Beware of Fake RedLine Stealer That Distributed As Fake Omicron Stats Counter

The latest version of the RedLine info-stealer is roaming in the wild, and this time it was distributed as a fake COVID-19 Omicron Stats Counter app by threat actors through emails with a malicious attachment.

For a couple of hundred USD, the threat actors sold the RedLine malware on dark web markets since it is a widespread commodity. However, this time, in this event, it is distributed through email that contains a fake Omicron stat counter app download link.

The continuous development of this malware clearly depicts that the operators and developers of this malware are very active, and not only that even they are also actively improving this malware with the following addons and abilities:-

  • Widespread deployments
  • Multiple distribution methods

Malware Profile

  • Malware: RedLine info-stealer
  • Affected Platforms: Windows
  • Impacted Users: Windows users
  • Impact: Various data including confidential information on the compromised machine will be stolen.
  • Severity Level: Medium

The cybersecurity researchers at Fortnite’s FortiGuard Labs has detected that this new variant of RedLine info-stealer targeted the user account credentials stored on the:-

  • Browser
  • VPN passwords
  • Credit card details
  • Cookies
  • IM content
  • FTP credentials
  • Cryptocurrency wallet data
  • Operating system
  • System information
  • Graphics card name
  • BIOS manufacturer
  • Identification code
  • Serial number
  • Release date
  • Version
  • Disk drive manufacturer
  • Model
  • Total heads
  • Signature
  • Processor (CPU)
  • CPU Unique ID
  • CPU Processor ID
  • CPU manufacturer
  • CPU name
  • Max clock speed
  • Motherboard information
  • IP
  • Country
  • City
  • Current user name
  • Hardware ID
  • UAC settings
  • User-Agent
  • Installed antivirus solution
  • Data/Files
  • Keyboard layouts
  • Screenshot
  • Screen resolution

The attackers steal all these data through the fake Omicron Stats counter app, and the malicious app starts its task once the “Omicron Stats.exe” file get executed by the victim.

Here, the “Omicron Stats.exe” package contains several payloads and the malware itself which was pushed into vbc.exe after getting executed. While apps that are targeted by this new variant of the RedLine info-stealer:-

  • Opera GX web browser
  • OpenVPN
  • ProtonVPN
  • Discord

But, why Discord? Since Discord resources are quite crucial so, they also analyze the Discord aggressively to steal:-

  • Discord access tokens
  • Discord logs
  • Discord database files 

In later stages to locate images and conversation histories, the malware searches the Telegram folders, and then sends all the collected data to the C2 server controlled by the threat actors.

Here’s what the report presented by Fortnite states:-

“This variant uses 207[.]32.217.89 as its C2 server through port 14588. This IP is owned by 1gservers. Over the course of the few weeks after this variant was released, we noticed one IP address (149[.]154.167.91) in particular communicating with this C2 server.”

Currently, this new variant of RedLine Stealer was already detected across 12 countries, and it has been detected that it does not target any specific organizations or any individuals.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.