Malicious AI tool ads used to deliver Redline Stealer

Target Industry

Because the payload is a trojanised installer promoted through malicious Google adverts, targeting is indiscriminate and opportunistic: anyone who searches for an AI tool and clicks the advert is a potential victim.

Overview

Malicious advertisements for artificial intelligence (AI) tools (ChatGPT, Midjourney, DALL-E and similar services) have emerged as an effective distribution channel for the Redline Stealer malware. The adverts rely on social engineering: they lead to a spoofed download page for the advertised tool and persuade the user to fetch and run a trojanised installer. Once executed, Redline Stealer harvests sensitive information from the victim's system, compromising the security of the individual or organisation.

First observed in March 2020, Redline Stealer harvests saved credentials from web browsers, cryptocurrency wallets and other installed applications, and its configurable file grabber lets the operator collect arbitrary files from the infected host.

Impact

Data Theft: Once Redline Stealer infiltrates a system, it gathers confidential data including login data, financial information, and personal details. This stolen information can be sold on the dark web, used for financial crime, corporate espionage, or identity theft.

System Compromise: Redline Stealer is modular and can download and execute additional malware, further compromising the infected system. This may lead to botnet enrolment, ransomware deployment or persistent unauthorised access.

Affected Products

  • Microsoft Windows (Redline Stealer is a .NET executable; there is no native macOS or Linux build)
  • Web browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, and Safari)
  • Email clients (Microsoft Outlook and Mozilla Thunderbird)
  • Database systems (MySQL, Microsoft SQL Server and Oracle Database)
  • Office suites
  • Financial software
  • Gaming platforms
  • Cloud services

Containment, Mitigations & Remediations

Upon detection of compromised credentials, customers should act promptly and issue password changes for the affected users. If a password change cannot be implemented, or the account is no longer in active use, the account should be disabled or added to a deny list so that it cannot be reused in further attack campaigns. Enforcement of multi-factor authentication (MFA) is also strongly recommended, as it can prevent unauthorised access even when credentials have been compromised. Because Redline also steals browser session cookies, active sessions for affected users should be revoked alongside the password reset, otherwise the attacker can keep using a session that MFA has already approved.

Threat intelligence has also observed weak password hygiene across several industry sectors, including the use of basic, easily guessed passwords such as 'password1'. Customers should follow National Cyber Security Centre (NCSC) guidance and build passwords from three random, unrelated words; this produces a long, memorable password without relying on enforced complexity rules (mandatory uppercase, lowercase and symbol characters), which NCSC advises against.

The following list contains a summary of the recommended mitigation steps to adhere to as a defence strategy against exploitation by Redline Stealer:

  • Use strict password management and least privilege access policies
  • Implement multi-factor authentication
  • Reset passwords immediately whenever compromise is suspected or confirmed; scheduled periodic rotation (e.g. every 90 days) is no longer recommended by NCSC and should not be relied on in place of compromise-driven resets
  • Ensure that employees are trained to identify and report malicious content
  • Use application allowlisting so that unapproved binaries, such as the trojanised installers served by these adverts, cannot execute even if they are downloaded
  • Ensure that anti-virus signatures are up to date
  • Identify which systems, applications, and data lakes are mission-critical to your business and day-to-day operations
  • Implement frequent backups of crucial files and isolate them from local and open networks
  • Maintain offline backup copies of data stored in locations inaccessible from infected systems
  • Promptly patch software and applications and maintain awareness with regards to vulnerability advisories
  • Implement and practice a digital disaster recovery plan.

Indicators of Compromise

The following Indicators of Compromise (IoCs) relate to the distribution of the malware via the malicious AI tool advertisements. The URLs are the spoofed download pages used for delivery, not the stealer's command-and-control infrastructure, and the file hashes cover the specific samples analysed; fresh builds will have different hashes.

Redline Stealer associated file hashes (SHA256):

  • 903ec040156e7a33d93a518777077fa8e6a85bfad6b9dad522037e89b80d058b
  • 57fd28483d311e212f9d278a576438b9c36035d54662e63a81afaa26fea8db43
  • 06aa2b8815e5862768ae71fbcbe5830da4985cf16d8574d73c870d1bf7d2a88a
  • 7cb2a612a1228558f187b19bbc6802b4e07a196c838f1f4cac9fa13da2bbb86f
  • 36d5395c756522613712c91c897018f0ecbf5d6db739aa1550776c5ad507d867
  • a2e4f61880a28b37fa0e36c799485b848a017f47fd5cf3e56b1681039fdca342

Redline Stealer associated URLs (defanged):

  • hxxps[://]adv-pardorudy[.]ru/
  • hxxps[://]get-mldjourney[.]shop
  • hxxps[://]dall-e[.]click
  • hxxp[://]mid-journey[.]org/
  • hxxps[://]get-mldjourney[.]site
  • hxxps[://]openai-chatgpt[.]xyz
  • hxxps[://]get-chatgpt[.]xyz
  • hxxp[://]advert-job[.]ru/
  • hxxps[://]adv-frank[.]xyz
  • hxxps[://]chatg-pt[.]net
  • hxxps[://]openal-chatgpt[.]top
  • hxxps[://]get-chatgpt[.]shop
  • hxxps[://]openaijobs[.]ru
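The IoCs above are published defanged, so the first job for a responder is to refang them and sweep existing telemetry. The following is an added example, not code from the bulletin or from the Trend Micro or Zscaler reports it cites: it refangs a subset of the URLs, extracts their hostnames, and matches them (including subdomains) against constructed web-proxy log lines, then matches two of the published hashes against a constructed EDR file-hash export. The log and export formats are assumptions chosen for the example; adapt the line parsing to your own sources.

```python
"""Added example (not from the bulletin or its sources): refang the bulletin's
defanged IoCs and sweep constructed proxy-log lines and an EDR file-hash export."""
import re
from urllib.parse import urlsplit

# Distribution URLs copied from the bulletin in their defanged form (subset).
DEFANGED_URLS = [
    "hxxps[://]adv-pardorudy[.]ru/",
    "hxxps[://]get-mldjourney[.]shop",
    "hxxps[://]dall-e[.]click",
    "hxxp[://]mid-journey[.]org/",
    "hxxps[://]openai-chatgpt[.]xyz",
    "hxxps[://]get-chatgpt[.]xyz",
    "hxxps[://]chatg-pt[.]net",
]

# Two of the bulletin's sample hashes.
SHA256_IOCS = {
    "903ec040156e7a33d93a518777077fa8e6a85bfad6b9dad522037e89b80d058b",
    "57fd28483d311e212f9d278a576438b9c36035d54662e63a81afaa26fea8db43",
}


def refang(ioc: str) -> str:
    """Turn 'hxxps[://]host[.]tld' back into 'https://host.tld' (lower-cased)."""
    s = ioc.strip().lower()
    s = re.sub(r"^hxxp", "http", s)          # hxxp / hxxps -> http / https
    for broken, fixed in (("[://]", "://"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        s = s.replace(broken, fixed)
    return s


def ioc_domains(defanged_urls):
    """Set of hostnames extracted from the refanged URL IoCs."""
    return {urlsplit(refang(u)).hostname for u in defanged_urls}


def matches_domain(host: str, domains) -> bool:
    """True for an exact IoC host or any subdomain of it (api.dall-e.click still hits)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def sweep_proxy_log(log_text: str, domains):
    """Return (client_ip, matched_host) for each proxy line whose URL host is an IoC.
    Assumed line shape (constructed): '<timestamp> <client> <method> <url> <status>'."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                           # skip malformed lines rather than crash
        client, url = parts[1], parts[3]
        host = urlsplit(url).hostname or ""
        if matches_domain(host, domains):
            hits.append((client, host))
    return hits


def sweep_hashes(export_text: str, hashes):
    """Return (hostname, path) for each EDR export row whose SHA256 is an IoC.
    Assumed row shape (constructed): '<hostname>,<path>,<sha256>'."""
    hits = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rest, sha = line.rsplit(",", 1)        # a path may contain commas; a hash never does
        hostname, path = rest.split(",", 1)
        if sha.strip().lower() in hashes:
            hits.append((hostname, path))
    return hits


# Constructed sample data: a web-proxy extract and an EDR file-hash export.
PROXY_LOG = """\
2023-04-18T09:12:03Z 10.1.4.22 GET https://www.google.com/search?q=midjourney+download 200
2023-04-18T09:12:41Z 10.1.4.22 GET https://get-mldjourney.shop/Midjourney_Setup.zip 200
2023-04-18T09:13:05Z 10.1.4.22 GET https://cdn.openai.com/assets/logo.png 200
2023-04-18T09:15:17Z 10.1.7.9  GET http://mid-journey.org/ 200
2023-04-18T09:16:40Z 10.1.7.9  POST https://api.dall-e.click/upload 200
"""

HASH_EXPORT = """\
WKS-022,C:\\Users\\amy\\Downloads\\Midjourney_Setup.exe,903ec040156e7a33d93a518777077fa8e6a85bfad6b9dad522037e89b80d058b
WKS-022,C:\\Windows\\System32\\notepad.exe,deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""

if __name__ == "__main__":
    domains = ioc_domains(DEFANGED_URLS)
    for client, host in sweep_proxy_log(PROXY_LOG, domains):
        print(f"network hit: {client} -> {host}")
    for hostname, path in sweep_hashes(HASH_EXPORT, SHA256_IOCS):
        print(f"file hit: {hostname} {path}")
```

Matching on hostname rather than full URL is deliberate: the landing pages change paths and filenames between campaigns, and the operators serve from subdomains, so an exact-URL match would miss most traffic. The benign cdn.openai.com line shows why the suffix check requires a leading dot; without it, any host merely ending in an IoC string would fire.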

Threat Landscape

The typical motive for deploying information-stealing malware such as Redline is financial gain for the associated threat actors. Such malware commonly runs in the background of the target system to avoid detection while it harvests data.

In recent years, information stealers have become a prevalent initial-access vector. Redline is a 'commodity' information stealer, sold as a service to any buyer, and the data it harvests is routinely resold on illicit marketplaces, where other threat actors purchase it. Credentials acquired this way lead to further targeting of the victim organisation, frequently as the entry point for follow-on attacks such as ransomware.

Threat Group

A diverse range of cyber threat actors use the Redline Stealer malware. It has been marketed and sold on several online criminal forums by a Russian-speaking cybercriminal known as "REDGlade", also known as "Glade".

Mitre Methodologies

Execution

T1053 – Scheduled Task/Job

T1053.005 – Scheduled Task

T1059 – Command and Scripting Interpreter

T1059.001 – PowerShell

T1106 – Native API

T1129 – Shared Modules

Persistence

T1031 – Modify Existing Service (deprecated ID; now T1543.003 – Create or Modify System Process: Windows Service)

T1053 – Scheduled Task/Job

T1053.005 – Scheduled Task

T1060 – Registry Run Keys / Startup Folder (deprecated ID; now T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)

Privilege Escalation

T1031 – Modify Existing Service (deprecated ID; now T1543.003)

T1053 – Scheduled Task/Job

T1053.005 – Scheduled Task

T1060 – Registry Run Keys / Startup Folder (deprecated ID; now T1547.001)

Defence Evasion

T1070 – Indicator Removal

T1089 – Disabling Security Tools (deprecated ID; now T1562.001 – Impair Defenses: Disable or Modify Tools)

T1112 – Modify Registry

Credential Access

T1081 – Credentials in Files (deprecated ID; now T1552.001 – Unsecured Credentials: Credentials In Files)

Discovery

T1012 – Query Registry

T1057 – Process Discovery

T1082 – System Information Discovery

Collection

T1005 – Data from Local System

Command and Control

T1071 – Application Layer Protocol

T1071.001 – Web Protocols
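The persistence, execution and defence-evasion rows above describe host behaviours that endpoint telemetry can catch even when the installer hash is new. The following is an added example, not code from the bulletin or its sources: simple detection rules for a Run-key entry pointing into a user-writable directory (the page's T1060, current ID T1547.001), scheduled-task creation (T1053.005), Windows Defender being switched off through policy registry values (the page's T1089, current ID T1562.001, via T1112 registry modification) and encoded or hidden PowerShell (T1059.001), run over constructed Sysmon-style events. The field names follow Sysmon's Event ID 1 (process create) and Event ID 13 (registry value set), but the events, paths and the encoded command are invented for illustration, and the rules are a starting point rather than a tuned detection set.

```python
"""Added example (not from the bulletin or its sources): rule-based detection of
the persistence, execution and defence-evasion techniques in the MITRE mapping,
run over constructed Sysmon-style events (Event ID 1 = process create,
Event ID 13 = registry value set). Technique labels use current ATT&CK IDs."""
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
DEFENDER_TAMPER = re.compile(
    r"Windows Defender\\(DisableAntiSpyware|Real-Time Protection\\DisableRealtimeMonitoring)$", re.I)
ENCODED_OR_HIDDEN_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden", re.I)
SCHTASKS_CREATE = re.compile(r"\s/create\b", re.I)


def detect(events):
    """Return (RecordId, technique, summary) for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            target, details = ev["TargetObject"], ev["Details"]
            # Autostart entry whose target lives in a user-writable directory: classic stealer persistence.
            if RUN_KEY.search(target) and USER_WRITABLE.search(details):
                findings.append((ev["RecordId"], "T1547.001", f"autostart {target} -> {details}"))
            # Defender switched off by setting a policy DWORD to 1.
            elif DEFENDER_TAMPER.search(target) and details.endswith("(0x00000001)"):
                findings.append((ev["RecordId"], "T1562.001", f"Defender disabled via {target}"))
        elif ev["EventID"] == 1:
            image, cmd = ev["Image"].lower(), ev["CommandLine"]
            if image.endswith("\\schtasks.exe") and SCHTASKS_CREATE.search(cmd):
                findings.append((ev["RecordId"], "T1053.005", cmd))
            elif image.endswith("\\powershell.exe") and ENCODED_OR_HIDDEN_PS.search(cmd):
                findings.append((ev["RecordId"], "T1059.001", cmd))
    return findings


# Constructed events: a trojanised "installer" run from Downloads, then the persistence,
# AV tampering and PowerShell activity a responder looks for, plus two benign look-alikes
# (a vendor autostart in Program Files and a schtasks query) that must not fire.
DROPPED = "C:\\Users\\amy\\AppData\\Roaming\\Updater\\svchost.exe"
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": "C:\\Users\\amy\\Downloads\\Midjourney_Setup.exe",
     "CommandLine": "\"C:\\Users\\amy\\Downloads\\Midjourney_Setup.exe\""},
    {"RecordId": 2, "EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": DROPPED},
    {"RecordId": 3, "EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": f"schtasks /create /sc minute /mo 5 /tn Updater /tr \"{DROPPED}\" /f"},
    {"RecordId": 4, "EventID": 13,
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"RecordId": 5, "EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"RecordId": 6, "EventID": 13,
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
    {"RecordId": 7, "EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /query /tn Updater"},
]

if __name__ == "__main__":
    for record_id, technique, summary in detect(SAMPLE_EVENTS):
        print(f"record {record_id}: {technique}: {summary}")
```

The Run-key rule keys on where the autostart target lives rather than on the key itself, because legitimate software writes Run entries constantly; a value pointing into AppData, Temp or Downloads is the signal. In a real deployment these findings should be correlated by host and time with the process that wrote them (the Image field on Event ID 13), which for this campaign would be the freshly downloaded installer.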

Further Information

Malicious AI Tool Ads Used to Deliver Redline Stealer (trendmicro.com)

CyberGate, RedLine Part of AutoIt Malware Campaign | Zscaler
