RedLine Malware Takes Lead in Hijacking Over 170M+ Passwords in 6 Months

The cybersecurity landscape has been shaken by the discovery that a single piece of malware, known as RedLine, has stolen over 170 million passwords in the past six months.

This alarming statistic has placed RedLine at the forefront of cyber threats, accounting for nearly half of all stolen credentials analyzed during this period.

Darren James, the Senior Product Manager at Specops, commented on the research outcomes, stating:

“It’s quite remarkable that a single strain of malware has been implicated in the theft of almost 50% of the passwords we’ve examined.

Specopssoft has released a report outlining the most commonly used malware techniques hackers employ to steal user passwords.

Most Popular Credential Thieves Among Hackers:

Top three password-stealing malware:

Redline: The Premier Password Pilferer

Overview and Discovery
Redline, identified in March 2020, has quickly become a highly favored tool among cybercriminals for its proficiency in extracting personal information.

Its primary objective is to siphon off credentials, cryptocurrency wallets, and financial data and subsequently upload this stolen information to the malware’s command-and-control (C2) infrastructure.

Redline often comes bundled with a cryptocurrency miner, targeting gamers with high-performance GPUs for deployment.

According to a recent tweet by ImmuniWeb, Redline malware has been identified as the primary credential stealer over the past six months.

Distribution Techniques

The malware employs diverse distribution methods, with phishing campaigns taking the lead.

Cybercriminals have adeptly utilized global events, such as the COVID-19 pandemic, as bait to entice unsuspecting individuals into downloading Redline.

From mid-2021, an innovative approach involving YouTube has been observed:

• Initially, a Google/YouTube account is compromised by the threat actor.
• The attacker creates various channels or uses existing ones to post videos.
• These videos, often promoting gaming cheats and cracks, include malicious links in their descriptions, cleverly tied to the video’s theme.
• Unsuspecting users clicking these links inadvertently download Redline, leading to the theft of their passwords and other sensitive information.

Vidar: The Evolving Threat

Genesis and Operation
Vidar, a sophisticated evolution of the Arkei Stealer, scrutinizes the language settings of infected machines to selectively target or exclude specific countries.

It initializes necessary strings and generates a Mutex for its operation.

Vidar is available in two versions: the original, Vidar Pro, and a cracked version known as Anti-Vidar, distributed through underground forums.

Distribution Channels

In early 2022, Vidar was detected in phishing campaigns disguised as Microsoft Compiled HTML Help (CHM) files.

It has also been distributed via various malware services and loaders, including PrivateLoader, the Fallout Exploit Kit, and the Colibri loader.

By late 2023, the GHOSTPULSE malware loader was observed as a new distribution method for Vidar.

Raccoon Stealer: Malware-as-a-Service

Introduction and Sales Model

Raccoon Stealer, first seen on the cybercriminal market in April 2019, operates on a malware-as-a-service model.

This allows cybercriminals to rent the stealer every month.

It debuted on the prominent Russian-language forum Exploit, boasting the slogan “We steal, You deal!”

Market Presence

The malware has been primarily marketed on Russian-language underground forums, including Exploit and WWH-Club.

In October 2019, it expanded its reach to the English-speaking segment of the cybercriminal underworld via Hack Forums.

The promoters of Raccoon Stealer occasionally offer “test weeks,” suggesting that potential customers can try the product before making a purchase.

The research underscores the risks associated with password reuse, a familiar yet dangerous practice.

Even with robust password policies, reused passwords can be compromised on insecure sites and devices, posing a significant threat to organizational security.

Studies by Bitwarden and LastPass have highlighted the prevalence of password reuse despite widespread awareness of its risks.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.