Redline Stealer Targeting Accounts Saved to Web Browser with Automatic Login Feature Included

While investigating a recent breach case of the internal network of a certain company, AhnLab ASEC analysis team has confirmed that the VPN account used to access the company network was leaked from the PC of a certain employee who was working from home.

The company where the damage occurred provided VPN service to employees who were working from home to give access to the company’s internal network, and the employees connected to the VPN on the provided laptops or their PCs. The targeted employee used the password management feature provided by the web browser to save and use the account and password for the VPN site on the web browser. While doing so, the PC was infected with malware targeting account credentials, leaking accounts and passwords of various sites, which also included the VPN account of the company.

The leaked VPN account was used to hack the company’s internal network three months later. 

Password Management Feature of Web Browsers 

For user convenience, web browsers store the account and password entered into the login form when the user visits a website and provide the feature to enter them automatically upon revisiting. The password management feature is enabled by default on Chromium-based web browsers (Edge, Chrome).

Figure. Chrome pop-up suggesting to save password

The information entered when logging in is saved to the Login Data file via the password management feature.

Web BrowserFile Path
ChromeC:\Users\<User name>\AppData\Local\Google\Chrome\User Data\Default\Login Data
EdgeC:\Users\<User name>\AppData\Local\MicrosoftEdge\User\Default\Login Data
OperaC:\Users\<User name>\AppData\Roaming\Opera Software\Opera Stable\Login Data
WhaleC:\Users\<User name>\AppData\Local\Naver\Naver Whale\User Data\Default\Login Data
Table. Login Data path of Chromium-based web browsers

Login Data is an SQLite database file, and the account and password information are saved to the logins table. In addition to accounts and passwords, the time saved, URL of the login site, and the number of times of access is saved to the logins table.

If the user refuses to save account and password information of a site, in order to remember this, the blacklisted_by_user field will be set as 1, the username_value and password_value fields will not have accounts or passwords, and only the origin_url information is saved to the logins table.

Figure. logins table of Login Data

Figure. Example of data saved to logins table

Leaking Account Credentials

It was discovered that the targeted employee’s PC was used by the whole family at home and was not safely managed. It was already infected with various malware since long ago, and although an anti-malware program of another company had been installed, it had failed to properly detect and repair.

Among the infected malware was Redline Stealer-type malware. Redline Stealer is an infostealer that collects account credentials saved to web browsers, which first appeared on the Russian dark web in March 2020. A user under the name of REDGlade uploaded a promotional post explaining the various features included in Redline Stealer and selling the hacking tool for $150-$200.

Figure.  Redline Stealer Telegram page

As Redline Stealer was sold to unspecified individuals indiscriminately on the dark web, it is hard to relate the developer of the malware to the attacker directly. Apart from the malware, credentials that were leaked using Redline Stealer were also being sold on the dark web.

Redline Stealer first appeared in March 2020, and phishing emails abusing the issue of COVID-19 were used. It is known that the malware was then distributed in various methods such as phishing emails, abusing of Google advertisements, and disguising as a photo editing program.

In this case, Redline Stealer was distributed online disguised as a crack program of Soundshifter, a pitch-shifting program from Waves. The user entered the name of the software with crack, free, etc. to search the file, downloaded it, and ran the downloaded file, which led to the infection by the malicious file.

Figure. Search history for “waves soundshifter crack” on Google

The main features of Redline Stealer are as follows:

Main FeaturesDescription
Collecting Information– Collecting and stealing information saved to browsers
– Login account and password
– Cookies
– Autofill
– Credit card information
– Browsers targeted for attack
– All Chromium-based browsers
– All Gecko-based browsers
– Cryptocurrency wallet information
– Seed file saved to the system
Collecting System Info– Collecting default system info such as the IP address of system and OS info
– Collecting hardware information such as the processor of the system, memory size, and GPU
– Collecting information of browsers and software installed in the system
– Collecting processes and anti-malware programs installed
C&C– Controlling target system via SOAP protocol communication
– Uploading and downloading files
– Accessing arbitrary URL and running files
Table. Main features of Redline Stealer

Although the account credentials storing feature of browsers is very convenient, as there is a risk of leakage of account credentials upon malware infection, users are recommended to refrain from using it and only use programs from clear sources. 

[IOC Info]

Traces of what is judged to be Redline Stealer were discovered in the breached system, and the Hash of the malware could not be obtained as the malicious files have been deleted. 

  • cio.exe.com
  • orrore.exe.com
  • certe.exe.com
  • 18.188.253.6

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

[Relevant Blog Post]

5 1 vote
Article Rating
61 Comments
Inline Feedbacks
View all comments
trackback

[…] un software di password dedicato. Ma comunque, sono meglio di niente, giusto? Un nuovo rapporto di AhnLab ASEC dimostra il contrario: la memorizzazione delle password nel browser ti rende incredibilmente […]

trackback

[…] kata laluan khusus. Tetapi tetap, mereka lebih baik daripada tiada, bukan? Laporan baharu daripada AhnLab ASEC membuktikan sebaliknya—menyimpan kata laluan dalam penyemak imbas anda menyebabkan anda sangat […]

trackback

[…] wachtwoordsoftware beschikken. Maar toch, ze zijn beter dan niets, toch? Een nieuw rapport van AhnLab ASEC bewijst het tegenovergestelde: door wachtwoorden in uw browser op te slaan, bent u ongelooflijk […]

trackback

[…] Tuy nhiên, chúng vẫn tốt hơn là không có gì, phải không? Một báo cáo mới từ AhnLab ASEC đã chứng minh điều ngược lại — lưu trữ mật khẩu trong trình duyệt khiến […]

trackback

[…] a brand new report by AhnLab ASEC warns that the comfort of utilizing the auto-login function on net browsers is turning into a […]

trackback

[…] password. Ngunit gayon pa man, mas mahusay sila kaysa sa wala, tama? Ang isang bagong ulat mula sa AhnLab ASEC ay nagpapatunay sa kabaligtaran—ang pag-imbak ng mga password sa iyong browser ay nag-iiwan sa […]

trackback

[…] suojaus ja ominaisuudet. Mutta silti, ne ovat parempia kuin ei mitään, eikö niin? Uusi AhnLab ASEC-raportti todistaa päinvastaisen: salasanojen tallentaminen selaimeesi jättää sinut uskomattoman […]

trackback

[…] dedykowane oprogramowanie do obsługi haseł. Ale i tak są lepsze niż nic, prawda? Nowy raport z AhnLab ASEC dowodzi czegoś przeciwnego — przechowywanie haseł w przeglądarce naraża cię na ataki […]

trackback

[…] program. However nonetheless, they’re higher than nothing, proper? A brand new report from AhnLab ASEC proves the alternative—storing passwords in your browser leaves you extremely weak to hackers, […]

trackback

[…] ブラウザベースのパスワードマネージャには、専用のパスワードソフトウェアのセキュリティと機能が不足していると警告することがよくあります。それでも、何もないよりはましですよね? AhnLab ASEC からの新しいレポートは、その逆を証明しています。ブラウザにパスワードを保存すると、たとえハッカーに対して非常に脆弱になります。アカウントごとに一意のパスワードを使用します。 […]

trackback

[…] of dedicated password software. But still, they’re better than nothing, right? A new report from AhnLab ASEC proves the opposite—storing passwords in your browser leaves you incredibly vulnerable to […]

trackback

[…] program. However nonetheless, they’re higher than nothing, proper? A brand new report from AhnLab ASEC proves the other—storing passwords in your browser leaves you extremely susceptible to hackers, […]

trackback

[…] of dedicated password software. But still, they’re better than nothing, right? A new report from AhnLab ASEC proves the opposite—storing passwords in your browser leaves you incredibly vulnerable to […]

trackback

[…] fresh up-to-date record from safety specialists at AhnLab ASEC warns us that the facility of utilizing the automated login function in internet browsers turns […]

trackback

[…] new recent report from security experts at AhnLab ASEC warns us that the convenience of using the auto-login feature on web browsers is becoming a […]

trackback

[…] neuer aktueller Bericht von Sicherheitsexperten bei AhnLab ASEC warnt uns, dass die bequeme Verwendung der automatischen Anmeldefunktion in Webbrowsern zu einem […]

trackback

[…] program. However nonetheless, they’re higher than nothing, proper? A brand new report from AhnLab ASEC proves the other—storing passwords in your browser leaves you extremely susceptible to hackers, […]

trackback

[…] eksperti sve češće upozoravaju na to koliko je čuvanje lozinki u pregledačima opasna stvar, a RedLine Stealer je najnoviji […]

trackback

[…] to a report by AhnLab ASEC, a remote employee lost VPN account credentials to RedLine Stealer actors who eventually used it to […]

trackback

[…] password software. They’re still better than nothing, aren’t they? A new report from AhnLab ASEC proves the opposite–storing passwords in your browser leaves you incredibly vulnerable to […]

trackback

[…] a new report by AhnLab ASEC warns that the convenience of using the auto-login feature on web browsers is becoming a […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] kötü amaçlı yazılımı, tarayıcılarda depolanan kullanıcı şifrelerini çalar. Bu konuda diyor ki AhnLab ASEC tarafından yapılan bir […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] FORRÁS […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] Ancak AhnLab ASEC tarafından hazırlanan yeni bir rapor, web tarayıcılarında otomatik oturum açma özelliğini kullanmanın rahatlığının hem kuruluşları hem de bireyleri etkileyen önemli bir güvenlik sorunu haline geldiği konusunda uyarıyor. […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to to research from the security company AhnLab, the employee was work from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] on research from safety firm AhnLab, the worker was working from home on a tool shared with different family […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]

trackback

[…] to research from security company AhnLab, the employee was working from home on a device shared with other […]