RedLine Malware Weaponizing Pirated Corporate Softwares To Steal Logins

Attackers are distributing a malicious .NET-based HPDxLIB activator disguised as a new version, which is signed with a self-signed certificate, and targets entrepreneurs automating business processes and aims to compromise their systems.

They are distributing malicious activators on forums targeting business owners and accountants, deceptively promoting them as legitimate license bypass tools with update functionality while concealing a hidden malicious payload.

HPDxLIB assembly, a component of pirated software, is flagged by security software as potentially containing the RedLine stealer.

Despite warnings, users are still instructed to disable security measures to run the software, increasing their risk of malware infection.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

By distributing a malicious dynamic library disguised as a legitimate one, they deceive users into replacing the file that was originally installed. 

When the patched software is launched, the malicious library is loaded by the legitimate process, leading to the execution of a stealer that exploits user trust rather than software vulnerabilities.

The malicious techsys.dll contains a resource, loader.hpdx.dll (or its compressed version, loader.hz), which is heavily obfuscated and, despite being difficult to analyze statically, contains a large suspicious data block, indicating potential malicious activity.

The byte sequence is an encrypted payload, likely containing the RedLine stealer, which is structured as an `EncryptedContainer`, with fields for a magic byte, XOR key, big-endian and little-endian size indicators, encrypted data, and end bytes, used to initialize a variable within the library’s code.

Data is initially XOR-encrypted with a fixed key, then Base85-encoded, and the resulting data is further encrypted using AES-256 in CBC mode, requiring additional key information for complete decryption.

The obfuscated library employs XOR encryption with fixed keys to conceal the AES-256-CBC cryptographic parameters, namely the key and initialization vector (IV), which, when decrypted, are revealed as “Tk[HGC-uBbtW8@F>_dyneANrJ<x$5.K*” and “brTY4wtE_”(9hsC)U&{eF:?q>;VLz/x@”, respectively.

According to Secure List, a library decodes a Base85 string, decrypts it with AES-256-CBC using SHA-512-derived keys and IVs, decompresses the resulting data with Deflate, and finally loads the unpacked RedLine stealer using Assembly.Load(). 

The RedLine malware-as-a-service platform, utilizing a shared command-and-control server (213.21.220[.]222:8080), enables various threat actors to distribute and monetize the stealer, potentially through subscription-based access. 

Cybercriminals are targeting Russian-speaking entrepreneurs with a sophisticated, paid stealer implant, RedLine, to bypass software license checks and gain unauthorized access to sensitive business data. 

The use of pirated software and activators exposes organizations to data theft and cyberattacks, potentially leading to data breaches, extortion attempts, and reputational damage. 

Businesses should prioritize licensed software when it comes to protecting their sensitive information and ensuring the security of their operations.

Investigate Real-World Malicious Links,Malware & Phishing Attacks With ANY.RUN - Try for Free