Cyble – Redline Stealer Being Distributed Via Fake Express VPN Sites

CRIL from Cyble analyzed phishing campaigns that impersonate ExpressVPN to distribute Redline Stealer through fake ExpressVPN sites. The lure chain uses a shortened URL and a phishing site with a valid SSL certificate; the victim downloads a malicious ZIP, the dropper injects the stealer payload into a signed Microsoft process, and the stealer harvests data from browsers and other applications. #ExpressVPN #RedlineStealer #CRIL #Cyble #CuttLy #Discord #Phishing #Vidar #RecordBreaker

Keypoints

  • CRIL identifies phishing campaigns that impersonate ExpressVPN to spread Windows malware (Redline Stealer).
  • Phishing campaigns employ multiple channels (phishing emails, online ads, and SEO) and six look‑alike domains to host fake ExpressVPN sites.
  • When users click the call‑to‑action, the site chains a short URL that redirects to a Discord attachment URL to download Setup.zip containing the malware.
  • The shortened link and the valid SSL certificate on the phishing site lend the download legitimacy and raise the likelihood of infection.
  • The downloaded Setup.zip contains setup.exe padded with zeros to evade antivirus detection and injects the stealer into jsc.exe (a Microsoft‑signed program).
  • Redline Stealer fetches configuration from a C2 server at net.tcp://109.107.191.169:34067/ and then steals data from browsers and other apps (wallets, VPN, Discord, Steam).
  • Conclusion: Redline Stealer remains a prominent info-stealer; this campaign uses large zero-padded binaries and shows parallels to other stealers such as Vidar and RecordBreaker.
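The padding trick in the keypoints above (setup.exe inflated with trailing zeros) is easy to check for during triage. The following is an added example, not code from the Cyble write-up, that measures the trailing-zero run of a file, flags it when the padding dominates the file, and hashes the file both as dropped and with the padding stripped. The 50% threshold and the sample bytes are assumptions made here; the input is a constructed fake binary, not the campaign's setup.exe.

```python
import hashlib

# Assumption (not from the Cyble write-up): treat a file as suspiciously padded
# when at least half of it is a single run of trailing 0x00 bytes. Legitimate
# PE files can end with a short zero run from section alignment, so the ratio,
# not the mere presence of zeros, is the signal.
PADDING_RATIO_THRESHOLD = 0.5


def trailing_zero_run(data: bytes) -> int:
    """Number of consecutive 0x00 bytes at the very end of data."""
    return len(data) - len(data.rstrip(b"\x00"))


def analyze_padding(data: bytes) -> dict:
    """Measure trailing zero padding and hash the file with and without it."""
    total = len(data)
    run = trailing_zero_run(data)
    core = data[: total - run]
    ratio = run / total if total else 0.0
    return {
        "size": total,
        "trailing_zero_bytes": run,
        "padding_ratio": ratio,
        "suspicious": ratio >= PADDING_RATIO_THRESHOLD,
        # hash as dropped: what an AV engine or IOC feed sees for the padded artefact
        "sha256_as_dropped": hashlib.sha256(data).hexdigest(),
        # hash of the unpadded core: stable even if the padding length changes
        "sha256_unpadded": hashlib.sha256(core).hexdigest(),
    }


# Constructed sample input, not a real binary: a fake "executable" body
# followed by 1 MiB of zero bytes, mimicking the padding described above.
FAKE_CORE = b"MZ" + bytes(range(256)) * 4
FAKE_PADDED = FAKE_CORE + b"\x00" * (1 << 20)

if __name__ == "__main__":
    for name, blob in (("core", FAKE_CORE), ("padded", FAKE_PADDED)):
        r = analyze_padding(blob)
        print(f"{name}: size={r['size']} pad={r['trailing_zero_bytes']} "
              f"ratio={r['padding_ratio']:.3f} suspicious={r['suspicious']}")
```

The unpadded hash is the useful one to pivot on: if an actor re-pads the same core with a different number of zeros, the as-dropped hash changes but the core hash does not, so the stripped hash survives across variants where a plain file hash IOC would not.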

MITRE Techniques

  • [T1566] Phishing – The campaign uses look‑alike ExpressVPN sites and shortened links to lure victims. Quote: ‘phishing sites impersonating Express VPN…’
  • [T1204] User Execution – Victims click the CTA and trigger the download of Setup.zip. Quote: ‘When a user clicks on the “Get ExpressVPN” button, the phishing site will directly download the malicious file’
  • [T1539] Steal Web Session Cookie – The stealer collects browser cookies, which can be replayed to hijack authenticated sessions. Quote: ‘cookies’
  • [T1555] Credentials from Password Stores – The stealer collects login credentials, autofill data, cookies, and credit card details. Quote: ‘steals login credentials, autofill data, cookies, and credit card details from all Gecko-based and Chromium-based web browsers’
  • [T1095] Non-Application Layer Protocol – The C2 endpoint is a raw net.tcp address rather than an HTTP(S) URL. Quote: ‘net[.]tcp[:]//109.107.191.169[:]34067/’
  • [T1571] Non-Standard Port – The malware communicates with C2 over a non‑standard port. Quote: ‘net[.]tcp[:]//109.107.191.169[:]34067/’
  • [T1041] Exfiltration Over C2 Channel – Data harvested from the victim's applications is sent back over the same C2 connection. Quote: ‘The Redline Stealer steals the data from various applications installed on the victim’s system’
  • [T1055] Process Injection – setup.exe injects the stealer payload into jsc.exe. Quote: ‘setup.exe injects the stealer payload into jsc.exe’

Indicators of Compromise

  • [Domain] Look-alike domains – express-vpns.biz, express-vpns.cloud, express-vpns.fun, express-vpns.online, express-vpns.pro, express-vpns.xyz
  • [URL] Shortened URL – hxxps://cutt[.]ly/h1c4zjK
  • [URL] C2 URL – net[.]tcp[:]//109.107.191.169[:]34067/
  • [FileName] Setup.zip – downloaded payload
  • [Hash] MD5: 650ea9f40f79a23673d8e907c79c350a; SHA1: b0491e5a077eef6df868e66b6e5d4a594d4a01da; SHA256: 0e3b024a0f4013541cc0771b02878182f0b599945b2ea60342f5c4c24d27e2e0
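The indicators above are the kind you would sweep proxy, DNS and connection logs for. The following is an added example, not code from the Cyble write-up, that refangs the page's defanged IOCs and classifies log lines that touch the look-alike domains, the cutt.ly short link, a Discord attachment named Setup.zip, or the net.tcp C2 endpoint. The log lines are constructed for the example (the Discord path in them is a placeholder, not an IOC from the page), and the extra rule that flags express-vpns on any other TLD is an assumption made here, generalizing from the six domains listed.

```python
import re

# IOCs from the write-up, refanged for matching against real log data.
LOOKALIKE_DOMAINS = {
    "express-vpns.biz", "express-vpns.cloud", "express-vpns.fun",
    "express-vpns.online", "express-vpns.pro", "express-vpns.xyz",
}
SHORT_URL = "cutt.ly/h1c4zjK"            # cutt.ly codes are case-sensitive
C2_ENDPOINT = "109.107.191.169:34067"    # net.tcp endpoint, matched as ip:port

HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)
# Assumption: the actor may register the same label under further TLDs.
LOOKALIKE_VARIANT_RE = re.compile(r"^express-vpns\.[a-z]{2,}$", re.IGNORECASE)
# Discord-hosted archive with the dropper's file name; weaker signal on its own.
DISCORD_ZIP_RE = re.compile(r"discordapp\.com/attachments/\S*?setup\.zip", re.IGNORECASE)


def classify(line: str) -> list:
    """Return (kind, value) pairs for every IOC the line matches."""
    hits = []
    for host in HOST_RE.findall(line):
        h = host.lower()
        if h in LOOKALIKE_DOMAINS:
            hits.append(("lookalike_domain", h))
        elif LOOKALIKE_VARIANT_RE.match(h):
            hits.append(("lookalike_domain_variant", h))
    if SHORT_URL in line:
        hits.append(("short_url", SHORT_URL))
    if DISCORD_ZIP_RE.search(line):
        hits.append(("discord_setup_zip", "Setup.zip"))
    if C2_ENDPOINT in line:
        hits.append(("c2_endpoint", C2_ENDPOINT))
    return hits


def sweep(log_text: str) -> list:
    """Classify each line of a log and return findings with line numbers."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for kind, value in classify(line):
            findings.append({"line": n, "kind": kind, "value": value})
    return findings


# Constructed proxy log (timestamp, client, method, target, status); not real data.
# Line 3's attachment path is a placeholder, not an indicator from the report.
SAMPLE_LOG = """\
2022-11-28T10:02:11Z 10.0.0.5 GET https://express-vpns.biz/ 200
2022-11-28T10:02:19Z 10.0.0.5 GET https://cutt.ly/h1c4zjK 302
2022-11-28T10:02:20Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/000/000/Setup.zip 200
2022-11-28T10:03:02Z 10.0.0.5 CONNECT 109.107.191.169:34067 -
2022-11-28T10:04:30Z 10.0.0.9 GET https://express-vpns.top/download 200
2022-11-28T10:05:44Z 10.0.0.7 GET https://www.expressvpn.com/ 200
"""

if __name__ == "__main__":
    for f in sweep(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
```

The legitimate www.expressvpn.com line is deliberately included and must not fire: the look-alike label is express-vpns with a hyphen and trailing s, and matching on the exact host rather than a substring keeps the real vendor out of the results. The C2 check is a plain ip:port substring so the same function works on CONNECT entries, Zeek conn logs or NetFlow exports where no URL is present.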

Read more: https://blog.cyble.com/2022/11/30/redline-stealer-being-distributed-via-fake-express-vpn-sites/