Trend Micro’s Managed XDR team uncovered a spear-phishing campaign targeting hospitality staff that delivers RedLine Stealer via oversized multi-stage payloads. The operation uses Dropbox/Bitly links, a PowerShell-based loader chain, and WMI-based data exfiltration to a C2 server. #RedLineStealer #Ferriteswarmed #Dropbox #Bitly #Outlook #WindowsManagementInstrumentation #TrendMicro #VisionOne #HospitalityIndustry
Keypoints
- Spike in spear-phishing emails observed across hospitality customers, with lure subject lines designed to grab attention.
- Emails rely on shortened Bitly URLs that redirect to Dropbox links hosting malicious payloads.
- Malware samples are unusually large (up to ~929 MB) versus typical infostealers.
- Payload delivery uses a double-extension filename to trick users into executing the file.
- PowerShell-based loader retrieves encrypted payloads and decrypts/decompresses them for execution.
- RedLine Stealer is injected into a legitimate process (aspnet_compiler.exe) and collects system info via WMI before exfiltrating to a C2 server.
MITRE Techniques
- [T1566.002] Spearphishing Link – The article describes emails with attention-grabbing subject lines and shortened URLs that redirect to Dropbox links hosting malware. Quote: “Most of the emails had subject lines that attempt to catch victims’ attention: ‘help,’ ‘requesting for assistance,’ ‘route map,’ ‘this is me from booking.com,’ and ‘booking reservation.’ Some of the emails also had a ‘Re:’ in the subject line.” and “shortened URL that dropped malware. Also used were Bitly-shortened URLs that redirected to Dropbox links that contained malicious files.”
- [T1204.002] User Execution – Quote: “the employee opened the link using outlook.exe, which downloaded a zip file named “Christian-Robinson-Route.zip.” This zip file contained a file with a double extension, “Christian-Robinson-Route.jpg.exe,” which is a tactic that malicious actors use to trick victims into downloading and executing malicious files.”
- [T1059.001] PowerShell – Quote: “Stage 2: The PowerShell script retrieves an encrypted file from hxxp://45.93.201[.]62/docs/ … hxxp://45.93.201[.]114/docs/fzLJerifqJwFtnjbrlnJPNrfnupnYg[.]txt to get another MSIL file named Ferriteswarmed.exe, which will then be AES-decrypted, GZIP-decompressed, and loaded in PowerShell via .NET reflective loading.”
- [T1055.001] Process Injection – Quote: “The RedLine Stealer will then be injected into “aspnet_compiler.exe”.”
- [T1047] Windows Management Instrumentation – Quote: “The RedLine Stealer will collect data … via the Windows Management Instrumentation (WMI).”
- [T1041] Exfiltration Over C2 Channel – Quote: “The stolen data is sent to its C&C server, 77.73.134[.]13:12785.”
- [T1027] Obfuscated/Compressed Files and Information – Quote: ““Christian-Robinson-Route.jpg.exe” is a cabinet file that contains a large amount of padding. This is an old technique used by malware authors to bypass antivirus detection, sandbox analysis, and YARA rules.”
- [T1036] Masquerading – Quote: “a double extension, ‘Christian-Robinson-Route.jpg.exe,’ which is a tactic that malicious actors use to trick victims into downloading and executing malicious files.”
Indicators of Compromise
- [File name] context – Booking-id669392.jpg.scr, Booking-Maps-id785392.exe, and 14 more file names
- [SHA-256] context – bf803adb5695fce143062e6f51980d46537167b7a9e0e85ad13a999e35bd0466, 6c5a4a8b7554000d5ab5221c43f25f093ba6a37c6b2511335e002f333c5af6c4, and other hashes
- [Detection name] context – Trojan.Win32.REDLINE.JKRC, Trojan.MSIL.REDLINE.V, and 2 more
- [File size] context – 929.7 MB, 701.6 MB, and 2 more
- [URL] context – hxxp://45.93.201[.]62/docs/, hxxp://45.93.201[.]114/docs/, and 2 more
- [IP address] context – 77.73.134[.]13:12785
- [Process] context – outlook.exe
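The techniques and indicators listed above translate directly into detection logic. The following is an added defender-side example, not code from the Trend Micro report: it screens endpoint telemetry for the published hashes, URL prefixes and C2 endpoint, and applies two heuristics the campaign motivates (double-extension lure names and unusually large executables). The sample events are constructed; the size threshold, the decoy/executable extension lists and the "PowerShell parenting aspnet_compiler.exe" rule are assumptions, not values from the report.

```python
from dataclasses import dataclass
from typing import Dict, List

# Indicators copied from the report summary above, kept defanged as published.
IOC_SHA256 = {
    "bf803adb5695fce143062e6f51980d46537167b7a9e0e85ad13a999e35bd0466",
    "6c5a4a8b7554000d5ab5221c43f25f093ba6a37c6b2511335e002f333c5af6c4",
}
IOC_URL_PREFIXES = {"hxxp://45.93.201[.]62/docs/", "hxxp://45.93.201[.]114/docs/"}
IOC_C2_ENDPOINTS = {"77.73.134[.]13:12785"}

# Heuristic thresholds (assumptions, not from the report): the samples were
# 700-930 MB, so any executable this large deserves a second look.
OVERSIZED_BYTES = 100 * 1024 * 1024
EXEC_EXTS = (".exe", ".scr", ".cab", ".com", ".bat", ".ps1")
DECOY_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt")


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    detail: str


def refang(value: str) -> str:
    """Convert a defanged indicator (hxxp, [.]) into the form seen in logs."""
    return value.replace("hxxp://", "http://").replace("[.]", ".")


def has_double_extension(filename: str) -> bool:
    """True for names like 'Route.jpg.exe': a decoy extension followed by an executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in EXEC_EXTS and "." + parts[1] in DECOY_EXTS


def check_file(ev: Dict) -> List[Finding]:
    name, size = ev["name"], int(ev.get("size", 0))
    out: List[Finding] = []
    if ev.get("sha256", "").lower() in IOC_SHA256:
        out.append(Finding("high", "ioc-hash", name))
    if has_double_extension(name):
        out.append(Finding("high", "double-extension", name))
    if size >= OVERSIZED_BYTES and name.lower().endswith(EXEC_EXTS):
        out.append(Finding("medium", "oversized-executable", f"{name} ({size} bytes)"))
    return out


def check_url(ev: Dict) -> List[Finding]:
    url = refang(ev["url"])
    if any(url.startswith(refang(p)) for p in IOC_URL_PREFIXES):
        return [Finding("high", "ioc-url", url)]
    return []


def check_net(ev: Dict) -> List[Finding]:
    endpoint = f'{ev["dst_ip"]}:{ev["dst_port"]}'
    if endpoint in {refang(e) for e in IOC_C2_ENDPOINTS}:
        return [Finding("high", "ioc-c2", endpoint)]
    return []


def check_proc(ev: Dict) -> List[Finding]:
    # Assumed heuristic: the report names aspnet_compiler.exe as the injection
    # host of a PowerShell-run loader, so PowerShell parenting it is suspicious.
    parent, image = ev["parent"].lower(), ev["image"].lower()
    if parent.endswith("powershell.exe") and image.endswith("aspnet_compiler.exe"):
        return [Finding("medium", "powershell-spawns-aspnet-compiler", f"{parent} -> {image}")]
    return []


CHECKS = {"file": check_file, "url": check_url, "net": check_net, "proc": check_proc}


def triage(events: List[Dict]) -> List[Finding]:
    """Run every event through the check for its type and collect all findings."""
    findings: List[Finding] = []
    for ev in events:
        findings.extend(CHECKS.get(ev["type"], lambda _e: [])(ev))
    return findings


# Constructed sample telemetry (not real logs); indicator values match the report.
SAMPLE_EVENTS = [
    {"type": "file", "name": "Christian-Robinson-Route.jpg.exe", "size": 929_700_000,
     "sha256": "bf803adb5695fce143062e6f51980d46537167b7a9e0e85ad13a999e35bd0466"},
    {"type": "url", "url": "http://45.93.201.114/docs/fzLJerifqJwFtnjbrlnJPNrfnupnYg.txt"},
    {"type": "net", "dst_ip": "77.73.134.13", "dst_port": 12785},
    {"type": "proc", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"},
    {"type": "file", "name": "route-map.pdf", "size": 180_000, "sha256": "0" * 64},  # benign
    {"type": "net", "dst_ip": "10.0.0.5", "dst_port": 443},  # benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

The indicator checks are exact matches and will age as infrastructure rotates; the two heuristics (decoy-then-executable extension, oversized executable) outlive any single campaign and are the rules worth keeping once these specific hashes and addresses are retired.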