New RedLine malware version spread as fake Omicron stat counter


A new variant of the RedLine info-stealer is distributed via emails using a fake COVID-19 Omicron stat counter app as a lure.

RedLine is a widespread commodity malware sold to cyber-criminals for a couple of hundred USD. It supplies dark web markets with over half of the stolen user credentials sold to other threat actors.

The malware is actively developed and continually improved with widespread deployment using multiple distribution methods.

RedLine targets user account credentials stored on the browser, VPN passwords, credit card details, cookies, IM content, FTP credentials, cryptocurrency wallet data, and system information.

The most recent variant was spotted by analysts at Fortinet, who noticed several new features and improvements on top of an already information-stealing functionality.

Targeting additional data

The new variant has added some more information points to exfiltrate, such as:

  • Graphics card name
  • BIOS manufacturer, identification code, serial number, release date, and version
  • Disk drive manufacturer, model, total heads, and signature
  • Processor (CPU) information like unique ID, processor ID, manufacturer, name, max clock speed, and motherboard information

This data is fetched upon the first execution of the “Omicron Stats.exe” lure, which unpacks the malware and injects it into vbc.exe.

The additional apps targeted by the new RedLine variant are the Opera GX web browser, OpenVPN, and ProtonVPN.

Previous versions of RedLine targeted regular Opera, but the GX is a special “gamer-focused” edition growing in popularity. 

Moreover, the malware now searches Telegram folders to locate images and conversation histories and send them back to the threat actor’s servers.

Finally, local Discord resources are more vigorously inspected to discover and steal access tokens, logs, and database files.

New RedLine variant searching for Discord logs
New RedLine variant searching for Discord logs
Source: Fortinet

Campaign characteristics

While analyzing the new campaign, researchers found an IP address in Great Britain communicating with the command and control server via the Telegram messaging service.

The victims are spread across 12 countries, and the attack doesn’t focus on specific organizations or…