Cybersecurity Consulting
January 07, 2022
The RedLine malware is responsible for the breach of 441,000 unique email addresses, usernames, and plain-text passwords in December 2021.
RedLine was first identified in March 2020 and has been available for purchase on underground markets ever since. This malware has been used repeatedly by cybercriminals to steal information including browser credentials, cookies, and system information.
RedLine is a Trojan horse that is distributed via Excel XLL add-in files. Once installed, the malware searches the user's computer for information stored in web browsers.
These browsers are:
RedLine is sold through the messaging app Telegram, where users can buy a subscription to the malware with Bitcoin, Ethereum, XMR, LTC, or USDT for as little as $100 ($200 for the "Pro" version).
The creators of RedLine specify exactly what it will collect for its subscribers:
Malware that is offered to users on a subscription basis, so-called "malware-as-a-service" (MaaS), is an increasingly common means through which bad actors are distributing software for the purposes of cybercrime.
These types of malware have become particularly popular on the underground dark web—they are ready-to-use right out of the box and provide a powerful means for stealing data.
RedLine is almost always distributed via email through social engineering campaigns.
Emails of this kind attempt to persuade the user to follow a link that takes them to a malicious website.
These emails will typically be based on something like current events—often the COVID pandemic or some other event that will be applicable to a large number of people.
The goal is to use whatever dirty trick necessary to fool the user into clicking the link—all it takes is one click and they're in.
Once the user has landed on the website, they will often be greeted with a very convincing, supposedly legitimate website that in turn links to an XLL file hosted on Google Drive.
Once the user has downloaded this file, the malware is installed and RedLine will begin stealing data and feeding it back to the attacker.
The end goal of a cybercriminal attempting a RedLine scam is to have the target user download an XLL file.
XLL files, denoted by the file extension ".xll", are used by Microsoft Excel principally to allow third-party applications to add more functionality to Excel.
One such functionality that can be added through an XLL file is the ability to import data from other sources, such as browsers, which is how RedLine steals information from users who unwittingly download it.
XLL files are used extensively by hackers in their malware campaigns; any user who receives an invitation to download such a file from an unknown source should delete the email immediately and, if working on a business network, report it to their internal IT team.
We encourage all end users to visit the website haveibeenpwned.com, a website project created by cybersecurity pro Troy Hunt which allows users to determine whether they've been involved in a breach.
Users can enter their email address into the website and find out instantly whether they are one of the 441,000 accounts that were compromised in December 2021.
At DOT Security, we recommend that all businesses take threats like RedLine seriously and consider implementing the right standards to help prevent employees from becoming victims of phishing campaigns that can lead to exploitation through malware like this.
For malicious software like RedLine to work, bad actors rely entirely on tricking unaware end users into visiting their websites and downloading malware files.
Using security awareness training is a key step in ensuring safety from bad actors. Cybercriminals operate on a law-of-averages approach, meaning they know that if they send a certain number of phishing emails, they can expect a minimum number of end users to fall victim to them.
The key for organizations in this regard is ensuring that it's not them who are victims, and this is done through cybersecurity awareness training.
Multifactor authentication (MFA) requires users to log on to a system with at least two forms of identification.
These are typically a password plus some other form of authentication, such as a code sent via text message or a fingerprint.
Using MFA greatly limits the usefulness of stolen credentials and in many cases will stop a cybercriminal in their tracks, even if they have a plain-text password at hand.
End users should always be encouraged to use strong passwords, which should be enforced through a password policy established by the network administrators.
Having a strong password policy is a good habit to get into and makes it that much harder for cybercriminals to compromise a network.
Email filters are essential in preventing the mass of phishing attacks that occur every day. These filters can recognize incoming emails that contain malware or malicious URLs and will isolate them so that users cannot open them as though they were normal messages.
This prevents data breaches by acting as another hurdle cybercriminals have to overcome before getting their message to the targeted end user.
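As an added illustration (not code from the original post or from DOT Security), the following Python sketch shows the kind of check an inbound mail filter applies to the lure described above: it parses a constructed sample message, flags attachments that carry an Excel add-in extension or start with a PE (MZ) header, and flags links to file-sharing hosts. The blocked-extension set and the host list are assumptions standing in for an organization's own policy.

```python
import email
import re
from email import policy

# Constructed sample message (not a real phishing email): a current-events lure
# with a file-sharing link and an attached Excel add-in disguised as a spreadsheet.
SAMPLE_EML = """From: sender@example.invalid
To: user@example.invalid
Subject: COVID relief payments - updated spreadsheet
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached sheet or download it here:
https://drive.google.com/file/d/PLACEHOLDER_ID/view
--b1
Content-Type: application/octet-stream; name="relief_list.xlsx.xll"
Content-Disposition: attachment; filename="relief_list.xlsx.xll"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Assumed policy values: Excel add-in formats blocked inbound, and hosts to flag.
BLOCKED_EXTENSIONS = {".xll", ".xla", ".xlam"}
SHARING_HOSTS = {"drive.google.com"}
URL_RE = re.compile(r"https?://([^/\s]+)\S*")


def inspect_message(raw: str) -> list[str]:
    """Return the reasons a message should be quarantined (empty list = deliver)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            name = filename.lower()
            # Test the final extension so "report.xlsx.xll" is still caught.
            if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
                reasons.append(f"blocked attachment extension: {filename}")
            payload = part.get_payload(decode=True) or b""
            # XLL add-ins are native DLLs: an MZ header under a spreadsheet-looking
            # name is a strong signal whatever the extension claims.
            if payload.startswith(b"MZ"):
                reasons.append(f"attachment is a PE executable: {filename}")
        elif part.get_content_type() == "text/plain":
            for m in URL_RE.finditer(part.get_content()):
                host = m.group(1).lower()
                if host in SHARING_HOSTS:
                    reasons.append(f"link to file-sharing host: {host}")
    return reasons
```

A real filter would combine these signals with reputation and sandbox verdicts; the point here is that the double extension and the executable header are both caught even though the attachment is named like a spreadsheet.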
Modern endpoint protection solutions can identify unusual behavior—such as the presence of files and applications that should not be there—on user endpoints, meaning malware can be quickly identified and removed as soon as a threat becomes apparent.
If a business lacks endpoint protection for their employees' devices, they should strongly consider implementing such a solution in order to effectively monitor devices and ensure they are not compromised.
RedLine is a form of malware that is offered on a subscription basis to cybercriminals.
It is dangerous, readily available, and easy-to-use—businesses should be aware of the dangers that malware like this can pose and recognize the danger of modern phishing attacks.
Organizations are encouraged to assess their cybersecurity profile and determine whether they have the necessary solutions and know-how among their employees to make sure they do not fall victim to RedLine attacks.
If you are concerned about your cybersecurity profile and your ability to prevent attacks like RedLine, contact us and consider what a DOT Security risk assessment and program can do for you.