The RedLine Stealer

1 min read

How Critical Insight stopped a new kind of malware for a healthcare organization. 

An organization focused on education stopped the spread of malware in their organization with help from Critical Insight. The Critical Insight SOC processed multiple alerts at 6:30a.m. for suspicious activities. When an analyst investigated, he found the “RedLine Stealer” Trojan active on the network.

The analyst found the malware was attempting to make outbound connections to East Africa. RedLine Stealer is designed to steal information such as cached browser data, logins, passwords, cookies (user site credentials), as well as credit card information. It is also used to take information from the victim’s computer such as IP, country, city, current username, keyboard layout, operating system, etc. Items like IP, country, city and keyboard layout make the other information taken more valuable on the dark web for sale to people targeting by location or language. Once the information is stolen, it can be sold from criminal to criminal and leveraged to steal money, secrets, or insert ransomware.

Of course, as soon as the SOC notified the victim organization, Critical Insight and the organization’s IT team worked together on remediation. The victim isolated and rebuilt the impacted computer. The SOC did a deep investigation to determine whether the Trojan had spread beyond the single computer, but because the SOC had caught the malware so quickly, the Trojan had not spread.

While it’s unclear exactly how RedLine Stealer ended up on the network, there are multiple reports of criminals using “Windows 11 Download” sites and ads to trick victims. HP researchers found a malicious actor who registered windows-upgraded[.]com to trick people and get them to download RedLine Stealer. And Fortinet researchers found RedLine Stealer disguised as Covid phishing bait in a file called “Omicron Stats.exe.”

“Since malware like RedLine Stealer is built to evade standard cybersecurity software, only organizations with comprehensive cybersecurity defenses that include a 24x7 SOC can quickly catch malware like this,” said Critical Insight CTO Mike Simon.

The good news is that the SOC caught the criminals before they did damage.