RedLine Malware Weaponizes Pirated Corporate Software To Steal Logins

An ongoing RedLine info-stealer campaign targets Russian-speaking entrepreneurs who run unlicensed copies of corporate software to automate their business processes.

The attackers distributed a trojanized build of the HPDxLIB activator to users of business-process automation software; the build carried a RedLine stealer concealed in an unusual way.

According to the report, the campaign began in January 2024 and was still targeting users of unlicensed software at the time of writing.

“Users of unlicensed copies of corporate software for automating business processes faced an attack during which attackers distributed malicious activators on accounting forums”, Kaspersky reports.

“The discovered samples were versions of the well-known HPDxLIB activator, which contained a RedLine stealer hidden in a very unusual way: the activator library was obfuscated with the .NET Reactor, and the malicious code was compressed and encrypted into several layers.”


RedLine Information Stealer Weaponizes Pirated Corporate Software

Researchers note that the malicious version of the HPDxLIB activator is built in .NET and carries a self-signed certificate, whereas the legitimate version is written in C++ and carries a valid certificate.

Cybercriminals provide links to malicious activators on forums dedicated to accountancy and company ownership.

In these posts they explain in great detail how to bypass the license check and keep the software updated, while saying nothing about the malicious payload.

Once security products began flagging the build, some forums started warning users about the possible presence of RedLine Stealer in the HPDxLIB build.

Nevertheless, researchers say the activator's instructions still tell users to disable their security software and add the malicious files to its exclusions; without these steps, pirated activators do not work.

[Figure: forum post warning users about the possible presence of RedLine stealer]

The instructions for the malicious sample tell users to replace the legitimate dynamic library techsys.dll with the one shipped in the activator. "Clean" versions of HPDxLIB use the same approach.

In the build distributed by the cybercriminals, however, the legitimate 1cv8.exe process loads the malicious techsys.dll when the patched business software starts, and the library in turn launches the stealer.

“Attackers do not exploit vulnerabilities and do not exploit the corporate software itself in any way — they only abuse the victim’s credulity”, reads the report.

The RedLine stealer is distributed under the Malware-as-a-Service (MaaS) model: the malware's developers let customers either buy a one-time build or subscribe to the stealer.

The RedLine family specializes in harvesting confidential data from the compromised system, including browser data, instant-messaging data, and information about the host and its users, and exfiltrating it to a designated C&C server.

The attackers behind this campaign are clearly after Russian-speaking business owners who automate their business processes with this software. Targeting companies rather than individual users is unusual for a RedLine campaign.

The campaign also shows how untrustworthy pirated software and activators are: the "installation" steps amount to disabling protection and trusting an unsigned binary. Businesses should avoid unlicensed software altogether.

IoCs (file hashes are MD5)

SFX Archives

5579ca3bc1820615b0af1759d1b78520
4909f24b7221e87b0c903d5b37d69dce
d63579ea9ec4bd2ab01a60d0ce2d2722
1e0063b86665b824f5122b916733b190
91c9aa2291bf147cad94ef73efcb7815
a93d65a55842138faf6516edf1e0c9df

techsys.dll

3460e0257c0bd662e51e8dfdefbbcb56
4bf35488cc7edeec65e9f6f2b5c155cc
c4450d22c842554d10c0ef6c925e2cbe
20f036d7ede6ba59b5cb16a3a81f337c
ce11dfcf2c1817e5911b58e24af316d6
31538e09545f89a26881d9b6158685fe
777fa58b02126c420252a60d4716635f

hpdx.dll

c0dd226564fa98684d10ce5a9f4fb8dd
cbdaa5e11c2522fbbef57acc83014dc6
917af383b32586ba1a8ecb2058f17887

RedLine Payload

e0057ae14461e3b8a78e37ec22be695a
2a81e1ce4db9f25577a86744be60a853

C&C

213.21.220[.]222:8080
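To put the indicators above to use, here is an added example (not code from the article or from Kaspersky) of an offline triage script: it hashes any techsys.dll or hpdx.dll it finds and checks the MD5 against the list above, inspects the PE header to tell a .NET build (the trojanized activator) from the legitimate native C++ library and to note whether an Authenticode blob is present, and matches constructed connection-log lines against the C&C endpoint. The log format, the constructed sample lines and the minimal PE header used to exercise the parser are assumptions of this example; the file names, hashes and C&C address come from the article.

```python
"""Offline triage helper for the HPDxLIB/RedLine indicators listed in the article.

Added example, not part of the Kaspersky report or the original article.
Assumptions: the log format, the constructed sample log lines and the minimal
PE header built below are ours; file names, hashes and C&C are from the article.
"""
import hashlib
import re
import struct
from pathlib import Path

# MD5 hashes of the techsys.dll, hpdx.dll and RedLine payload samples listed above.
IOC_MD5 = {
    "3460e0257c0bd662e51e8dfdefbbcb56", "4bf35488cc7edeec65e9f6f2b5c155cc",  # techsys.dll
    "c4450d22c842554d10c0ef6c925e2cbe", "20f036d7ede6ba59b5cb16a3a81f337c",
    "ce11dfcf2c1817e5911b58e24af316d6", "31538e09545f89a26881d9b6158685fe",
    "777fa58b02126c420252a60d4716635f",
    "c0dd226564fa98684d10ce5a9f4fb8dd", "cbdaa5e11c2522fbbef57acc83014dc6",  # hpdx.dll
    "917af383b32586ba1a8ecb2058f17887",
    "e0057ae14461e3b8a78e37ec22be695a", "2a81e1ce4db9f25577a86744be60a853",  # RedLine payload
}
C2_ENDPOINT = ("213.21.220.222", 8080)
WATCHED_NAMES = {"techsys.dll", "hpdx.dll"}


def pe_data_directory(data: bytes, index: int):
    """Return (rva, size) of data-directory entry `index`, or None if `data` is not a PE
    or lacks that entry. Only headers are parsed; nothing is executed."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 24                      # 4-byte signature + 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                       # PE32
            count_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:                     # PE32+
            count_off, dirs_off = opt + 108, opt + 112
        else:
            return None
        if index >= struct.unpack_from("<I", data, count_off)[0]:
            return None
        return struct.unpack_from("<II", data, dirs_off + 8 * index)
    except struct.error:
        return None


def is_dotnet_pe(data: bytes) -> bool:
    """A non-empty CLR runtime header (directory entry 14) marks a .NET assembly;
    the legitimate native C++ techsys.dll has none."""
    entry = pe_data_directory(data, 14)
    return entry is not None and entry[0] != 0 and entry[1] != 0


def has_authenticode_blob(data: bytes) -> bool:
    """Directory entry 4 (certificate table) is non-empty when a signature is embedded.
    Presence says nothing about whether the certificate is trusted or self-signed."""
    entry = pe_data_directory(data, 4)
    return entry is not None and entry[1] != 0


def assess_file(name: str, data: bytes) -> dict:
    """Combine hash match and header heuristics into one verdict for a file."""
    digest = hashlib.md5(data).hexdigest()
    dotnet = is_dotnet_pe(data)
    return {
        "name": name, "md5": digest, "ioc_match": digest in IOC_MD5,
        "dotnet": dotnet, "signed_blob": has_authenticode_blob(data),
        # A .NET build of one of the watched libraries is suspicious even without a hash hit.
        "suspicious": digest in IOC_MD5 or (name.lower() in WATCHED_NAMES and dotnet),
    }


def scan_tree(root) -> list:
    """Walk `root` and assess every file named techsys.dll or hpdx.dll."""
    return [assess_file(p.name, p.read_bytes())
            for p in Path(root).rglob("*") if p.is_file() and p.name.lower() in WATCHED_NAMES]


# Assumed log format: "<timestamp> <process> <src ip:port> -> <dst ip>:<dst port>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<proc>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
SAMPLE_NETLOG = [  # constructed sample lines, not real telemetry
    "2024-05-12T10:01:02Z 1cv8.exe 10.0.0.5:51234 -> 213.21.220.222:8080",
    "2024-05-12T10:01:09Z chrome.exe 10.0.0.5:51240 -> 142.250.74.14:443",
]


def find_c2_connections(lines) -> list:
    """Return (timestamp, process) for every line whose destination is the RedLine C&C."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (m["dst"], int(m["dport"])) == C2_ENDPOINT:
            hits.append((m["ts"], m["proc"]))
    return hits


def build_minimal_pe(dotnet: bool) -> bytes:
    """Constructed PE32 header with no code, used only to exercise the parser offline."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96 + 128, 0x2102)
    opt = bytearray(96 + 128)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * 14, 0x2008, 0x48)  # CLR header rva/size
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    print(assess_file("techsys.dll", build_minimal_pe(True)))
    print(find_c2_connections(SAMPLE_NETLOG))
```

Run `scan_tree(r"C:\Program Files")` (or the installation directory of the business software) on a host that used the activator; a techsys.dll that is flagged as .NET or whose MD5 matches the list is the trojanized library, and any process connecting to 213.21.220[.]222:8080 should be treated as compromised. The header checks are heuristics that complement the hash list for builds not yet in it; they do not replace a real Authenticode verification.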


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.