Friday, May 24, 2024

RedLine Malware Takes Lead in Hijacking Over 170M+ Passwords in 6 Months

The cybersecurity landscape has been shaken by the discovery that a single piece of malware, known as RedLine, has stolen over 170 million passwords in the past six months.

This alarming statistic has placed RedLine at the forefront of cyber threats, accounting for nearly half of all stolen credentials analyzed during this period.

Darren James, the Senior Product Manager at Specops, commented on the research outcomes, stating:

“It’s quite remarkable that a single strain of malware has been implicated in the theft of almost 50% of the passwords we’ve examined.


Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

Our analysis reveals that Redline malware has emerged as the preferred tool among hackers for password theft, amassing an astonishing 170 million compromised credentials within six months.”

Specopssoft has released a report outlining the most commonly used malware techniques hackers employ to steal user passwords.

most popular credential thieves
most popular credential thieves

Top three password-stealing malware:

Redline: The Premier Password Pilferer

Overview and Discovery
Redline, identified in March 2020, has quickly become a highly favored tool among cybercriminals for its proficiency in extracting personal information.

Its primary objective is to siphon off credentials, cryptocurrency wallets, and financial data and subsequently upload this stolen information to the malware’s command-and-control (C2) infrastructure.

Redline often comes bundled with a cryptocurrency miner, targeting gamers with high-performance GPUs for deployment.

According to a recent tweet by ImmuniWeb, Redline malware has been identified as the primary credential stealer over the past six months.

Distribution Techniques

The malware employs diverse distribution methods, with phishing campaigns taking the lead.

Cybercriminals have adeptly utilized global events, such as the COVID-19 pandemic, as bait to entice unsuspecting individuals into downloading Redline.

From mid-2021, an innovative approach involving YouTube has been observed:

  • Initially, a Google/YouTube account is compromised by the threat actor.
  • The attacker creates various channels or uses existing ones to post videos.
  • These videos, often promoting gaming cheats and cracks, include malicious links in their descriptions, cleverly tied to the video’s theme.
  • Unsuspecting users clicking these links inadvertently download Redline, leading to the theft of their passwords and other sensitive information.

Vidar: The Evolving Threat

Genesis and Operation
Vidar, a sophisticated evolution of the Arkei Stealer, scrutinizes the language settings of infected machines to selectively target or exclude specific countries.

It initializes necessary strings and generates a Mutex for its operation.

Vidar is available in two versions: the original, Vidar Pro, and a cracked version known as Anti-Vidar, distributed through underground forums.

Distribution Channels

In early 2022, Vidar was detected in phishing campaigns disguised as Microsoft Compiled HTML Help (CHM) files.

It has also been distributed via various malware services and loaders, including PrivateLoader, the Fallout Exploit Kit, and the Colibri loader.

By late 2023, the GHOSTPULSE malware loader was observed as a new distribution method for Vidar.

Raccoon Stealer: Malware-as-a-Service

Introduction and Sales Model

Raccoon Stealer, first seen on the cybercriminal market in April 2019, operates on a malware-as-a-service model.

This allows cybercriminals to rent the stealer every month.

It debuted on the prominent Russian-language forum Exploit, boasting the slogan “We steal, You deal!”

Market Presence

The malware has been primarily marketed on Russian-language underground forums, including Exploit and WWH-Club.

In October 2019, it expanded its reach to the English-speaking segment of the cybercriminal underworld via Hack Forums.

The promoters of Raccoon Stealer occasionally offer “test weeks,” suggesting that potential customers can try the product before making a purchase.

The research underscores the risks associated with password reuse, a familiar yet dangerous practice.

Even with robust password policies, reused passwords can be compromised on insecure sites and devices, posing a significant threat to organizational security.

Studies by Bitwarden and LastPass have highlighted the prevalence of password reuse despite widespread awareness of its risks.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles