In the recent revelation, threat actors affiliated with RedLine and Vidar information stealing campaigns have exhibited a concerning shift towards ransomware dissemination by incorporating phishing strategies that spread initial payloads secured with Extended Validation (EV) Code Signing certificates.
In lay terms, these threat actors use the same methods to deliver ransomware as they do to distribute the info-stealers.
During the timeframe spanning July to August 2023, more than 30 samples surfaced, all carrying a common thread: they were signed with EV code signing certificates.
These samples were linked to a specific type of info-stealing malware known as TrojanSpy.Win32.VIDAR.SMA. Complicating matters further, “Each of these samples had unique characteristics, deliberately crafted to evade detection.”
This diversity made it exceptionally challenging to identify and combat these threats effectively. In the context of the RedLine and Vidar campaigns, researchers also suspected that whoever signed these samples either owns the physical security token on which the EV private key is stored or has access to the computer to which that token is connected.
In a cyber incident investigated by a leading cybersecurity firm, an unnamed victim fell prey to this two-stage attack. Starting around July 10, the victim received, from multiple campaigns, payloads carrying info-stealing malware signed with an EV Code Signing certificate. Subsequently, on August 9, the same victim was hit with ransomware delivered through the same technique. The ransomware was deployed after the victim downloaded and opened a fake TripAdvisor-Complaint.pdf.htm attachment.
As a result, the victim downloads and executes the file TripAdvisor Complaint-Possible Suspension.exe. An alternative malware version downloads an Excel XLL file (a file created using Excel-DNA, which integrates .NET into Microsoft Excel to execute malware when the file is opened) when the “Read Complaint” button is selected.
The file TripAdvisor Complaint-Possible Suspension.exe connects to URLs such as doi[.]org (which governs the Digital Object Identifier system) and i.ibb[.]co/Gp95Qcw/2286401330.png (an image hosting site). The contents of the 2286401330.png file are read and transformed into an encrypted shellcode, which is then saved in a file path such as C:\Users\<username>\AppData\Roaming\KYMRCRHEVFUJGZHWNKKD\YUUUBCFJVYCNCBMABZLBL. This shellcode is then decrypted to generate another shellcode, which is saved in a file path such as C:\Users\<username>\AppData\Local\Temp\70685a9e.
The malware then spawns cmd.exe and injects the second decrypted shellcode (70685a9e) into it. Following this, cmd.exe drops a legitimate standalone console application called rgb9rast.exe in %temp% and launches it. Eventually, the ransomware payload identified as Ransom.Win64.CYCLOPS.A is injected into rgb9rast.exe.
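As an added illustration (not code from the original report or its vendor), the following Python sketch checks a few constructed endpoint events for the observable artefacts of the chain described above: a downloaded executable spawning cmd.exe, a drop into a randomly named all-uppercase directory under AppData\Roaming, and cmd.exe writing or launching rgb9rast.exe from %temp%. The event tuple layout, the sample paths, the rule names and the 15-letter length threshold are assumptions for the example.

```python
import re

# Constructed, simplified endpoint telemetry for the example: (event_type, parent_image, target_path).
# These are not real captured events; paths follow the chain described in the article.
SAMPLE_EVENTS = [
    ("process", r"C:\Users\alice\Downloads\TripAdvisor Complaint-Possible Suspension.exe",
                r"C:\Windows\System32\cmd.exe"),
    ("file",    r"C:\Users\alice\Downloads\TripAdvisor Complaint-Possible Suspension.exe",
                r"C:\Users\alice\AppData\Roaming\KYMRCRHEVFUJGZHWNKKD\YUUUBCFJVYCNCBMABZLBL"),
    ("file",    r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\AppData\Local\Temp\rgb9rast.exe"),
    ("process", r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\AppData\Local\Temp\rgb9rast.exe"),
    ("process", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),  # benign noise
]

# Artefacts from the described chain. The 15-letter minimum is an assumption; the observed
# directory names were 20 and 21 uppercase letters long.
ROAMING_RANDOM_DIR = re.compile(r"\\AppData\\Roaming\\[A-Z]{15,}\\[A-Z]{15,}$")
TEMP_RGB9RAST = re.compile(r"\\AppData\\Local\\Temp\\rgb9rast\.exe$", re.IGNORECASE)
CMD_EXE = re.compile(r"\\cmd\.exe$", re.IGNORECASE)


def find_indicators(events):
    """Return (rule_name, path) hits, in event order, for the Cyclops delivery chain."""
    hits = []
    for kind, parent, target in events:
        # A freshly downloaded executable launching cmd.exe (first injection stage).
        if kind == "process" and CMD_EXE.search(target) and "\\Downloads\\" in parent:
            hits.append(("downloaded_exe_spawns_cmd", parent))
        # Encrypted shellcode written to a random all-uppercase Roaming subdirectory.
        if kind == "file" and ROAMING_RANDOM_DIR.search(target):
            hits.append(("random_uppercase_roaming_drop", target))
        # cmd.exe dropping or launching the rgb9rast.exe host process from %temp%.
        if CMD_EXE.search(parent) and TEMP_RGB9RAST.search(target):
            hits.append(("cmd_drops_or_runs_rgb9rast_in_temp", target))
    return hits


def chain_present(hits):
    """True when both process-chain stages (cmd spawn and rgb9rast in %temp%) were seen."""
    rules = {name for name, _ in hits}
    return {"downloaded_exe_spawns_cmd", "cmd_drops_or_runs_rgb9rast_in_temp"} <= rules


if __name__ == "__main__":
    for rule, path in find_indicators(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```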
To carry out such a hybrid (two-stage) attack, RedLine and Vidar operators rely on tactics that prey on human psychology and exploit common user behaviour. One such tactic is spear-phishing emails crafted to urge immediate action, often on matters of health or finances. They also use “double extension” files that disguise malicious EXE files as harmless PDFs or JPEGs, and LNK files to execute their payloads while evading detection.
To protect yourself from such attacks, refrain from downloading files, programs or software from unverified sources or websites; deploy multilayered protection for both individual and enterprise systems; use strong passwords; keep software updated; install antivirus; and back up your data regularly.