Triskele Labs Blog

What is Redline Stealer and how did it compromise my passwords?

Written by Nick Morgan | Feb 14, 2023 5:38:48 AM

Malicious software (otherwise known as malware) is a common part of running an organisational IT environment in 2023. Every IT team, and now every board, is starting to understand that there must be controls in place to protect the network against malware, which could lead to a compromise such as ransomware and/or data exfiltration. Controls such as Endpoint Detection and Response (EDR) are implemented on the company's machines, logs are shipped to a Security Information and Event Management (SIEM) solution, tools are monitored around the clock by a Managed Security Services Provider (MSSP) and staff are regularly trained with simulated phishing training and awareness. The layers of controls are in place to provide Defence in Depth and we do not need to worry about users' home machines, right? Wrong!

First spotted in March 2020, Redline Stealer is a piece of malware that specifically targets end users. Distributed through compromised software downloads, phishing, and drive-by downloads, Redline Stealer targets insecure passwords and crypto wallets. In addition, Redline Stealer can be utilised by a Threat Actor to gather system information such as IP address, usernames, keyboard layout, installed security solutions and more. Even worse, it can be utilised to distribute other malware, such as ransomware.

So, why does this considerably impact users' home machines? One of the key areas that Redline Stealer targets is passwords stored in browsers including Chrome, Edge and Mozilla. A lot of users rely on corporate IT to ensure security controls are implemented on their work machines, and do not consider implementing the same level of controls on their home machines. Should the user's machine be compromised by Redline Stealer, there is the potential that their credentials are compromised, including credentials used for work purposes. These credentials can either be used to conduct a further attack, or sold on Dark Web forums by what is known as an Initial Access Broker.

The Triskele Labs Digital Forensics and Incident Response (DFIR) team recently conducted an investigation where Redline Stealer was observed on a user's machine. The credentials stolen from their Internet browser were then utilised to log in to the Virtual Private Network (VPN), which was not protected with Multifactor Authentication (MFA). Within 35 minutes, the entirety of the network was impacted with ransomware and the organisation ground to a standstill for a week while the IT team tried to recover, and the DFIR team identified the compromise date to advise when the safe restore point was. All of this was caused through a phishing email that contained Redline Stealer, and the Threat Actor was off.

So, how do you protect your organisation from Redline Stealer?

  • Implement MFA on all externally facing systems that provide access to users.
  • Deploy policies internally that restrict the ability to save credentials in browsers.
  • Conduct awareness training (including simulated phishing) to test user knowledge.
  • Make users aware of malware such as Redline Stealer and encourage them to deploy an endpoint security solution on home devices and not to store credentials in browsers.
  • Utilise a password safe within the corporate environment, preferably one that provides a license for personal use at home.
  • Conduct simulated exercises such as Red Teaming and make the use of a tool such as Redline Stealer a scenario to ensure your controls adequately protect your network.
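
To check that the policy restricting saved browser credentials is actually in force, the following added example (not Triskele Labs code) audits managed-policy JSON for Chrome, Edge and Firefox. It assumes the policies are available as JSON documents and uses the vendors' `PasswordManagerEnabled` and `OfferToSaveLogins` policy names; the function names and sample documents are constructed for illustration.

```python
import json

# Vendor-documented enterprise policy names; False disables password saving.
REQUIRED = {
    "chrome": {"PasswordManagerEnabled": False},
    "edge": {"PasswordManagerEnabled": False},
    "firefox": {"PasswordManagerEnabled": False, "OfferToSaveLogins": False},
}

def audit(browser, raw_json):
    """Return a list of findings; an empty list means credential saving is blocked."""
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError:
        return [f"{browser}: policy document is not valid JSON"]
    # Firefox's policies.json nests its settings under a top-level "policies" key.
    if browser == "firefox" and isinstance(doc, dict):
        doc = doc.get("policies", {})
    if not isinstance(doc, dict):
        return [f"{browser}: policy document is not a JSON object"]
    findings = []
    for name, wanted in REQUIRED[browser].items():
        if name not in doc:
            findings.append(f"{browser}: {name} is not set, so saving is not blocked by policy")
        elif doc[name] is not wanted:
            # Catches true, 0, and the common mistake of the string "false".
            findings.append(f"{browser}: {name} is {doc[name]!r}, expected boolean false")
    return findings

def audit_fleet(documents):
    """Audit {browser: raw_json} and return only the browsers with findings."""
    results = {b: audit(b, raw) for b, raw in documents.items()}
    return {b: f for b, f in results.items() if f}

# Constructed sample policy documents (not taken from any real environment).
SAMPLES = {
    "chrome": '{"PasswordManagerEnabled": false}',
    "edge": '{"PasswordManagerEnabled": "false"}',  # string instead of boolean
    "firefox": '{"policies": {"PasswordManagerEnabled": false}}',  # one policy missing
}

if __name__ == "__main__":
    for browser, findings in audit_fleet(SAMPLES).items():
        for line in findings:
            print(line)
```
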

Threat Actors are finding more and more ways to compromise our networks, and it is imperative a Defence in Depth approach is taken across people, process and technology. For any further information, reach out to the Triskele Labs team.