Stealer Thugs Behind RedLine & Vidar Pivot to Ransomware

Published: 23/11/2024 | Category: security




In a notable shift in strategy, the threat actors are abusing code-signing certificates to spread a double whammy of infostealers and ransomware payloads.



Two cybercriminal groups well established in the infostealer business are diversifying their capabilities: they are abusing code-signing certificates to spread stealer malware, then pivoting to ransomware through the same delivery channels.
The threat actors behind the prolific RedLine and Vidar stealers are now distributing ransomware payloads through the same phishing campaigns, whose initial payloads are signed with Extended Validation (EV) code-signing certificates that allow them to slip past email security, Trend Micro researchers revealed in a blog post on Sept. 13.
"[Their actions suggest] that the threat actors are streamlining operations by making their techniques multipurpose," Trend Micro researchers Hitomi Kimura, Ryan Soliven, Ricardo Valdez III, Nusrath Iqra, and Ryan Maglaque wrote in the post.
They investigated a specific case in which a victim first received infostealer malware signed with EV code-signing certificates and later, via the same route, began receiving ransomware payloads. EV code-signing certificates are issued only to organizations whose legal and physical existence in their country has been verified, so issuance requires extended identity vetting compared with regular code-signing certificates, and the private key must be generated on a hardware token.
In all, Trend Micro researchers found 30 EV code-signed samples from July to August this year tied to this one victim.
The infostealer, detected as TrojanSpy.Win32.VIDAR.SMA, was polymorphic, with each sample having a different hash, they wrote in the post.
This is the first time the researchers have observed a single threat actor with this many EV-signed samples, and they are unsure how the actor obtained the private key. Attackers have, however, long abused stolen code-signing certificates to pass malware off as legitimate software and slip past security protections; a valid signature only attests to which certificate signed the file, not to whether the file is benign.
The industry has taken notice of the gaps in the technology. The Certificate Authority/Browser Forum (CA/B Forum), a public key infrastructure (PKI) industry group, has made hardware key generation mandatory even for regular code-signing certificates in an effort to protect private keys, according to Trend Micro. This makes it harder to steal private keys and certificates from computers, since they can no longer be copied as software files.
Trend Micro's investigation into the incident, however, revealed that the infostealer's code signature was not invalidated, because the CA set the revocation date to Aug. 3, the date Trend Micro reported the abuse, rather than to the sample's signing date. The sample was signed on July 17, earlier than the revocation date, so its signature continued to verify as valid: a code signature carrying a trusted timestamp is evaluated against the certificate's status at the timestamped signing time, and a revocation dated after that time does not affect it.
The researchers contacted the certificate authority (CA) to explain how to mitigate such scenarios, advising that the certificate be revoked with its issuance date as the revocation date so as to invalidate every signature made with it. In response, the CA reprocessed the revocation with March 21 as the revocation date, and all publicly observed samples signed after March 21 were invalidated, according to Trend Micro.
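The revocation-date problem above is easy to get wrong during incident response, so here is a small model of how an Authenticode-style verifier decides whether a signature made with a revoked certificate is still accepted. This is an added example, not Trend Micro's tooling or the CA's process; the sample names, the certificate validity window and the year (the page gives only month and day) are constructed to mirror the article's timeline. It also covers a case the article does not discuss: a signature with no trusted timestamp, which a revocation of any date invalidates.

```python
"""Model of an Authenticode-style validity decision for a signed sample
whose signing certificate is later revoked.  Added example; all dates
are constructed from the article's timeline, and the year (2023) is an
assumption because the page does not state it."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class SignedSample:
    name: str
    cert_not_before: date          # certificate issuance date
    cert_not_after: date           # certificate expiry date
    signed_on: Optional[date]      # RFC 3161 countersignature time; None = no timestamp


def signature_valid(sample: SignedSample, revoked_on: Optional[date], today: date) -> bool:
    """Return True if a verifier would still accept the sample's signature.

    * Timestamped signature: the certificate is evaluated as of signed_on, so a
      revocation only bites when revoked_on <= signed_on.
    * Untimestamped signature: the certificate is evaluated as of today, so any
      revocation (or expiry) invalidates it.
    """
    check_time = sample.signed_on or today
    if not (sample.cert_not_before <= check_time <= sample.cert_not_after):
        return False                          # expired or not yet valid at check_time
    if revoked_on is None:
        return True                           # certificate never revoked
    if sample.signed_on is None:
        return False                          # no timestamp: revocation is immediate
    return sample.signed_on < revoked_on      # signed before the revocation date => still valid


def triage(samples: Iterable[SignedSample], revoked_on: Optional[date], today: date) -> Dict[str, bool]:
    """Map each sample name to the verifier's verdict under a given revocation date."""
    return {s.name: signature_valid(s, revoked_on, today) for s in samples}


# Constructed fixtures mirroring the article (year assumed).
ISSUED = date(2023, 3, 21)                   # the issuance date the CA finally used
EXPIRES = date(2024, 3, 20)
TODAY = date(2023, 8, 10)
SAMPLES = [
    SignedSample("vidar_jul17.exe", ISSUED, EXPIRES, date(2023, 7, 17)),  # the case in the article
    SignedSample("vidar_aug05.exe", ISSUED, EXPIRES, date(2023, 8, 5)),   # signed after the report date
    SignedSample("vidar_nots.exe", ISSUED, EXPIRES, None),                # no countersignature at all
]
REVOKED_ON_REPORT = date(2023, 8, 3)         # what the CA did first
REVOKED_AT_ISSUANCE = ISSUED                 # what Trend Micro asked for

if __name__ == "__main__":
    for label, rev in (("revoked on report date", REVOKED_ON_REPORT),
                       ("revoked at issuance date", REVOKED_AT_ISSUANCE)):
        print(label, triage(SAMPLES, rev, TODAY))
```

With the report date as the revocation date, the July 17 sample still verifies while the untimestamped one and the Aug. 5 one do not; with the issuance date, every sample fails. The operational lesson is the same one the researchers drew: once a certificate is known to be abused, hunt for files by the signer's thumbprint or serial number and treat them as hostile regardless of what the signature verifier reports.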
The campaign began with socially engineered spear-phishing emails that pressed the recipient to act with a sense of urgency, with typical lures relating to health and hotel accommodations.
In July, the victim began receiving infostealer payloads from a series of campaigns. Then, on Aug. 9, the victim received a ransomware payload after being tricked into downloading and opening a fake TripAdvisor complaint attached to an email. The attachment used a double file extension (.pdf.htm) to pose as a benign .pdf file and conceal the actual .htm payload, the researchers wrote.
The payload executed a series of processes that eventually deployed a ransomware payload detected as Ransom.Win64.CYCLOPS. Unlike the infostealer samples, however, the files used to drop the ransomware did not carry EV certificates, though they came from the same threat actor via the same delivery method.
The payloads used LNK files containing the command that executes the malicious file, which helps bypass detection, the researchers wrote. Despite Google Drive's built-in protections, which automatically scan files for malware, the attackers still managed to distribute malicious files through the storage service.
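The two delivery tricks above, a document-looking double extension and an LNK shortcut that launches the real payload, are both visible in the attachment filename before anything is opened. The following is an added example of a mail-gateway or SIEM triage rule for such names; it is not Trend Micro's detection logic, and the filenames, the extension lists and the severity labels are constructed for illustration. It also handles two things the article does not mention: legitimate compound extensions such as .tar.gz, which must not fire, and whitespace padding inserted before the final extension to push it out of view.

```python
"""Attachment-name triage for double-extension and active-content lures.
Added example with constructed filenames; extension lists are illustrative,
not an exhaustive policy."""
import re
from typing import Dict, Iterable, NamedTuple

# Final extensions that run or render active content when opened.
ACTIVE_EXT = {"exe", "scr", "lnk", "hta", "htm", "html", "js", "jse",
              "vbs", "vbe", "wsf", "bat", "cmd", "ps1"}
# Extensions attackers prepend so the name reads as a document or image.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png", "zip"}
# Benign multi-part suffixes that must never be treated as a disguise.
BENIGN_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz"), ("min", "js"), ("d", "ts")}


class Verdict(NamedTuple):
    filename: str
    level: str      # "ok", "review" or "block"
    reason: str


def classify(name: str) -> Verdict:
    """Classify one attachment filename by its extension chain."""
    norm = re.sub(r"\s+", "", name.lower())      # defeat "invoice.pdf      .lnk" padding
    exts = norm.split(".")[1:]                    # every extension after the base name
    if not exts:
        return Verdict(name, "ok", "no extension")
    final = exts[-1]
    if len(exts) >= 2 and (exts[-2], final) in BENIGN_COMPOUND:
        return Verdict(name, "ok", "known compound extension")
    if final not in ACTIVE_EXT:
        return Verdict(name, "ok", "inert final extension")
    if len(exts) >= 2 and exts[-2] in DECOY_EXT:
        return Verdict(name, "block", f"decoy .{exts[-2]} masks active .{final}")
    return Verdict(name, "review", f"active attachment type .{final}")


def triage_attachments(names: Iterable[str]) -> Dict[str, str]:
    """Map each filename to its severity level."""
    return {n: classify(n).level for n in names}


# Constructed sample attachment names.
SAMPLE_NAMES = [
    "TripAdvisor-Complaint.pdf.htm",   # the lure described in the article
    "Invoice_2291.PDF   .lnk",         # padded name hiding a shortcut
    "Booking_Confirmation.htm",        # active type, no decoy: still worth a look
    "backup-2023-08.tar.gz",           # legitimate compound extension
    "quarterly.report.pdf",            # dots in the base name, inert final extension
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(classify(n))
```

The rule is deliberately name-based so it runs before detonation; pair it with content checks (an .htm attachment that is actually a PE, an LNK whose target is a script interpreter) for the cases where the name alone is honest.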
Trend Micro advised that individuals and organizations who have been targeted by infostealing campaigns should now be cautious of potential ransomware attacks in the future, as the findings suggest threat actors are becoming more efficient at reusing their techniques for different purposes and cybercrimes, the researchers wrote.
Further, the findings underline the importance of configuring and updating attack surface protections that remove malicious items before they reach users. Early detection and mitigation can prevent threat actors from harvesting enough information to leverage for a ransomware attack later on, they noted.
Finally, as always, users should refrain from downloading files, programs, and software from unverified sources and websites.
