Briefing Malware
BLOG CERT SOGETI ESEC

Briefing Malware - 17/05/2022

17th of May 2022 - Winners of the 20th week: RedLine, FormBook and NjRAT.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Anomali Threat Intelligence Platform. This access is limited to our clients.


Threat statistics report

Publication date: 17/05/2022

Distribution: TLP:WHITE

What's new?

Redline (NC)

RedLine Stealer Campaign Using Binance Mystery Box Videos to Spread GitHub-Hosted Payload

During April 2022, Netskope Threat Labs identified several campaigns that used YouTube tutorials to infect viewers with #RedLine, a stealer used for #data harvesting and #exfiltration as well as #remote control.

These tutorials target a very specific audience by advertising a fake bot for buying #Binance NFT Mystery Boxes.

A link to a #Github repository in the video description leads victims to download the malicious files, packaged with a README and a setup file posing as the #Microsoft Visual C++ Redistributable.

Executing that file decrypts a first stage of RedLine Stealer and loads it into another process. The first stage delays its execution to evade sandboxes, then decrypts the next stage with a simple rolling XOR algorithm. It also decrypts and runs a shellcode, and finally injects the payload into a "RegSvcs.exe" process (a legitimate .NET Framework utility, which is why the injected code blends in with normal system activity).
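As an added illustration of the "rolling XOR" step (this is example code written for this briefing, not Netskope's analysis tooling nor the loader's own routine), the block below recovers a repeating-key XOR key from an encrypted stage and decrypts it. It assumes that "rolling XOR" means a multi-byte key cycled over the data, and that the decrypted stage is a PE file whose header is mostly zero bytes, starts with "MZ" and carries the standard DOS stub text; the page does not confirm the stage format, so the sample blob, the key `SAMPLE_KEY` and the helper names are constructed for the demo.

```python
"""
Added example, not code from the page: recover a repeating-key XOR
("rolling XOR", assumed to mean a multi-byte key cycled over the data)
from an encrypted stage whose plaintext is assumed to be a PE header.
"""
from collections import Counter
from itertools import cycle
from typing import Optional

# Known plaintext from the standard DOS stub of MSVC/csc-linked PE files,
# used to validate a candidate key.
DOS_STUB = b"This program cannot be run in DOS mode."

# Constructed key for the demo; not a key observed in the campaign.
SAMPLE_KEY = b"\x5a\x13\xc7\x08\x99"


def xor_rolling(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt by XORing each byte with the key repeated over the data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, max_key_len: int = 32, header_len: int = 512) -> Optional[bytes]:
    """Guess key length and key bytes from the encrypted header alone.

    Assumption: the plaintext header is dominated by 0x00 bytes, so for the
    correct key length the most frequent ciphertext byte at each key position
    is the key byte itself (0x00 ^ k == k). Every candidate is validated
    against the 'MZ' magic and the DOS stub string; the smallest length that
    validates is returned (its multiples would validate too).
    """
    sample = blob[:header_len]
    for key_len in range(1, min(max_key_len, len(sample)) + 1):
        key = bytes(Counter(sample[j::key_len]).most_common(1)[0][0] for j in range(key_len))
        plain = xor_rolling(sample, key)
        if plain.startswith(b"MZ") and DOS_STUB in plain:
            return key
    return None


def decrypt_stage(blob: bytes) -> bytes:
    """Recover the key and return the decrypted stage, or raise if no key fits."""
    key = recover_key(blob)
    if key is None:
        raise ValueError("no repeating XOR key found; the scheme may not be a plain rolling XOR")
    return xor_rolling(blob, key)


def build_sample_stage() -> bytes:
    """Constructed stand-in for an encrypted next stage (not a real binary):
    a zero-padded MZ header with e_lfanew, the standard DOS stub, a PE
    signature and a section name, encrypted under SAMPLE_KEY."""
    hdr = bytearray(320)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> PE header at 0x80
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21!" + DOS_STUB + b"\r\r\n$"
    hdr[0x40:0x40 + len(stub)] = stub
    hdr[0x80:0x84] = b"PE\x00\x00"
    hdr[0x100:0x108] = b".text\x00\x00\x00"
    return xor_rolling(bytes(hdr), SAMPLE_KEY)


if __name__ == "__main__":
    encrypted = build_sample_stage()
    print("recovered key:", recover_key(encrypted).hex())
    print("decrypted header starts with:", decrypt_stage(encrypted)[:2])
```

The null-byte heuristic only works on zero-heavy plaintext such as a PE header; if a loader packs or compresses the stage before XORing it, `recover_key` returns `None` rather than a wrong key, which is the signal to look for a different scheme.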

The malware also compares the OS region against a #blocklist of countries, mostly Commonwealth of Independent States (CIS) members, and exits on a match.

Inspecting the repositories of the linked GitHub account, Netskope found five distinct RedLine loaders, two of them digitally signed, all posing as some kind of bot. A valid code signature is therefore no evidence of legitimacy for these files.

https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload

