Because the payload is a trojanised download promoted through malicious Google adverts, targeting is indiscriminate and opportunistic: anyone who searches for the advertised AI tool and clicks the advert is a potential victim.
Malicious advertisements for artificial intelligence (AI) tools have emerged as a highly effective method for threat actors to distribute the Redline Stealer malware. The adverts rely on social engineering to trick unsuspecting users into clicking through and downloading a malicious file. Their sole objective is to deliver Redline Stealer to the victim's system, enabling the theft of sensitive information and compromising the security of the affected individual or organisation.
Originally discovered in March 2020, Redline Stealer harvests login information from web browsers, cryptocurrency wallets and other applications, and its customisable file grabber collects files of interest from the infected host.
Data Theft: Once Redline Stealer infiltrates a system, it gathers confidential data including login credentials, financial information, and personal details. The stolen information can be sold on the dark web or used directly for financial crime, corporate espionage, or identity theft.
System Compromise: Due to its modular design, Redline Stealer can download and execute additional malware, further compromising the infected system. This may lead to botnet enrolment, ransomware deployment, or persistent unauthorised access.
Credentials and data held by the following categories of software are at risk:
- Windows operating systems (Redline Stealer is a .NET executable and does not run natively on macOS or Linux)
- Web browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, and Safari)
- Email clients (Microsoft Outlook and Mozilla Thunderbird)
- Database systems (MySQL, Microsoft SQL Server, and Oracle Database)
- Office suites
- Financial software
- Gaming platforms
- Cloud services
Containment, Mitigations & Remediations
It is recommended that, upon detection of compromised credentials, customers act promptly and force password changes for the affected users. If a password change cannot be implemented, or the account is no longer in active use, the account should be added to a deny list so that it cannot be used in further attack campaigns. Enforcing multi-factor authentication (MFA) is also strongly recommended, as it can prevent unauthorised access even when credentials have been compromised.
Threat intelligence has also detected weak password hygiene, with several employees across the industry sector using basic, easy-to-crack passwords such as 'password1'. Customers are strongly recommended to follow National Cyber Security Centre (NCSC) guidance and use passwords composed of three random words, incorporating uppercase, lowercase and symbol characters.
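The credential-response steps above (forced reset for active accounts, deny-listing dormant ones, MFA enforcement, and weeding out passwords like 'password1') can be scripted against a list of exposed credentials. The following Python is an added example, not code from the original advisory; the account directory, the exposed-credential pairs and the small common-password denylist are constructed sample data, and in practice the exposed pairs would come from stealer logs or a breach-monitoring feed.

```python
"""Triage exposed credentials and flag weak passwords.

Added example, not part of the original advisory. The account directory and the
exposed-credential list below are constructed sample data; in practice the
exposed pairs come from stealer logs or a breach-monitoring feed.
"""
import re

# Small constructed denylist standing in for a breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

# Trailing digits/symbols that users bolt onto a dictionary word ('password1', 'Summer2023!').
SUFFIX_RE = re.compile(r"[0-9!@#$%^&*]+$")
# A single word (3+ letters) followed by a short suffix of at most six digits/symbols.
WORD_SUFFIX_RE = re.compile(r"^[A-Za-z]{3,}[0-9!@#$%^&*]{1,6}$")


def is_weak_password(password: str, min_length: int = 12) -> bool:
    """True if the password is one a buyer of stealer logs would crack quickly.

    Heuristics: shorter than min_length, on the common list (with any trailing
    digit/symbol suffix stripped), or a single dictionary-style word plus suffix.
    A three-random-word passphrase ('tiger-quartz-lantern') clears all three.
    """
    if len(password) < min_length:
        return True
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or SUFFIX_RE.sub("", lowered) in COMMON_PASSWORDS:
        return True
    return bool(WORD_SUFFIX_RE.match(password))


def triage_exposed_credentials(exposed, accounts):
    """Map each exposed username to the actions the advisory recommends.

    exposed:  iterable of (username, password) pairs seen in stealer output.
    accounts: dict username -> {"active": bool, "mfa": bool} from the directory.
    Active accounts get a forced reset (and MFA enrolment if missing); dormant
    or unknown accounts go on the deny list. Weak passwords are flagged so the
    user also receives password guidance.
    """
    actions = {}
    for username, password in exposed:
        acct = accounts.get(username)
        todo = actions.setdefault(username, [])
        if acct is None or not acct["active"]:
            todo.append("deny_list")
        else:
            todo.append("force_password_reset")
            if not acct["mfa"]:
                todo.append("enforce_mfa")
        if is_weak_password(password):
            todo.append("weak_password")
        # A user can appear several times in a dump; keep each action once.
        actions[username] = list(dict.fromkeys(todo))
    return actions


# Constructed sample data for the demonstration.
SAMPLE_ACCOUNTS = {
    "alice": {"active": True, "mfa": True},
    "bob": {"active": True, "mfa": False},
    "carol": {"active": False, "mfa": False},
}
SAMPLE_EXPOSED = [
    ("alice", "tiger-quartz-lantern"),  # strong passphrase, still must be reset
    ("bob", "password1"),               # the advisory's own example of a weak password
    ("carol", "Summer2023!"),           # dormant account, word-plus-suffix password
    ("dave", "Qw3rty!!"),               # not in the directory at all
]

if __name__ == "__main__":
    for user, todo in triage_exposed_credentials(SAMPLE_EXPOSED, SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(todo)}")
```

The deny-list branch fires for unknown usernames as well as dormant ones, because a credential in a stealer dump that does not match the directory is still worth blocking at the identity provider in case the account exists elsewhere.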
The following list contains a summary of the recommended mitigation steps to adhere to as a defence strategy against exploitation by Redline Stealer:
- Use strict password management and least privilege access policies
- Implement multi-factor authentication
- Rotate all user passwords on a frequent basis (e.g. every 90 days)
- Ensure that employees are trained to identify and report malicious content
- Use application allow-listing so that unapproved executables cannot run even if a malicious download reaches the endpoint
- Ensure that anti-virus signatures are up to date
- Identify which systems, applications, and data lakes are mission-critical to your business and day-to-day operations
- Implement frequent backups of crucial files and isolate them from local and open networks
- Maintain offline backup copies of data in locations inaccessible from infected systems
- Promptly patch software and applications and maintain awareness with regards to vulnerability advisories
- Implement and practice a digital disaster recovery plan.
Indicators of Compromise
The following list of Indicators of Compromise (IoCs) relates to the distribution of the malware via malicious AI advertisements.
Redline Stealer associated file hashes (SHA256):
Redline Stealer associated URLs:
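A practical use of the two IoC lists is a sweep of download directories for matching SHA256 digests and of web-proxy logs for the associated URLs and hosts. The Python below is an added example, not part of the original advisory: IOC_SHA256 and IOC_URLS are left empty to be filled from the lists above, and the demo routine uses digests computed from constructed files plus constructed proxy log lines and a reserved .example hostname, not real indicators.

```python
"""Sweep a host directory and proxy logs for the advisory's IoCs.

Added example, not part of the original advisory. IOC_SHA256 and IOC_URLS are
to be populated from the IoC lists above; the demo below uses digests computed
from constructed files and constructed proxy log lines, not real indicators.
"""
import hashlib
import os
import tempfile
from urllib.parse import urlsplit

IOC_SHA256 = set()  # lower-case hex SHA256 digests from the advisory
IOC_URLS = set()    # full URLs from the advisory


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a file so large downloads are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, ioc_hashes):
    """Return {path: sha256} for every file under root whose digest is an IoC."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable or vanished file: skip, do not abort the sweep
                continue
            if digest in wanted:
                hits[path] = digest
    return hits


def match_proxy_log(lines, ioc_urls):
    """Return (line_no, url, reason) for log lines that touch an IoC.

    Log format assumed here: '<timestamp> <client_ip> <url> <status>'.
    An exact URL match is reported as 'exact_url'; any other request to the
    same hostname is reported as 'ioc_host', since payload paths change often.
    """
    hosts = {(urlsplit(u).hostname or "").lower() for u in ioc_urls}
    hosts.discard("")
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        url = fields[2]
        if url in ioc_urls:
            hits.append((line_no, url, "exact_url"))
        elif (urlsplit(url).hostname or "").lower() in hosts:
            hits.append((line_no, url, "ioc_host"))
    return hits


def demo():
    """Exercise both checks on constructed data; returns (file_hits, log_hits)."""
    with tempfile.TemporaryDirectory() as root:
        dropper = os.path.join(root, "AI_Tool_Setup.exe")
        benign = os.path.join(root, "notes.txt")
        with open(dropper, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 64)  # constructed stand-in, not malware
        with open(benign, "wb") as fh:
            fh.write(b"meeting notes")
        demo_hashes = {sha256_file(dropper)}
        file_hits = {os.path.basename(p): d for p, d in scan_directory(root, demo_hashes).items()}
    demo_urls = {"http://ai-tool-download.example/AI_Tool_Setup.exe"}
    demo_log = [  # constructed proxy log lines
        "2023-05-01T10:00:00Z 10.0.0.5 https://www.example.org/ 200",
        "2023-05-01T10:00:07Z 10.0.0.5 http://ai-tool-download.example/AI_Tool_Setup.exe 200",
        "2023-05-01T10:00:09Z 10.0.0.5 http://ai-tool-download.example/update.php 404",
    ]
    return file_hits, match_proxy_log(demo_log, demo_urls)


if __name__ == "__main__":
    print(demo())
```

Matching on hostname as well as the exact URL is deliberate: advert-driven campaigns rotate the payload filename frequently, so a request to a known distribution host with a different path is still worth an alert, and the third demo line shows that case.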
The typical motive for deploying information stealer malware such as Redline is financial: the harvested data is monetised by the associated threat actors. Such malware usually operates in the background of the target system to avoid detection.
In recent years, information-stealing malware has become a prevalent initial infection vector. Redline is a 'commodity' information stealer: the data it harvests is sold on illicit marketplaces where other threat actors can purchase it. Those buyers use the credentials for follow-on targeting, which frequently leads to further attacks such as ransomware.
A diverse range of cyber threat actors have adopted Redline Stealer. It has been marketed and sold on several online criminal forums by a Russian-speaking cybercriminal using the handle "REDGlade", also known as "Glade".
MITRE ATT&CK techniques associated with Redline Stealer (several of the IDs are legacy ones that ATT&CK has since merged into newer techniques, noted in parentheses):
Execution
T1053 – Scheduled Task/Job
T1053.005 – Scheduled Task
T1059 – Command and Scripting Interpreter
T1059.001 – PowerShell
T1106 – Native API
T1129 – Shared Modules
Persistence
T1031 – Modify Existing Service (now T1543.003 – Windows Service)
T1053 – Scheduled Task/Job
T1053.005 – Scheduled Task
T1060 – Registry Run Keys / Startup Folder (now T1547.001)
Privilege Escalation
T1031 – Modify Existing Service (now T1543.003 – Windows Service)
T1053 – Scheduled Task/Job
T1053.005 – Scheduled Task
T1060 – Registry Run Keys / Startup Folder (now T1547.001)
Defence Evasion
T1070 – Indicator Removal
T1089 – Disabling Security Tools (now T1562.001 – Disable or Modify Tools)
T1112 – Modify Registry
Credential Access
T1081 – Credentials in Files (now T1552.001)
Discovery
T1012 – Query Registry
T1057 – Process Discovery
T1082 – System Information Discovery
Collection
T1005 – Data from Local System
Command and Control
T1071 – Application Layer Protocol
T1071.001 – Web Protocols
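The persistence and execution techniques in the list above (Run keys, scheduled tasks, PowerShell) are the ones most amenable to a hunt in endpoint telemetry. The Python below is an added example, not part of the original advisory: it applies generic heuristics for T1060, T1053.005 and T1059.001 to constructed Sysmon-style records (event ID 13 for a registry value set, event ID 1 for process creation) and does not encode any Redline-specific artefacts, command lines or paths.

```python
"""Hunt for the persistence and execution techniques listed above in endpoint telemetry.

Added example, not part of the original advisory. These are generic heuristics
for T1060 (Run keys), T1053.005 (scheduled tasks) and T1059.001 (PowerShell)
applied to constructed Sysmon-style records (event ID 13 = registry value set,
event ID 1 = process create); they do not encode Redline-specific artefacts.
"""
import re

# Locations a standard user can write to; legitimate software rarely persists from them.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Users\\Public|ProgramData|Temp|Downloads)\\", re.IGNORECASE)
# Autostart registry locations covered by T1060.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# PowerShell switches typical of a loader: encoded command, hidden window, no profile.
PS_SUSPICIOUS_RE = re.compile(
    r"(?:^|\s)(-enc\w*|-w(?:indowstyle)?\s+hidden|-nop\w*)", re.IGNORECASE)


def detect(events):
    """Return [(rule, technique, evidence), ...] for suspicious events.

    events: iterable of dicts with 'event_id' plus Sysmon-style fields:
    TargetObject/Details for ID 13, Image/CommandLine for ID 1.
    """
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 13:
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            # Run-key value whose payload lives in a user-writable directory.
            if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(details):
                findings.append(("run_key_user_writable", "T1060", f"{target} -> {details}"))
        elif eid == 1:
            image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
            exe = image.rsplit("\\", 1)[-1].lower()
            # Task created whose action points into a user-writable directory.
            if exe == "schtasks.exe" and "/create" in cmd.lower() and USER_WRITABLE_RE.search(cmd):
                findings.append(("schtasks_user_writable", "T1053.005", cmd))
            # PowerShell launched with loader-style switches.
            elif exe in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS_RE.search(cmd):
                findings.append(("powershell_loader_switches", "T1059.001", cmd))
    return findings


# Constructed sample telemetry: three suspicious records and two benign ones.
SAMPLE_EVENTS = [
    {"event_id": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Roaming\svc\updater.exe"},
    {"event_id": 13,  # benign: vendor tray app installed under Program Files
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"event_id": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\Users\bob\AppData\Local\Temp\x.exe" /f'},
    {"event_id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"event_id": 1,  # benign: scheduled admin script run with a plain -File switch
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for rule, technique, evidence in detect(SAMPLE_EVENTS):
        print(f"[{technique}] {rule}: {evidence}")
```

The user-writable-path condition is what keeps the Run-key and scheduled-task rules from firing on every installer; tune USER_WRITABLE_RE to the paths your estate's legitimate software actually persists from before deploying it as an alert.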