[TheRecord] RedLine Stealer identified as primary source of stolen credentials on two dark web markets

The vast majority of stolen credentials currently sold on two dark web underground markets have been collected using the RedLine Stealer malware, Insikt Group, the cybersecurity research arm of Recorded Future, has discovered.

First spotted in March 2020, RedLine Stealer belongs to the infostealer family: malware whose primary purpose, once it infects a computer, is to collect as much user data as possible and send it to the attackers, who typically put it up for sale online.

RedLine Stealer's data collection capabilities include extracting login credentials from web browsers, FTP clients, email apps, instant messaging clients, and VPNs.

In addition, RedLine can also extract authentication cookies and card numbers stored inside browsers, chat logs, local files, and cryptocurrency wallet databases.

Initially developed by a programmer named REDGlade, the malware has been sold on several underground hacking forums since March 2020. After the stealer received positive reviews in a hacking forum thread, pirated versions of the RedLine Stealer were also released on hacking forums a few months later, in August this year, allowing it to spread to even more threat actors who didn’t have to pay for it.

Image: Recorded Future

But even prior to the release of the cracked version, RedLine had undeniably found a loyal customer base. According to an Insikt Group report published last week, the vast majority of stolen credentials that are being offered for sale on two underground markets originate from systems that were infected with the RedLine Stealer.

“Both Amigos Market and Russian Market were identified by Insikt Group (June 2021) posting identical listings regularly that contained the same timestamps, infostealer variants used, geographical locations of affected machines, and ISPs,” Insikt Researchers said.

Image: Recorded Future

The Insikt team’s findings come after a similar report from threat intelligence firm KELA from February 2020, which found that around 90% of stolen credentials sold on the Genesis Market came from infections with the AZORult infostealer.

The two reports show that underground cybercrime markets are fragmented and typically work with their own separate suppliers, similar to how legitimate markets have their own preferences for certain business partners.

This fragmentation opens the door to crippling the supply of several underground markets by going after the makers and sellers of these infostealers.

The perfect example of what this disruption could achieve came in February 2020 when a Chrome update (that changed how credentials were stored inside the browser) stopped the flow of new stolen credentials on Genesis Market for months until the AZORult stealer was updated to handle the new format.

The post RedLine Stealer identified as primary source of stolen credentials on two dark web markets appeared first on The Record by Recorded Future.
