An ongoing RedLine info-stealer campaign targets Russian-speaking entrepreneurs who run unlicensed copies of corporate business-process automation software.
The attackers distribute a trojanised build of the HPDxLIB activator, a tool used to bypass licensing on that software, with a RedLine stealer concealed inside it in an unusual way.
Reports indicate that the campaign started in January 2024 and, as of this writing, still poses a threat to users of unlicensed software.
“Users of unlicensed copies of corporate software for automating business processes faced an attack during which attackers distributed malicious activators on accounting forums”, Kaspersky reports.
“The discovered samples were versions of the well-known HPDxLIB activator, which contained a RedLine stealer hidden in a very unusual way: the activator library was obfuscated with the .NET Reactor, and the malicious code was compressed and encrypted into several layers.”
RedLine Information Stealer Weaponizes Pirated Corporate Software
Researchers note that the malicious HPDxLIB activator is built in .NET and signed with a self-signed certificate, whereas the legitimate version is written in C++ and carries a valid certificate.
Cybercriminals post links to the malicious activators on forums for accountants and business owners.
In those posts they describe in detail how to bypass the license check, with an emphasis on keeping the software updated, while saying nothing about the malicious payload.
Once security products began detecting the build, some forums started warning users that the HPDxLIB build might contain RedLine Stealer.
Nevertheless, researchers say, the instructions still tell users to disable security software and add the activator's files to exclusions; without this, even a pirated activator will not work.
The instructions for the malicious sample tell users to replace the legitimate dynamic library techsys.dll with the one shipped in the activator. "Clean" versions of HPDxLIB use the same approach.
In the build supplied by the cybercriminals, however, the legitimate 1cv8.exe process loads the malicious library, which launches the stealer as soon as the patched business software starts.
“Attackers do not exploit vulnerabilities and do not exploit the corporate software itself in any way — they only abuse the victim’s credulity”, reads the report.
RedLine is distributed under the Malware-as-a-Service (MaaS) model: its developers sell either a one-time build or a subscription to the stealer.
The RedLine family specialises in harvesting confidential data (saved browser data, instant-messaging data, and information about the compromised system and its users) and sending it to a designated C&C server.
The attackers behind this campaign are clearly after Russian-speaking business owners who automate business processes with this software. Targeting companies rather than individual users is what makes the campaign stand out.
The campaign also shows, once again, how untrustworthy pirated software and activators are; businesses should avoid pirated software altogether.
IoCs
SFX Archives
5579ca3bc1820615b0af1759d1b78520
4909f24b7221e87b0c903d5b37d69dce
d63579ea9ec4bd2ab01a60d0ce2d2722
1e0063b86665b824f5122b916733b190
91c9aa2291bf147cad94ef73efcb7815
a93d65a55842138faf6516edf1e0c9df
techsys.dll
3460e0257c0bd662e51e8dfdefbbcb56
4bf35488cc7edeec65e9f6f2b5c155cc
c4450d22c842554d10c0ef6c925e2cbe
20f036d7ede6ba59b5cb16a3a81f337c
ce11dfcf2c1817e5911b58e24af316d6
31538e09545f89a26881d9b6158685fe
777fa58b02126c420252a60d4716635f
hpdx.dll
c0dd226564fa98684d10ce5a9f4fb8dd
cbdaa5e11c2522fbbef57acc83014dc6
917af383b32586ba1a8ecb2058f17887
RedLine Payload
e0057ae14461e3b8a78e37ec22be695a
2a81e1ce4db9f25577a86744be60a853
C&C
213.21.220[.]222:8080
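As an added example (not Kaspersky's code and not anything taken from the forums), the script below turns the IoC list above and the two structural tells from the report (techsys.dll swapped in and loaded by 1cv8.exe; a .NET build where the clean activator is native C++) into an offline triage check. The hashes and C&C address are the ones listed above; the directory you point it at is yours, and the PE bytes used for its self-test are constructed here and are not real malware.

```python
"""Added example (not Kaspersky's or the forum's code): offline triage helper
for the trojanised HPDxLIB build. It (1) matches file MD5s against the IoCs
listed above and (2) flags a techsys.dll that carries a CLR (.NET) header,
since the report says the clean activator is native C++ and the malicious one
is .NET. The install directory is an assumption you supply; the PE bytes used
for self-testing are constructed below and are not real malware."""
import hashlib
import os
import struct
from typing import Dict, List

# MD5s copied verbatim from the IoC section above.
IOC_MD5: Dict[str, str] = {
    # SFX archives
    "5579ca3bc1820615b0af1759d1b78520": "sfx_archive",
    "4909f24b7221e87b0c903d5b37d69dce": "sfx_archive",
    "d63579ea9ec4bd2ab01a60d0ce2d2722": "sfx_archive",
    "1e0063b86665b824f5122b916733b190": "sfx_archive",
    "91c9aa2291bf147cad94ef73efcb7815": "sfx_archive",
    "a93d65a55842138faf6516edf1e0c9df": "sfx_archive",
    # techsys.dll
    "3460e0257c0bd662e51e8dfdefbbcb56": "techsys.dll",
    "4bf35488cc7edeec65e9f6f2b5c155cc": "techsys.dll",
    "c4450d22c842554d10c0ef6c925e2cbe": "techsys.dll",
    "20f036d7ede6ba59b5cb16a3a81f337c": "techsys.dll",
    "ce11dfcf2c1817e5911b58e24af316d6": "techsys.dll",
    "31538e09545f89a26881d9b6158685fe": "techsys.dll",
    "777fa58b02126c420252a60d4716635f": "techsys.dll",
    # hpdx.dll
    "c0dd226564fa98684d10ce5a9f4fb8dd": "hpdx.dll",
    "cbdaa5e11c2522fbbef57acc83014dc6": "hpdx.dll",
    "917af383b32586ba1a8ecb2058f17887": "hpdx.dll",
    # RedLine payload
    "e0057ae14461e3b8a78e37ec22be695a": "redline_payload",
    "2a81e1ce4db9f25577a86744be60a853": "redline_payload",
}
C2 = "213.21.220.222:8080"  # C&C from the IoC section; search proxy/firewall logs for it


def is_dotnet_pe(data: bytes) -> bool:
    """True if the PE's data directory 14 (CLR runtime header) is populated.
    Native C++ images leave it zeroed; managed (.NET) images fill it in."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                              # skip signature + COFF header
    if len(data) < opt + 2:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)  # PE32 / PE32+ directory table
    if dirs is None or len(data) < dirs + 15 * 8:
        return False
    if struct.unpack_from("<I", data, dirs - 4)[0] <= 14:  # NumberOfRvaAndSizes
        return False
    rva, size = struct.unpack_from("<II", data, dirs + 14 * 8)
    return rva != 0 and size != 0


def classify(path: str, data: bytes) -> List[str]:
    """Findings for one file: an IoC hash hit and/or a managed techsys.dll."""
    findings: List[str] = []
    digest = hashlib.md5(data).hexdigest()
    if digest in IOC_MD5:
        findings.append(f"md5 matches IoC ({IOC_MD5[digest]}): {digest}")
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name == "techsys.dll" and is_dotnet_pe(data):
        findings.append("techsys.dll is a .NET image; the clean build is native C++")
    return findings


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk an install tree (e.g. the 1C program directory) and collect findings."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    found = classify(full, fh.read())
            except OSError:
                continue
            if found:
                hits[full] = found
    return hits


def build_minimal_pe(dotnet: bool) -> bytes:
    """Constructed fixture: a headers-only PE32 with the CLR directory set or
    cleared. Not a runnable binary; used only to exercise is_dotnet_pe()."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)   # i386 DLL, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)      # CLR header RVA/size
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path, found in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", "; ".join(found))
```

Point it at the 1C installation directory. The certificate tell from the report (self-signed versus valid) is not checked here because it needs the Windows trust store; on the host itself, `Get-AuthenticodeSignature` run against techsys.dll answers that question. The `C2` string is what to search for in proxy and firewall logs.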