Shining a Light on RedLine Stealer Malware and Identity Data Found in Criminal Shops

Posted: 14th October 2021
Shining a Light on RedLine Stealer Malware and Identity Data Found in Criminal Shops

As threat actors continue to expand their attack surface - with cloud systems and supply chain attacks continuing to make headlines -- there are even more opportunities for threat actors to breach your organization. Verifying user identities and controlling access to sensitive data is critical to organizational security, but can be difficult to achieve. Stolen corporate data such as user credentials regularly ends up on paste sites and dark web channels, allowing cybercriminals to purchase the data, and potentially use it to gain access to an organization’s network or systems. Unable to keep up with the growing onslaught of attacks and continuous monitoring of the dark web for sensitive information on their own, organizations are not able to be proactive and are left exposed to financial, legal, and reputational consequences.

And the problem is not limited to the sheer volume of attacks, but the sophistication of attacks is also growing, with advanced evasive tactics making detection much more difficult. Threat actors continue to find new ways to capture credentials and sell them on the dark web to the highest bidder. That is why organizations need greater visibility on threat actor tactics for credential harvesting, and real-time monitoring of data leaks across all sources, including criminal and invitation-only sites.

Today, Insikt Group released a report on RedLine Stealer, an infostealer malware that has become a key source of identity data marketed and sold on online criminal forums since its initial release in early 2020. It is just one example of many infostealers that Insikt Group has profiled over the last year that threat actors are currently using to gain access to compromised identities in order to conduct fraudulent activities. 

RedLine Stealer is commonly distributed by phishing emails, as well as messaging on social media. The phishing email lures are often topical, concerning current events such as COVID-19 information. It then steals a victim’s data, including usernames, passwords, cookies, payment card information, and cryptocurrency wallet information, that are easily monetized by direct use or sale to other criminals. The sale of this stolen data is often conducted through underground markets that provide one-stop shopping for criminals involved in identity theft. 

In order for organizations to identify and protect against credential theft conducted by malicious tools like RedLine Stealer, they need support in monitoring thousands of dark, deep, and open web sources for relevant threats targeting their organization. Recorded Future Identity Intelligence eliminates the need to manually aggregate, correlate, and triage identity information, and empowers organizations to dramatically reduce the amount of time it takes to detect, prioritize, and respond to real risks to their business. 

Paired with the finished intelligence and expertise from Insikt Group, organizations who use the Recorded Future Platform have actionable intelligence around data leaks, credential harvesting, malware-as-a service offerings, and more. These high-fidelity insights into specific attack methods and tools, such as RedLine Stealer, allow organizations to shine a light on true threats and take timely steps to block any malicious activity. By implementing the associated YARA, SNORT, and Sigma rules into network, endpoint, or malware security solutions, organizations can stop RedLine Stealer in its tracks and reduce the risk to their business. 

For organizations looking to proactively prevent identity theft and credential leaks, Recorded Future provides access to actionable, real-time, automated Identity Intelligence, supported by Insikt Group, our global team of threat intelligence experts who identify and maintain persistence access with closed, insider-access forums. To learn more, download the full RedLine Stealer report and request a demo of the Identity Intelligence module.