2023-03-02 (Thursday) - #RigEK pushes loader that retrieves #RedlineStealer malware. #pcap, malware/artifacts, and IOCs available at https://www.malware-traffic-analysis.net/2023/03/02/index.html
Also posted at: https://twitter.com/malware_traffic/status/1621728889486671873
2023-02-03 (Friday) - DEV-0569 activity: Google ad fake CPUID page --> "FakeBat" Loader --> Redline Stealer & Gozi/ISFB/Ursnif
IOCs, pcap of the infection, and associated malware/artifacts available at: https://malware-traffic-analysis.net/2023/02/03/index.html
Tags: #DEV0569 #FakeBat #Gozi #ISFB #Malware #pcap #Redline #RedlineStealer #Ursnif
Hopefully, recent blogs about all these malicious Google ads will force Google to change something. But I have a feeling Google will keep on being Google.
#dev0569 #fakebat #gozi #isfb #malware #pcap #redline #RedLineStealer #ursnif
Looks like the #RedLine #infostealer has gotten in on the #OneNote action, using it to deliver a malicious .bat file that kicks off a PowerShell stager script:
https://twitter.com/Unit42_Intel/status/1620090792088932352
Original Tweet Content:
A new method for delivering #RedLineStealer via #OneNote attachments was observed (e03d1dc90b981455ff453c996a919848074c6e735719148eeb8e1185935c28b3). Extracted C2 configuration: {"C2 url": ["172.245.45.213:3235"], "Bot Id": "Skijay2"}
We've published an article on how OneNote works as a maldoc format, and provide a few tips and tools to help in analysis: https://opalsec.substack.com/p/onenote-emerges-as-the-latest-maldoc
#redline #infostealer #onenote #RedLineStealer #malware #infosec
Picking back up #100DaysOfYara with Day 1️⃣6️⃣- Fake installers archives with adobe AfterFX
🔗 https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/016/016.md
Recently @rmceoin shared details about a #RedLineStealer malvertising campaign using fake installers:
📖 https://infosec.exchange/@rmceoin/109763719160050309
Today's yara rule looks for these archives by detecting on the packaged legit adobe file, `AfterFXLib.dll`. Some of the #malware themes found were:
📍 LastPass
📍 OnionBrowser
📍 Rufus
📍 Notepad++
#100DaysofYARA #RedLineStealer #malware
Has anyone seen #RedLineStealer compromise #macs, either directly or through Chrome plugins?
What would connections to Redline C2 IPs from Google Chrome Helper or com.apple.WebKit.Networking mean?
I have only found a few articles on Macs impacted by Redline, so I don't know if it is a thing yet.
#RedLineStealer #macs #threatintel #malware
Cluster of #C2 servers hosted by #PartnerLLC on 77.73.133[.]0/24 ☢️
Includes:
- #Lilith bot 🤖
- #RaccoonStealer 🕵️♂️
- #CobaltStrike - especially active at 77.73.133[.]20, 77.73.133[.]93, 77.73.133[.]120
- #RedLineStealer 🕵️
I’m working to rebuild my automated C2 tracking over on https://abjuri5t.github.io/SarlackLab/. Figured I’d start sharing some of the data I have gathered with the community.
As per @pixelnull‘s suggestion, I’m tagging this with #IOC for threat intel visibility
#c2 #partnerllc #lilith #raccoonstealer #cobaltstrike #RedLineStealer #ioc
#RIGEK using CVE-2021-26411 to drop #RedLineStealer
adsgoandway[.]xyz
45.138.26[.]85
5e3cb42e4207ab074e2d8564867cf94fb3f414d414ebc055d9c784a462dc150e
#RedLineStealer drop via #bitbucket
Initial OLE: https://twitter.com/InQuest/status/1593245330882953219
Final payload:
7735fa649a6443d05bcac59678d03556 *ddd.exe
So I went on a hunt and ran into #RedlineStealer #malware. I had to set up some analysis, but eventually ended up running it and watching it phone home to a known server. #infosec #hunter #LegendarySaiyanHacker
#RedLineStealer #malware #infosec #hunter #legendarysaiyanhacker
So #mastodon is serving #VidarStealer and #RedLineStealer links
#mastodon #VidarStealer #RedLineStealer
📬 Windows 11 download turned out to be password-stealing malware #Hacking #Malware #Discord #HP #Microsoft #PatrickSchläpfer #RedLineStealer #Windows11 https://tarnkappe.info/artikel/malware/windows-11-download-entpuppte-sich-als-passwortstehlende-malware-213467.html
#windows11 #RedLineStealer #PatrickSchläpfer #microsoft #hp #discord #malware #hacking