Cyber Security Threat Summary:
Researchers from Satori Threat Intelligence discovered a new version of the ScrubCrypt obfuscation tool being used to target organizations with the RedLine stealer malware. This latest version of ScrubCrypt is for sale on dark web marketplaces, and is being used in account takeover and fraud attacks.
ScrubCrypt is a tool that allows threat actors to avoid detection by converting executable files into batch files. The website currently selling the malware is hosted in Russia and is out of reach of law enforcement agencies in the US and EU.
Security Officer Comments:
To avoid firewall defenses that block geolocation, the command-and-control server for RedLine Stealer is hosted using American data center proxies and virtual servers. Using social engineering, threat actors will trick victims into downloading a .bat file to their device. This .bat file carries a base64-encoded payload and is peppered throughout with nonsensical repeating strings to obfuscate the payload. In the next step of the attack, the threat actors will deobfuscate this payload and retrieve the RedLine Stealer Windows executable payload. It should be noted that this tool can also be used to deliver other types of malware.
RedLine stealer is a prominent piece of malware designed to compromise accounts by stealing cookies, browser login data, and other locally-stored information. Using this stolen data, threat actors can carry out account takeover and fraud attacks by logging in with the stolen cookies and credentials.
While various methods have been used to install RedLine Stealer on victim machines, this was the first time the researchers from Santori Intelligence has seen ScrubCrypt as part of the attack chain.
It recommended that organizations, particularly those with direct/private messaging capabilities native to their user platforms, take the following actions to mitigate this threat:
- Deploy protections that detect and mitigate cookie-stealing attacks
- Use tools that can flag users with credentials leaked or stolen in other threats
- Force compromised users to change their user credentials and confirm identity through two factor authentication (2FA)
- Stay up-to-date with threat research detailing evolving attack techniques