Threat analysts have uncovered yet a new campaign that uses the RIG Exploit Kit to deliver the RedLine stealer malware.
Exploit kits (EKs) have dropped drastically in popularity because the vulnerabilities they targeted lived in web browser plug-ins such as the now-defunct Flash Player and Microsoft Silverlight.
As web browsers grew more secure and introduced automatic updates for all their components or replaced them with modern standards, the use of EKs to distribute malware has declined to the point that they are a rare encounter these days.
However, as there are still users running browsers without the latest security updates, Internet Explorer in particular, EKs have not completely run out of targets.
The threat actors use the exploit to compromise the machine and deploy RedLine, a cheap but powerful info-stealing malware widely circulated on Russian-speaking forums.
From there, the adversaries exfiltrate sensitive user details such as cryptocurrency wallet keys, credit card details, and account credentials stored on web browsers.
RIG Exploit’s new tricks
As the name implies, the RIG EK includes a set of exploits to automate network intrusion by performing the required shellcode execution on the target.
It has been used extensively in numerous campaigns since 2016. Its popularity peaked in 2018 and 2019, when it was used to deploy various malware, including ransomware such as Nemty, Sodinokibi/REvil, Buran, and Eris.
Today, RIG Exploit has lost its prestigious status but some threat actors still find it useful to deliver malware, as was the case last year, when it dropped WastedLoader malware.
The recent campaign was discovered by researchers at Bitdefender, who found that RIG EK incorporates CVE-2021-26411 to initiate an infection process that smuggles a copy of RedLine stealer on the target in packed form.
The unpacking of the RedLine stealer is a six-stage process consisting of decompressions, key retrievals, runtime decryptions, and assembly actions. The resulting DLL files never touch the disk, which helps evade AV detection.
Once RedLine has taken form on the compromised machine as an obfuscated .NET executable, it attempts to connect to its C2 server, which in this campaign is 188.8.131.52 on port 15386.
The communication uses an encrypted non-HTTP channel, while the first request also involves authorization. The second request is answered by a list of settings that determine what actions will be performed on the host.
After that, RedLine begins collecting data according to those settings, targeting an extensive set of software like web browsers, VPNs, FTP clients, Discord, Telegram, Steam, and cryptocurrency wallets/plugins.
Moreover, RedLine sends a package of system information to the C2, including the Windows username and serial number, a list of installed software, a list of running processes, time zone, active language, and a screenshot.
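The C2 behaviour described above (a non-HTTP channel to a fixed IP and port) is the kind of indicator a defender can match directly against network telemetry. The following is an added example, not code from the article or from Bitdefender: it parses constructed, Zeek-style `conn.log` lines (a format assumption) and flags connections whose destination matches the C2 address and port named on the page. The log lines are constructed samples, not real telemetry.

```python
"""Match the RedLine C2 indicator from the article against connection logs.

Added example, not the article's or Bitdefender's own code. Assumes a
Zeek-style tab-separated conn.log with the eight columns listed below;
the sample records are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Indicator taken from the article: RedLine C2 at 188.8.131.52, TCP port 15386.
REDLINE_C2: Set[Tuple[str, int]] = {("188.8.131.52", 15386)}

# Constructed records, columns: ts, uid, src_ip, src_port, dst_ip, dst_port, proto, service.
# Zeek writes "-" for service when it cannot identify an application protocol,
# which is what the article's encrypted non-HTTP channel would look like.
SAMPLE_CONN_LOG = """\
1650000001.123\tC1a2b3\t10.0.0.15\t49812\t142.250.74.78\t443\ttcp\tssl
1650000002.456\tC4d5e6\t10.0.0.15\t49813\t188.8.131.52\t15386\ttcp\t-
1650000003.789\tC7f8g9\t10.0.0.22\t52001\t188.8.131.52\t80\ttcp\thttp
1650000004.001\tCabc12\t10.0.0.15\t49814\t188.8.131.52\t15386\ttcp\t-
"""


@dataclass(frozen=True)
class Conn:
    ts: float
    uid: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    service: str


def parse_conn_log(text: str) -> List[Conn]:
    """Parse tab-separated conn.log lines, skipping comments and malformed rows."""
    records: List[Conn] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) != 8:
            continue  # malformed line: skip it rather than abort the whole run
        records.append(
            Conn(float(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5]), f[6], f[7])
        )
    return records


def match_c2(conns: Iterable[Conn], iocs: Set[Tuple[str, int]] = REDLINE_C2) -> List[Conn]:
    """High-confidence hits: destination IP and port both match an indicator."""
    return [c for c in conns if (c.dst_ip, c.dst_port) in iocs]


def match_c2_ip_only(conns: Iterable[Conn], iocs: Set[Tuple[str, int]] = REDLINE_C2) -> List[Conn]:
    """Lower-confidence hits: same C2 address on any port (operators do move ports)."""
    ips = {ip for ip, _ in iocs}
    return [c for c in conns if c.dst_ip in ips]


def infected_hosts(conns: Iterable[Conn]) -> Set[str]:
    """Internal hosts that completed a connection to the C2 IP:port pair."""
    return {c.src_ip for c in match_c2(conns)}


if __name__ == "__main__":
    conns = parse_conn_log(SAMPLE_CONN_LOG)
    for c in match_c2(conns):
        print(f"C2 hit: {c.src_ip}:{c.src_port} -> {c.dst_ip}:{c.dst_port} service={c.service}")
    print("hosts to isolate:", sorted(infected_hosts(conns)))
```

The two matchers are kept separate on purpose: the exact IP:port match is what the article reports and is safe to alert on, while the IP-only match is a triage aid that will also catch a host reaching the same address on a different port, as the third constructed record does.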
The variety in RedLine’s distribution stems from the fact that it is in the hands of so many threat actors, each with their own approach.
While these methods require user action and target a wider audience, the addition of the RIG Exploit Kit automates the infection process but limits the victim set to those that still run a vulnerable version of Internet Explorer.