# Cloudilax

## New Exploit Kit Campaign Infects Victims' PCs With RedLine Stealer

A new campaign that leverages an exploit kit has been observed abusing an Internet Explorer flaw that was patched by Microsoft last year to deliver the RedLine Stealer trojan.

RedLine Stealer performs recon against the target system when executed (including username, hardware, browsers installed, anti-virus software). It then exfiltrates data, including passwords, crypto wallets, saved credit cards, and VPN logins, to a remote command and control server.

Most of the infections are located in Germany and Brazil, followed by the U.S., Canada, Egypt, China, and Poland, among others.

Exploit kits are comprehensive tools that bundle a collection of exploits for vulnerabilities in commonly used software; they profile a victim system for exploitable flaws and then deploy additional malware.

The primary method attackers use to distribute exploit kits, in this case the Rig Exploit Kit, is through compromised websites: when a victim visits one, the site serves the exploit code, which delivers the RedLine Stealer payload to carry out follow-on attacks.

The flaw in question is CVE-2021-26411, a memory corruption vulnerability impacting Internet Explorer that North Korea-linked threat actors have previously weaponized. Microsoft addressed it as part of its Patch Tuesday updates for March 2021.

The RedLine Stealer sample comes packed in multiple encryption layers to avoid detection, with the unpacking of the malware progressing through as many as six stages.

RedLine Stealer malware is sold on underground forums. It comes with features to exfiltrate cookies, passwords, and credit card data saved in browsers and crypto wallets, VPN login credentials, chat logs, and text from files, as instructed by commands received from a remote server.

This is not the only campaign that involves the distribution of RedLine Stealer. HP detailed a social engineering attack that used fake Windows 11 upgrade installers to trick Windows 10 users into downloading and executing the malware in February 2022.
