Keypoints
- Operators distributed polymorphic info-stealer samples (RedLine/Vidar) signed with EV code-signing certificates; dozens of distinct EV-signed samples were observed between July–August 2023.
- Threat actors shifted the same delivery method to deploy ransomware (detected as Ransom.Win64.CYCLOPS.A / “Knight”), showing operational reuse between info-stealer and ransomware campaigns.
- Initial infection vector: spear-phishing emails with double-extension attachments (e.g., .pdf.htm) and LNK/JS that executed remote JavaScript from samuelelena[.]co to fetch payloads.
- Payload retrieval used remote resources (e.g., i.ibb[.]co image) whose contents were converted into encrypted shellcode, saved to user AppData and Temp locations, then decrypted and executed.
- Execution chain involved shellcode injection into cmd.exe, dropping/launching a legitimate 7-Zip binary in %temp% (rgb9rast.exe), and injecting the ransomware into that process to perform file encryption and SMB-based network encryption.
- Abuse of EV code signing highlighted failures in revocation handling: the examined certificate (serial 5927C49718E319C84A7253F7DEB1A420) was first revoked with an effective date later than the signing time of the earlier samples, so those signatures continued to verify until the CA moved the revocation date back to the certificate's issuance date.
- Variants also used Excel XLL (Excel-DNA) and other loaders; ransomware dropper files themselves did not always have EV signatures, indicating possible separation between signer/operator and payload provider.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Attackers used tailored emails with attachments to lure victims; (‘They use phrases in spear-phishing emails that call for action and invoke a sense of urgency on topics related to health and hotel accommodations.’)
- [T1204.002] User Execution: Malicious File – Victims opened double-extension attachment files (e.g., “TripAdvisor-Complaint.pdf.htm”) that executed malicious JavaScript and subsequent payloads; (‘the attachment used a double file extension (.pdf.htm) to masquerade itself as a benign .pdf file and conceal the actual .htm payload.’)
- [T1036] Masquerading – Files used double extensions and misleading names (e.g., .pdf.exe, .jpg.exe) to appear benign and bypass casual inspection; (‘They use double extensions to trick users into thinking that the files they are executing are .pdf or .jpg files rather than .exe files’).
- [T1059.007] Command and Scripting Interpreter: JavaScript – The compromised .htm executed JavaScript files hosted on samuelelena[.]co to drive further payload retrieval; (‘the user then unknowingly executed the following JavaScript files from samuelelena[.]co’).
- [T1105] Ingress Tool Transfer – Remote resources (JS, EXE, XLL, PNG) were downloaded from hosting domains (samuelelena[.]co, i.ibb[.]co) to the victim to stage/extract shellcode and payloads; (‘This subsequently downloaded and executed TripAdvisor Complaint-Possible Suspension.exe’).
- [T1553.002] Subvert Trust Controls: Code Signing – Threat actors used EV code signing to sign info-stealer binaries, abusing trusted certificates; (‘we investigated, the victim initially received a piece of info stealer malware with Extended Validation (EV) code signing certificates’).
- [T1055] Process Injection – The attacker decrypted shellcode and injected it into cmd.exe and later into a dropped 7-Zip binary (rgb9rast.exe) to run ransomware in a spawned process; (‘TripAdvisor Complaint-Possible Suspension.exe spawned cmd.exe, where the second decrypted shellcode … was injected’).
- [T1021.002] Remote Services: SMB/Windows Admin Shares – The ransomware performed outbound SMB connections to encrypt files on network shares; (‘performing an outbound Server Message Block (SMB) connection to encrypt files on the network’).
- [T1486] Data Encrypted for Impact – The final payload encrypted files using a .knight_l extension and dropped ransom notes as part of the impact stage; (‘encrypting files with a .knight_l extension’).
Indicators of Compromise
- [Domain] delivery/JS hosting – samuelelena[.]co (hosted JS modules used by the .htm attachment), i.ibb[.]co (hosted 2286401330.png used as encrypted shellcode)
- [File name] malicious droppers & signed binaries – TripAdvisor Complaint-Possible Suspension.exe, TripAdvisor-Complaint.pdf.htm, Additional information about the reservation.exe (EV-signed sample)
- [Certificate] EV certificate serial – 5927C49718E319C84A7253F7DEB1A420 (used to sign info-stealer samples; revocation date handling discussed)
- [File path] staged shellcode & temp files – C:\Users\<user>\AppData\Roaming\KYMRCRHEVFUJGZHWNKKDYUUUBCFJVYCNCBMABZLBL, C:\Users\<user>\AppData\Local\Temp\70685a9e
- [Payload/Process] dropped/legitimate binary used for injection – %temp%\rgb9rast.exe (7-Zip standalone used as host for injected ransomware)
The technical infection chain begins with spear-phishing messages carrying double-extension attachments (e.g., .pdf.htm). When the victim clicks the embedded “Read Complaint” control, the HTML executes JavaScript loaded from samuelelena[.]co, which fetches and launches the dropper (TripAdvisor Complaint-Possible Suspension.exe) or, in variants, an Excel XLL built with Excel-DNA. The dropper retrieves an image (2286401330.png) from i.ibb[.]co, treats its content as encrypted data, writes an encrypted shellcode blob under AppData\Roaming, decrypts it into a secondary shellcode under Temp, and loads that into cmd.exe.
After shellcode execution, the dropper saves a legitimate 7-Zip console binary (rgb9rast.exe) into %temp% and uses process injection to run the ransomware payload (detected as Ransom.Win64.CYCLOPS.A / “Knight”) inside that hosted process. The ransomware drops ransom notes, encrypts local files with a .knight_l extension, and establishes outbound SMB connections to propagate encryption across network shares.
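The chain above, expressed as hunting logic over process-creation telemetry. This is an added example, not code from the Trend Micro report: the events are constructed to resemble Sysmon Event ID 1 fields, the file and process names come from this summary, and the paths and PIDs are invented. Three rules cover the chain's tells: a double-extension lure name in the image path or command line, cmd.exe spawned by a binary in a user-writable profile path, and an .exe launched from %TEMP%.

```python
"""Hunting logic for the execution chain summarized above.

Added example, not code from the Trend Micro report.  The events are
constructed to resemble Sysmon Event ID 1 (process creation) fields; the file
and process names are taken from the summary, the paths and PIDs are invented.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Extensions borrowed for the visible, "harmless" half of a double-extension name.
DECOY_EXT = {"pdf", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx", "txt"}
# Extensions that actually execute or render code when the file is opened.
EXEC_EXT = {"exe", "htm", "html", "js", "lnk", "xll", "scr", "hta", "vbs"}

# A path token ending in <name>.<ext1>.<ext2>, followed by whitespace, a quote or end of text.
DOUBLE_EXT = re.compile(
    r"""[^\\/\s"']+\.([a-z0-9]{2,5})\.([a-z0-9]{2,4})(?=[\s"']|$)""", re.IGNORECASE)
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\Users\\", re.IGNORECASE)


def double_extension_lures(text: str) -> List[str]:
    """Return every file token in `text` shaped like <decoy>.<executable>."""
    return [m.group(0) for m in DOUBLE_EXT.finditer(text)
            if m.group(1).lower() in DECOY_EXT and m.group(2).lower() in EXEC_EXT]


def hunt(events: Iterable[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return (ProcessId, rule) pairs for events that show one of the chain's tells.

    Rules, in the order the chain uses them:
      1. a double-extension lure name appears in the image path or command line;
      2. cmd.exe is spawned by a binary living in a user-writable profile path
         (the dropper spawned cmd.exe and injected shellcode into it);
      3. an .exe is launched from %TEMP% (the renamed 7-Zip host rgb9rast.exe).
    """
    findings: List[Tuple[int, str]] = []
    for ev in events:
        pid = int(ev["ProcessId"])
        image = str(ev["Image"])
        parent = str(ev["ParentImage"])
        cmdline = str(ev.get("CommandLine", ""))
        if double_extension_lures(image + " " + cmdline):
            findings.append((pid, "double_extension_lure"))
        if image.lower().endswith("\\cmd.exe") and USER_WRITABLE.match(parent):
            findings.append((pid, "cmd_from_user_writable_parent"))
        if image.lower().endswith(".exe") and TEMP_PATH.search(image):
            findings.append((pid, "exe_launched_from_temp"))
    return findings


# Constructed sample telemetry following the chain described in the summary.
SAMPLE_EVENTS = [
    {"ProcessId": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r"--single-argument C:\Users\victim\Downloads\TripAdvisor-Complaint.pdf.htm"},
    {"ProcessId": 2, "Image": r"C:\Users\victim\Downloads\TripAdvisor Complaint-Possible Suspension.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"ProcessId": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\victim\Downloads\TripAdvisor Complaint-Possible Suspension.exe"},
    {"ProcessId": 4, "Image": r"C:\Users\victim\AppData\Local\Temp\rgb9rast.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 5, "Image": r"C:\Program Files\7-Zip\7z.exe",  # benign 7-Zip, not flagged
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 6, "Image": r"C:\Users\victim\Downloads\Invoice.jpg.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Note that the dropper itself (event 2) is not caught by the name rule, since its file name has a single extension; it is the cmd.exe it spawns and the %TEMP% host it drops that give it away, which is why the three rules are meant to be read together as a chain rather than as independent alerts.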
The same delivery method had earlier carried polymorphic RedLine/Vidar info-stealer samples (dozens of distinct hashes) signed with EV code-signing certificates. Because the abused certificate was first revoked with an effective date later than the earlier signatures, those modules remained verifiable until the CA moved the revocation date back to the issuance date. Ransomware droppers were not always EV-signed, indicating operational separation between the signers and the payload operators.
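Why the revocation date matters, as an added illustration (not code from the Trend Micro report; the serial, file names and dates are constructed, only the mechanism is real): a verifier that honours a trusted timestamp countersignature judges the certificate as of the signing time, so a revocation with a later effective date leaves earlier-timestamped signatures valid, and only a revocation dated back to issuance invalidates all of them. A signature with no timestamp is judged at verification time and dies with the certificate immediately.

```python
"""Why the revocation date of an abused code-signing certificate matters.

Added illustration, not code from the Trend Micro report.  The serial, file
names and dates below are constructed; only the mechanism is real: a verifier
that honours a trusted timestamp countersignature judges the certificate as of
the signing time, so revocation with a later effective date leaves earlier
signatures valid.  Only a revocation dated back to issuance invalidates all of them.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Dict, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class CodeSigningCert:
    serial: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # effective revocation date, if revoked


def signature_is_trusted(cert: CodeSigningCert, timestamp: Optional[datetime],
                         now: datetime) -> bool:
    """Return True if a signature made with `cert` still verifies.

    `timestamp` is the time asserted by a trusted timestamp countersignature;
    without one, the certificate is judged as of `now`, so revocation or expiry
    invalidates the signature immediately.
    """
    effective = timestamp if timestamp is not None else now
    if not (cert.not_before <= effective <= cert.not_after):
        return False
    if cert.revoked_at is not None and effective >= cert.revoked_at:
        return False
    return True


def sample_status(cert: CodeSigningCert, samples: Dict[str, Optional[datetime]],
                  now: datetime) -> Dict[str, bool]:
    """Evaluate every signed sample against the certificate's current revocation state."""
    return {name: signature_is_trusted(cert, ts, now) for name, ts in samples.items()}


# Constructed timeline (not the real certificate's).
CERT = CodeSigningCert("EXAMPLE-SERIAL",
                       not_before=datetime(2023, 1, 1, tzinfo=UTC),
                       not_after=datetime(2024, 1, 1, tzinfo=UTC))
SAMPLES = {
    "stealer_july.exe": datetime(2023, 7, 12, tzinfo=UTC),   # timestamped before revocation
    "stealer_august.exe": datetime(2023, 8, 3, tzinfo=UTC),  # timestamped before revocation
    "stealer_late.exe": datetime(2023, 9, 1, tzinfo=UTC),    # timestamped after revocation
    "stealer_untimestamped.exe": None,                       # no countersignature at all
}
NOW = datetime(2023, 10, 1, tzinfo=UTC)


def status_with_late_revocation() -> Dict[str, bool]:
    """Revocation dated after the earlier samples were signed: they keep verifying."""
    cert = replace(CERT, revoked_at=datetime(2023, 8, 20, tzinfo=UTC))
    return sample_status(cert, SAMPLES, NOW)


def status_with_corrected_revocation() -> Dict[str, bool]:
    """Revocation moved back to the issuance date, as the CA eventually did."""
    cert = replace(CERT, revoked_at=CERT.not_before)
    return sample_status(cert, SAMPLES, NOW)


if __name__ == "__main__":
    print("late revocation:     ", status_with_late_revocation())
    print("corrected revocation:", status_with_corrected_revocation())
```

The practical consequence for a responder is that "the certificate has been revoked" is not enough on its own: check the revocation's effective date against the timestamp countersignature of the sample in hand, and treat a revocation dated after the sample's signing time as leaving that sample trusted by default Windows verification.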
Read more: https://www.trendmicro.com/en_us/research/23/i/redline-vidar-first-abuses-ev-certificates.html