Pirated Software Like Hacked 3DMark Is Used to Distribute RedLine Infostealer

Zscaler specialists discovered several malicious campaigns in which the RedLine infostealer is distributed under the guise of various pirated software, including 3DMark, Adobe Acrobat Pro, MAGIX Sound Force Pro, and so on.

Let me remind you that we also talked about RedLine Stealer Malware Masks as Bots to Buy Binance NFT Mystery Boxes.

The researchers say that SEO poisoning and malicious advertising are used to promote sites with dangerous “pirates”, which allows attackers to rank high in Google search results.

RedLine infostealer and pirated software

Users are lured to such sites by offering free pirated versions of Adobe Acrobat Pro, 3DMark, 3DVista Virtual Tour Pro, 7-Data Recovery Suite, MAGIX Sound Force Pro, Wondershare Dr. Fone, as well as various cracks and key generators.

At the same time, malicious executables masked as promoted software installers are often placed on third-party file hosting sites, so landing pages only redirect victims to other places to download files.

RedLine infostealer and pirated software

The downloaded files are usually archives containing a password-protected 1.3 MB ZIP file (to avoid the attention of anti-virus software) as well as a TXT file with a password. When unpacking, such a file is artificially reduced to 600 MB by filling it with unnecessary bytes.

RedLine infostealer and pirated software

The resulting executable is a malware loader that spawns an encoded PowerShell command, and thus launches the Windows command prompt (cmd.exe) even after a 10 second timeout. The cmd.exe process in turn downloads a fake JPG file, which is actually a DLL file with the contents in reverse order.

RedLine infostealer and pirated software

The loader reorders the contents of the file, extracting the DLL and the RedLine infostealer payload.

Redline Stealer is a very powerful malware designed to steal information. It is capable of extracting credentials from browsers, FTP clients, email, instant messengers, and VPNs. In addition, the malware can steal authentication cookies and card numbers stored in browsers, chat logs, local files, and cryptocurrency wallet databases. Currently, RedLine Stealer is actively sold on the dark web, and a monthly subscription costs approximately $100.

Zscaler analysts note that in some cases, attackers used another malware to steal data – RecordBreaker. The malware has been packaged with Themida to obfuscate and prevent detection. The RecordBreaker steals just as much data as the Redline Stealer, so it doesn’t really matter to the victims which payload was used by the hackers.

Leave a Comment

About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master's degree in cybersecurity, I've started working as a virus analyst in a little anti-malware vendor.