To Fill or AutoFill, Your Passwords are just a RedLine away from being stolen
Credits: Effectualness Endpoint

Let's start by asking you this question: should you save your passwords, banking details, addresses and other sensitive information in your web browser?

Your saved logins live in a SQLite database file in your browser profile on the endpoint. The passwords in it are encrypted, but with a key that any process running as the logged-in user can unwrap, so anything that runs as you holds the keys to your various kingdoms. Let's hope you have been good this Christmas and implemented 2FA / MFA, which puts a second barricade in the way of unauthorised access to your online accounts.
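As an added illustration (this is not code from the original article, and not RedLine's code), the following Python script builds a constructed Chromium-style "Login Data" file using a subset of the real `logins` table's columns, then reads it back exactly the way any process running in the logged-in user's context can. The sample rows, the helper names and the `demo()` function are this example's own assumptions. The only browser facts it relies on are the table layout and the two `password_value` encodings Chromium on Windows has used: a raw DPAPI blob in older builds, and a `v10`-prefixed AES-256-GCM blob whose key sits in the profile's `Local State` file, itself DPAPI-wrapped for the same user. Either way, malware running as you has everything it needs; the question is whether you want those rows to exist at all.

```python
"""Inventory what a Chromium-based browser keeps in its 'Login Data' store.

Added example, not code from the original article or from RedLine. It
builds a constructed 'Login Data' SQLite file with a subset of the
columns of Chromium's real 'logins' table, then reads it back the way
any process running as the logged-in user can: no elevation, no
browser cooperation needed.

Assumed (not stated in the article): the two password_value encodings
Chromium on Windows has used. Older builds store a raw DPAPI blob;
Chrome 80 and later store b"v10" + 12-byte nonce + AES-256-GCM
ciphertext + 16-byte tag, with the AES key in the profile's
'Local State' file, itself DPAPI-wrapped for the same user.
"""
import os
import shutil
import sqlite3
import tempfile

# A DPAPI blob begins with version DWORD 1 and the provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}, both little-endian.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Column subset of Chromium's logins table (the real table has more).
LOGINS_SCHEMA = """
CREATE TABLE logins (
    origin_url          VARCHAR NOT NULL,
    action_url          VARCHAR,
    username_value      VARCHAR,
    password_value      BLOB,
    date_created        INTEGER NOT NULL,
    date_last_used      INTEGER NOT NULL,
    blacklisted_by_user INTEGER NOT NULL
);
"""


def classify_blob(blob: bytes) -> str:
    """Say how a password_value is protected, from its leading bytes alone."""
    if not blob:
        return "empty"
    if blob.startswith(b"v10"):
        return "aes-gcm (key in Local State, DPAPI-wrapped for this user)"
    if blob.startswith(DPAPI_HEADER):
        return "dpapi (any process running as this user can unwrap it)"
    return "unknown"


def build_constructed_login_data(path: str) -> None:
    """Write a made-up Login Data file; every row here is constructed."""
    con = sqlite3.connect(path)
    con.executescript(LOGINS_SCHEMA)
    # Timestamps are WebKit-style microseconds since 1601 (values here are ~2022).
    rows = [
        ("https://bank.example/login", "https://bank.example/auth", "alice",
         b"v10" + os.urandom(12) + os.urandom(32) + os.urandom(16),
         13300000000000000, 13310000000000000, 0),
        ("https://mail.example/", "https://mail.example/login", "alice@example.com",
         DPAPI_HEADER + os.urandom(150),
         13200000000000000, 13200000000000000, 0),
        # "Never save for this site" entries carry no secret and are flagged.
        ("https://never-save.example/", "", "", b"",
         13200000000000000, 13200000000000000, 1),
    ]
    con.executemany("INSERT INTO logins VALUES (?,?,?,?,?,?,?)", rows)
    con.commit()
    con.close()


def inventory_login_data(path: str) -> list:
    """List (origin, username, protection) for every saved credential.

    Works on a copy: the live file is locked while the browser is open,
    and reading a copy also keeps the real profile untouched.
    """
    tmp = tempfile.NamedTemporaryFile(suffix=".db", delete=False)
    tmp.close()
    shutil.copyfile(path, tmp.name)
    try:
        con = sqlite3.connect(tmp.name)
        cur = con.execute(
            "SELECT origin_url, username_value, password_value FROM logins "
            "WHERE blacklisted_by_user = 0 ORDER BY rowid")
        result = [(url, user, classify_blob(pw)) for url, user, pw in cur]
        con.close()
    finally:
        os.unlink(tmp.name)
    return result


def demo() -> list:
    """Build the constructed store in a temp dir, inventory it, clean up."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "Login Data")
        build_constructed_login_data(path)
        return inventory_login_data(path)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for origin, user, protection in demo():
        print(f"{origin:32} {user:20} {protection}")
```

To audit a real profile, point `inventory_login_data()` at a copy of the browser's "Login Data" file (for Chrome on Windows, under `%LOCALAPPDATA%\Google\Chrome\User Data\Default`); it lists which origins have credentials saved and how they are wrapped, and never decrypts anything. Note that Gecko-based browsers such as Firefox keep their logins in a different layout (`logins.json` with the key material in `key4.db`), so this script covers Chromium only.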

Let's now dive into a piece of malware that has been raising eyebrows globally for its all-purpose malicious intent: the infamous RedLine Stealer. First, let us pause for a second to understand what is meant by "stealer" malware.

[Image] Credits: Attivo Networks - A SentinelOne Company

This definition is from Trend Micro: "A stealer is a Trojan that gathers information from a system. The most common form of stealers are those that gather logon information, like usernames and passwords, and then send the information to another system either via email or over a network. Other stealers, called keyloggers, log user keystrokes which may reveal sensitive information."

[Image] Credits: Effectualness Cyber Threat Team's Dark Web Discoveries

Did you know that hackers and their affiliates can buy this malware for about R2600 / $150 on dark web cyber-crime forums and deploy it with very little standing in their way?

Just to be clear: if you have watched any kind of malware testing, a proficient attacker never throws a plethora of malware samples, to the tune of 100+, at a target. They plan carefully to evade detection by static-signature sensors and by behavioural sensors that look for attacker tactics, techniques and procedures, trying to catch them in the act along the cyber kill chain while their malware masquerades as legitimate processes.

Technical Analytics on RedLine Stealer

And yes, attackers put certificates and signatures on their binaries to get past defences that stop at "is it signed?", as seen with a sample we recently tested:

  • Organisation: *.logical.net
  • Issuer: Sectigo RSA Domain Validation Secure Server CA
  • Algorithm: sha256WithRSAEncryption
  • Valid from: 2022-03-22T00:00:00Z
  • Valid to: 2023-04-21T23:59:59Z
  • Serial number: 77f770b563773846be8ca9bebcf35c29

A caveat worth pausing on: the issuer shown is Sectigo's Domain Validation Secure Server CA, which issues TLS server certificates, not code-signing certificates. A certificate with that profile carries no code-signing extended key usage, so a proper Authenticode check on Windows will not accept the signature as valid. What it defeats is tooling that only looks for the presence of a signature, and reviewers who see a familiar CA name and stop reading. When you vet a binary, check that the signature itself verifies, that the chain ends at a trusted root, that the signer is permitted to sign code, that the signing time falls inside the validity window, and that the subject is the one you expect for that software.

[Images: Intezer analysis screenshots] Credits: Effectualness Remediation Intezer Trial Profile
[Image: VirusTotal report] Credit: Effectualness Remediation Endpoint: VirusTotal

Gain full insights from the indexed VirusTotal behaviour report:

https://www.virustotal.com/gui/file/2f5adcd21b56b7a72adadb73a7d29ea9158a1b10cf02be624f60f41a3b1fce0d/behavior

What are the symptoms of RedLine moving across your endpoint?

RedLine Stealer is designed to infiltrate your endpoint stealthily and stay quiet, so no particular symptoms are visible to the user of an infected endpoint. Spotting it is a job for endpoint telemetry (process, file and network events) rather than for user reports.

How does RedLine Stealer land on your endpoint?

Infected email attachments, malicious online advertisements, social engineering, and software "cracks". Hmm, let's just hope a naughty employee did not torrent a crack.

What is the damage caused by RedLine Stealer?

Stolen passwords and banking information, identity theft, and the victim's endpoint may simply be added to a botnet and used as a foothold to take a crack at bigger corporate networks and infrastructure.

So, going back to our starting question: would you still save your passwords and sensitive banking and address information in your Chromium-based or Gecko-based browser?

[Image] Watch "Hack Marks the Group" on our YouTube channel @effectualness to learn about the different cyber threat groups.

How do we defend against sophisticated malware like RedLine Stealer?

To complete the picture briefly: RedLine Stealer collects login credentials (usernames, email addresses, passwords, etc.), autofill data, cookies, and credit card details from Gecko-based and Chromium-based web browsers. It also targets cryptocurrency wallets and FTP, VPN, and messaging clients.

For statistical purposes, it is worth noting that RedLine Stealer has leaked 441 000 passwords, as reported on securityaffairs.co.

  1. Use a good, resilient password manager such as Zoho Vault or Bitwarden, to name a few;
  2. Implement 2FA/MFA, and never use any form of 2FA/MFA that comes as a browser extension, as those tokens may just get RedLined; hackers are always sniffing for CVEs. Bear in mind that RedLine also lifts session cookies, which let an attacker ride an already authenticated session without ever seeing an MFA prompt, so after an infection, sign out of every active session and rotate the credentials as well;
  3. Always keep all internet-facing assets, hardware and software alike, patched, so that you are always up to date;
  4. Use a vulnerability monitoring tool on your endpoints, such as the intuitive OPSWAT client for all platforms, as it provides great insight into the health of various types of endpoints;
  5. We recommend implementing good endpoint security, antivirus and antimalware such as Emsisoft, Bitdefender and Kaspersky, and leading EDR such as Emsisoft Enterprise Security, Malwarebytes EDR and SentinelOne Core or Complete, to name just a few phenomenal brands out there. Gain insights on our YouTube channel "Effectualness";
  6. Secure your internet baseline with encrypted DNS over TLS using Cloudflare DNS or Quad9, to name a few leading DNS players in the industry. Keep in mind that encrypted DNS protects your lookups from on-path snooping and tampering; it does not stop malware that is already running on the endpoint. Gain insights on our YouTube channel "Effectualness";
  7. Implement resilient mobile security on your smartphone, as your mobile phone is every hacker's dream of freedom, fun and fulfilment: it is all about gaining carte blanche access through escalated permissions. A solution set worth considering is the Protectstar Suite, which makes hackers on the Android platform very jittery in their cyber kill-chain TTPs. Gain insights on our YouTube channel "Effectualness".

These tips are not exhaustive, yet they create good shields against sophisticated malware, because everything starts and ends at the endpoint, usually with a simple act of social engineering. That is why we invite your entire company to sign up for our complimentary security awareness training, available on our website at https://effectualness.co.za, and join the first line of defence against cybercrime getting the best of us.

Wishing everyone the very best over the festive period, travel safe, mask up in crowded areas as COVID-19 is still around and always make happiness and the purpose of your life illuminate your way forward into 2023.

Well Wishes,

The Effectualness Team
