Making victims pay, infostealer malwares mimick pirated-software download sites

Threat actors distributing infostealers are gaining momentum by targeting victims seeking to illegally download pirated software. The analysis covers two infection chains—Case 1 with RedLine Stealer and Case 2 with RecordBreaker Stealer—highlighting evasion techniques, loader behavior, and extensive data theft from browsers and wallet extensions.
#RedLineStealer #RecordBreaker #Themida #VMProtect #MPRESS #ZscalerThreatLabz #Zscaler

Keypoints

  • Threat campaigns distribute infostealers via fake pirated software download sites and redirects, aiming at victims seeking illegal software.
  • Case 1 uses layered delivery: redirects lead to a malicious site hosting thousands of zip archives, then a padded, password‑protected zip contains an oversized executable that is trimmed down to a 78 KB binary and launched.
  • The loader in Case 1 downloads a jpg file from a remote server that is actually a DLL after reverse‑ordering, then loads a RedLine Stealer payload to steal browser data and crypto wallets.
  • The final RedLine Stealer in Case 1 targets stored browser passwords, autofill data, and cryptocurrency wallets, risking financial loss and identity theft.
  • Case 2 distributes RecordBreaker Stealer without relying on typical file‑hosting services; the samples are wrapped in commercial packers (Themida, VMProtect, MPRESS) and include anti‑debugging checks and C2 communications.
  • RecordBreaker Hunter/Breaker steals browser extension data (numerous wallet extensions), can capture screenshots, reports system and installed‑software information back to the C2, and exfiltrates cookies.
  • The campaigns rely on malicious IPs, newly registered domains (NRDs), and fake shareware domains; a broad set of IOCs is listed to facilitate detection and blocking.
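The Case 1 loader fetches a "jpg" whose bytes are the DLL stored back to front, so a check on the claimed file type passes while a check for a PE header fails. The triage helper below is an added example (not Zscaler's code and not part of the original post): it classifies a blob as JPEG, PE, reversed PE or unknown by validating the DOS header and the PE signature in both orientations, and recovers the payload by reversing it. The DLL stand-in is a constructed header-only byte string, not a real binary.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
MZ_MAGIC = b"MZ"
PE_SIG = b"PE\x00\x00"


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIG


def classify(data: bytes) -> str:
    """Label a downloaded blob regardless of the extension the server gave it."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if is_pe(data):
        return "pe"
    if is_pe(data[::-1]):          # the trick described in the post: bytes stored in reverse
        return "reversed-pe"
    return "unknown"


def recover_payload(data: bytes) -> bytes:
    """Undo the byte reversal; refuses anything that does not become a PE image."""
    payload = data[::-1]
    if not is_pe(payload):
        raise ValueError("reversed content is not a PE image")
    return payload


def build_fake_pe() -> bytes:
    """Constructed stand-in for the DLL: DOS header, PE signature, COFF header, padding.
    It carries no code and cannot be loaded; it exists only to exercise the checks."""
    dos = bytearray(MZ_MAGIC) + bytes(0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    # Machine=AMD64, 1 section, timestamp/symtab/nsyms=0, optional header size 0xF0,
    # characteristics 0x2022 = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL.
    coff = PE_SIG + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    return bytes(dos) + coff + bytes(64)


# What the loader would receive as a ".jpg" (constructed sample): the DLL bytes reversed.
SAMPLE_DOWNLOAD = build_fake_pe()[::-1]

if __name__ == "__main__":
    print("stored as downloaded:", classify(SAMPLE_DOWNLOAD))
    print("after reversal      :", classify(recover_payload(SAMPLE_DOWNLOAD)))
```

Running `classify()` on the sample reports `reversed-pe`, while a naive magic-byte check on the stored file reports neither JPEG nor PE, which is exactly why the disguise survives a cursory look. A sandbox or proxy that only honours the `.jpg` extension or the `Content-Type` header never sees the DLL.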

MITRE Techniques

  • [T1189] Drive-by Compromise – ‘When users visit fake shareware sites and click to download, they immediately experience multiple redirects that obfuscate the process for detection by search engines, scanners, and victims…’
  • [T1105] Ingress Tool Transfer – ‘the loader connects to the remote server requesting a jpg file named …windows.decoder.manager.form.fallout15_Uwifqzjw.jpg… The downloaded jpg file looks like it is encrypted but opening it with an editor reveals that the contents are simply stored in reverse order and once the content is reversed by the malicious program, it transforms into a DLL file.’
  • [T1027.002] Software Packing – ‘malware authors typically use packers and protectors for compression and to wrap the software in an extra layer of disguised code to evade detection.’
  • [T1497.001] Virtualization/Sandbox Evasion – ‘Anti-VM and Anti-Debug checks.’
  • [T1059.001] PowerShell – ‘The decoding PowerShell command looks like this: (Start-Sleep -s 10; Remove-Item -Path "C:\Users\User\Desktop\Setupfinal.exe" -Force)’.
  • [T1055] Process Injection – ‘The DLL payload… is obfuscated with a crypter and compiled into memory by the loader. The loader loads the DLL and replaces it with the current thread context.’
  • [T1071.001] Web Protocols – ‘After execution, the malware communicates with the C2 server and sends back the machine ID and config ID before downloading its required libraries from the remote server.’
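The PowerShell one-liner quoted under T1059.001 is a self-deletion idiom: sleep long enough for the parent to exit, then force-remove the dropped executable. The detection below is an added example (not part of the Zscaler post) that runs over constructed process-creation records. It flags a sleep followed by a forced removal of an `.exe` path in one command line, and rates the hit higher when the deleted file is the parent process's own image, which is the pattern the post describes. Covering the `rm`/`ri`/`del`/`erase` aliases of `Remove-Item` and the `-Seconds` spelling of `-s` is an assumption beyond the exact command quoted; the event records and field names are made up for the example.

```python
import re
from typing import List, Tuple

# Sleep, then a forced removal of an .exe path, in one command line. The optional -Path and the
# quote characters around the path are accepted in any combination; matching is case-insensitive.
SELF_DELETE_RE = re.compile(
    r"start-sleep\s+-s(?:econds)?\s*\d+\s*;\s*"
    r"(?:remove-item|rm|ri|del|erase)\s+(?:-path\s+)?[\"']?"
    r"(?P<path>[^\"';]+?\.exe)[\"']?\s+-force",
    re.IGNORECASE,
)


def deleted_target(cmdline: str) -> str:
    """Return the .exe path a self-delete command removes, or '' if the idiom is absent."""
    normalized = re.sub(r"\s+", " ", cmdline)   # collapse whitespace from wrapped/logged lines
    m = SELF_DELETE_RE.search(normalized)
    return m.group("path") if m else ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_self_delete(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (pid, severity) for each PowerShell process whose command line self-deletes an .exe.
    'high' when the removed file is the parent image (the binary deleting itself), else 'medium'."""
    hits = []
    for ev in events:
        target = deleted_target(ev["cmdline"])
        if not target:
            continue
        severity = "high" if basename(target) == ev["parent"].lower() else "medium"
        hits.append((ev["pid"], severity))
    return hits


# Constructed process-creation records (pid, parent image name, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "Setupfinal.exe",
     "cmdline": "powershell.exe -Command \"(Start-Sleep -s 10; "
                "Remove-Item -Path 'C:\\Users\\User\\Desktop\\Setupfinal.exe' -Force)\""},
    {"pid": 4133, "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command \"Get-ChildItem C:\\Temp\""},
    {"pid": 4170, "parent": "cmd.exe",          # removes a log file, not an executable: benign here
     "cmdline": "powershell.exe -c \"Start-Sleep -Seconds 3; Remove-Item C:\\Temp\\report.log -Force\""},
    {"pid": 4201, "parent": "Setupfinal.exe",   # deletes a different dropped binary: still suspicious
     "cmdline": "powershell -w hidden -c \"start-sleep -s 5;rm 'C:\\ProgramData\\dropper.exe' -force\""},
]

if __name__ == "__main__":
    for pid, severity in find_self_delete(SAMPLE_EVENTS):
        print(f"pid {pid}: self-delete ({severity})")
```

The parent-image comparison is what keeps the rule useful: administrators do occasionally script a delayed cleanup, but a freshly executed installer spawning PowerShell to remove its own file after a sleep is the loader behaviour described above. Feed it Sysmon event 1 or Windows 4688 records with the command line enabled; without command-line logging the idiom is invisible.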

Indicators of Compromise

  • [IP] Malicious IPs – 45.150.67.175, 94.158.244.119, and other listed addresses
  • [Domain] Fake shareware/NRD domains – fullcrack4u.com, activationskey.org, file-store2.xyz, seostar2.xyz
  • [File] Support libraries the stealer downloads from the C2 to parse browser data (legitimate NSS/SQLite/MSVC runtime DLLs, not malicious on their own; treat an unexpected fetch of them as the indicator, not the files) – nss3.dll, msvcp140.dll, vcruntime140.dll, mozglue.dll, softokn3.dll, sqlite3.dll, nssdbm3.dll

Read more: https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download