Briefing Malware
BLOG CERT SOGETI ESEC

Briefing Malware - 02/05/2022

2nd of May 2022 - Winners of week 18: NjRAT, RedLine and AgentTesla.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. This access is limited to our clients.


Threat statistics report

Publication date: 02/05/2022

Distribution: TLP:WHITE

What's new?

RedLine (NC)

RedLine Stealer Resurfaces in Fresh RIG Exploit Kit Campaign

#RedLine is a popular #stealer malware, cheap but powerful, able to steal a wide range of information, from crypto wallets to emails or VPN credentials. This diversity of stolen data makes it attractive to operators for monetization. #Bitdefender detected more than 10 000 RedLine attacks in April 2022. Additionally, the vendor identified a campaign at the start of the year using exploits for #CVE-2021-26411 in #Internet Explorer (triggered when viewing a specially crafted website) that are part of the #RIG Exploit Kit, which is used to deliver the stealer. Once the exploit kit runs successfully, it drops a #JScript file in the temporary folder and executes it with wscript.exe; the script downloads the payload and decrypts it with the #RC4 key passed as a command-line parameter.

#Recorded Future estimated that the vast majority of stolen credentials currently sold on two dark web underground markets were collected using the RedLine Stealer malware.

Even though #Microsoft strongly advises against using Internet Explorer, the browser is still widely used in industry for operational reasons, so it is important to keep it updated. It is also worth noting that IE support ends in June 2022 and that it will stop receiving security patches in 2023.
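As an added illustration (not part of this briefing or of Bitdefender's report), the Python below scans constructed process-creation records for the delivery stage described above: a Windows script host launching a JScript file from a temp folder with extra command-line arguments. Field names follow Sysmon Event ID 1; the sample events, user names and paths are made up.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events ("key=value|key=value", Sysmon Event ID 1
# fields); they are not telemetry from the Bitdefender report.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Internet Explorer\iexplore.exe|Image=C:\Windows\System32\wscript.exe"
    r"|CommandLine=wscript.exe C:\Users\bob\AppData\Local\Temp\a1b2.js 9f3c1d2e7b",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\wscript.exe"
    r"|CommandLine=wscript.exe C:\Scripts\logon.vbs",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe"
    r"|CommandLine=notepad.exe C:\Users\bob\AppData\Local\Temp\notes.txt",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_event(line):
    """Split one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_suspicious(event):
    """Flag a script host launching a JScript file from a temp folder with extra
    command-line arguments (the RIG stage passes its RC4 key that way)."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in SCRIPT_HOSTS:
        return False, ""
    # Tokenise the command line, keeping quoted paths together.
    tokens = re.findall(r'"[^"]*"|\S+', event.get("CommandLine", ""))
    script = tokens[1].strip('"').lower() if len(tokens) > 1 else ""
    extra_args = tokens[2:]
    in_temp = any(marker in script for marker in TEMP_MARKERS)
    if not (script.endswith(SCRIPT_EXTENSIONS) and in_temp and extra_args):
        return False, ""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    reason = (f"{image} ran {PureWindowsPath(script).name} from a temp folder "
              f"with {len(extra_args)} extra argument(s); parent={parent}")
    return True, reason


def scan(lines):
    """Return (command line, reason) for every event that matches."""
    hits = []
    for line in lines:
        event = parse_event(line)
        flagged, reason = is_suspicious(event)
        if flagged:
            hits.append((event["CommandLine"], reason))
    return hits
```

A browser parent such as iexplore.exe is reported in the reason string so an analyst can weight the alert; legitimate logon scripts outside temp folders do not match.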

https://www.bitdefender.com/blog/labs/redline-stealer-resurfaces-in-fresh-rig-exploit-kit-campaign/
