacks With ANY.RUN - Try for Free

Latest articles

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center...

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...