Threat analysts have uncovered yet a new campaign that uses the RIG Exploit Kit to deliver the RedLine stealer malware.
Exploit kits (EKs) have dropped drastically in popularity, since they mostly targeted vulnerabilities introduced into web browsers by plug-in software such as the now-defunct Flash Player and Microsoft Silverlight.
As web browsers grew more secure and introduced automatic updates for all their components or replaced them with modern standards, the use of EKs to distribute malware has declined to the point that they are a rare encounter these days.
However, as there are still users running browsers without the latest security updates, Internet Explorer in particular, EKs have not completely run out of targets.
The recently investigated campaign relying on RIG EK leverages CVE-2021-26411, an Internet Explorer vulnerability that causes memory corruption when viewing a specially crafted website.
The threat actors use the exploit to compromise the machine and deploy RedLine, a cheap but powerful info-stealing malware widely circulated on Russian-speaking forums.
From there, the adversaries exfiltrate sensitive user details such as cryptocurrency wallet keys, credit card details, and account credentials stored on web browsers.
RIG Exploit’s new tricks
As the name implies, the RIG EK includes a set of exploits to automate network intrusion by performing the required shellcode execution on the target.
It was once preferred to other kits due to combining different technologies such as JavaScript, VBScript, DoSWF, and others, employed for packing, obfuscation, and execution.
Today, RIG Exploit has lost its prestigious status, but some threat actors still find it useful for delivering malware, as was the case last year, when it dropped the WastedLoader malware.
The recent campaign was discovered by researchers at Bitdefender, who found that RIG EK incorporates CVE-2021-26411 to initiate an infection process that smuggles a copy of RedLine stealer on the target in packed form.
The exploit creates a new command-line process that drops a JavaScript file in a temporary directory, which in turn downloads a second RC4-encrypted payload and launches it.
The unpacking of the RedLine stealer is a six-stage process consisting of decompressions, key retrievals, runtime decryptions, and assembly actions. The resulting DLL files never touch the disk, which helps evade AV detection.
RedLine unpacked
Once RedLine has taken form on the compromised machine as an obfuscated .NET executable, it attempts to connect to its C2 server, which in this campaign is 185.215.113.121 on port 15386.
The communication uses an encrypted non-HTTP channel, while the first request also involves authorization. The second request is answered by a list of settings that determine what actions will be performed on the host.
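The two observable points in this chain, the exploit spawning a command-line process that runs a .js file from a temporary directory and the later connection to the C2 endpoint on a non-HTTP port, can both be turned into simple detection logic. The script below is an added example (not code from the article or from Bitdefender) that runs those two heuristics over constructed, EDR-style JSON events. The event schema, the set of command-line interpreters matched, the usernames, PIDs and the sample log lines are all assumptions made for the example; only the C2 address and port and the browser-to-command-line-to-temp-JS chain come from the article.

```python
"""Detection heuristics for the RIG EK -> RedLine chain described in the article.

Constructed, EDR-style newline-delimited JSON events (not telemetry from any real
host) are matched against two heuristics:
  1. Internet Explorer spawning a command-line interpreter whose command line
     references a .js file under a temporary directory.
  2. Any process connecting to the campaign's C2 endpoint 185.215.113.121:15386.
"""
import json
import re
from typing import Dict, Iterable, List

# Indicator taken from the article. The channel is non-HTTP, so a plain IP/port
# match is the practical network-level check.
REDLINE_C2 = ("185.215.113.121", 15386)

# Command-line interpreters a browser exploit plausibly spawns (assumption: the
# article only says "a new command-line process").
CLI_IMAGES = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# A .js file under a Temp directory, e.g. ...\AppData\Local\Temp\x.js or C:\Windows\Temp\x.js
TEMP_JS_RE = re.compile(r'\\temp\\[^\s"]+\.js\b', re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def flag_browser_spawned_script(event: Dict) -> bool:
    """Heuristic 1: iexplore.exe -> command-line process referencing a temp .js."""
    if event.get("type") != "process_create":
        return False
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmdline = event.get("command_line", "")
    return parent == "iexplore.exe" and image in CLI_IMAGES and bool(TEMP_JS_RE.search(cmdline))


def flag_c2_connection(event: Dict) -> bool:
    """Heuristic 2: outbound connection to the RedLine C2 seen in this campaign."""
    if event.get("type") != "network_connect":
        return False
    return (event.get("dst_ip"), int(event.get("dst_port", 0))) == REDLINE_C2


def scan(lines: Iterable[str]) -> List[Dict]:
    """Run both heuristics over JSON-per-line events and return the alerts raised."""
    alerts: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if flag_browser_spawned_script(event):
            alerts.append({"rule": "ie_spawns_temp_js", "pid": event.get("pid")})
        elif flag_c2_connection(event):
            alerts.append({"rule": "redline_c2_connect", "pid": event.get("pid")})
    return alerts


# Constructed sample telemetry: three benign events and two that match the chain.
# (203.0.113.10 is a documentation-range address used as a harmless destination.)
SAMPLE_EVENTS = r"""
{"type": "process_create", "pid": 4120, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "command_line": "iexplore.exe"}
{"type": "process_create", "pid": 4188, "parent_image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c wscript.exe C:\\Users\\victim\\AppData\\Local\\Temp\\w3z9.js"}
{"type": "process_create", "pid": 4210, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c dir C:\\Users\\victim\\Documents"}
{"type": "network_connect", "pid": 4188, "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "dst_ip": "203.0.113.10", "dst_port": 443}
{"type": "network_connect", "pid": 4302, "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\svc.exe", "dst_ip": "185.215.113.121", "dst_port": 15386}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The first heuristic is the more durable of the two: an IP/port indicator changes from campaign to campaign, whereas Internet Explorer launching an interpreter against a script in a temp directory is rarely legitimate and survives infrastructure changes. In production the parent/child check belongs in the EDR's own rule language; the point here is only the logic.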
After that, RedLine begins collecting data according to those settings, targeting an extensive set of software like web browsers, VPNs, FTP clients, Discord, Telegram, Steam, and cryptocurrency wallets/plugins.
Moreover, RedLine sends a package of system information to the C2, including the Windows username and serial number, a list of installed software, a list of running processes, time zone, active language, and a screenshot.
Diverse distribution
The variety in RedLine’s distribution stems from the fact that it is in the hands of so many threat actors, each with its own approach.
While these methods require user action and target a wider audience, the addition of the RIG Exploit Kit automates the infection process but limits the victim set to those that still run a vulnerable version of Internet Explorer.