Cyble Research and Intelligence Labs (CRIL) researchers have discovered a phishing site that mimics the popular file-conversion service Convertio and distributes RedLine Stealer.
The fake site prompts the user to select an input file. After selecting a file to be converted, the user can choose the extension of the output file. After selecting the file types and clicking the "Convert" button, the victim is redirected to the download page.
When the user clicks the download button, a ZIP archive is downloaded. Instead of a file of the selected type, the archive contains a shortcut (LNK) file. Running the shortcut downloads two batch files, "2.bat" and "3.bat"; once executed they add the "exe" and "bat" extensions, after which the final payload, an executable disguised as a PDF, is downloaded.
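The lure described above works because the archive contains a shortcut where the converted document should be. The following script, an added example and not code from the Cyble report, inspects a "converter" download and flags entries by extension and by file header (the LNK header magic and the MZ executable magic). The extension list, the sample archives and the verdict logic are assumptions made for the example.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Extensions a file-conversion service should never return. Assumed list for
# this example, not taken from the article.
SUSPICIOUS_EXTENSIONS = {".lnk", ".bat", ".cmd", ".exe", ".scr", ".js", ".vbs", ".ps1"}

# Shell Link (LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian form.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
MZ_MAGIC = b"MZ"  # DOS/PE executable header


def sniff_header(head: bytes) -> Optional[str]:
    """Identify a shortcut or executable from its leading bytes, ignoring the name."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(MZ_MAGIC):
        return "exe"
    return None


def analyze_converter_zip(zip_bytes: bytes, expected_ext: str) -> Dict[str, object]:
    """Inspect an archive that claims to contain a converted file.

    Returns the entry names, entries with suspicious extensions or headers,
    entries not matching the requested output type, and a verdict.
    """
    expected_ext = expected_ext.lower().lstrip(".")
    entries: List[str] = []
    suspicious: List[str] = []
    unexpected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            entries.append(name)
            base = name.lower().rsplit("/", 1)[-1]
            # Check every dotted suffix so "report.pdf.lnk" is caught too.
            suffixes = {"." + part for part in base.split(".")[1:]}
            with zf.open(info) as fh:
                head = fh.read(32)
            if suffixes & SUSPICIOUS_EXTENSIONS or sniff_header(head) is not None:
                suspicious.append(name)
            if not base.endswith("." + expected_ext):
                unexpected.append(name)
    verdict = "block" if suspicious else ("review" if unexpected else "ok")
    return {"entries": entries, "suspicious": suspicious,
            "unexpected_type": unexpected, "verdict": verdict}


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP for the demo (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a genuine conversion result, and an archive shaped like
# the lure (a shortcut in place of the requested PDF).
BENIGN_ZIP = build_sample_zip({"document.pdf": b"%PDF-1.4 constructed sample"})
LURE_ZIP = build_sample_zip({"document.pdf.lnk": LNK_MAGIC + b"\x00" * 56})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("lure", LURE_ZIP)):
        print(label, analyze_converter_zip(blob, "pdf"))
```

The header check matters because a user who asked for a PDF may be shown a file with a PDF icon; matching on the LNK or MZ magic rather than the name catches the payload even when the extension has been disguised.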
The malware executable was identified by experts as RedLine Stealer. It targets web browsers, crypto wallets, and apps like FileZilla, Discord, Steam, Telegram, and VPN clients.
In addition, it collects information about the infected system: OS, hardware, running processes, antivirus products, installed programs, and language. The stealer then exfiltrates all collected data to the attacker's remote server.