Fortinet has uncovered an effort to spread RedLine malware through news about the COVID-19 Omicron strain. FortiGuard Labs researchers said the people behind the malware are trying to use the ongoing pandemic to steal information and credentials.
RedLine is a relatively common malware that steals all of the usernames and passwords it finds throughout an infected system. Fortinet said the RedLine Stealer variant in this instance steals stored credentials for VPN applications like NordVPN, OpenVPN, and ProtonVPN.
“FortiGuard Labs recently came across a curiously named file, ‘Omicron Stats.exe’ which turned out to be a variant of RedLine Stealer malware. While we have not been able to identify the infection vector for this particular variant, we believe that it is being distributed via email,” the company said in its report, noting that the issue affects Windows users.
“Based on the information collected by FortiGuard Labs, potential victims of this RedLine Stealer variant are spread across 12 countries. This indicates that this is a broad-brush attack and that the threat actors did not target specific organizations or individuals.”
Researchers at multiple cybersecurity companies have said use of RedLine Stealer started around March of 2020. It quickly took over as one of the most popular infostealers available on underground digital markets, according to Fortinet.
The researchers said cybercriminals typically use it to steal information and sell it on dark net marketplaces “for as low as $10 dollars per set of user credentials.” The credentials range from those used for accounts on online payment portals, e-banking services, and file-sharing tools to those used for social networking platforms.
“The malware emerged just as the world began to deal with increased numbers of COVID patients and the growing fear and uncertainty that can cause people to lower their guard, which may have prompted its developers to use COVID as its lure,” Fortinet explained.
Fortinet noted that hackers have previously used COVID-themed emails to spread RedLine Stealer variants, and the malware was embedded in a document designed to be opened by a victim.
Last month, data breach tracker Have I Been Pwned added 441,657 unique email addresses to its database after cybersecurity researcher Bob Diachenko discovered RedLine Stealer malware logs with more than six million records exposed online.
Cybersecurity firm Proofpoint said in a blog post in 2020 that RedLine is available for sale on Russian underground forums, with different versions costing $150 (lite) or $200 (pro).