A significant proportion of stolen credentials being traded on two dark web underground marketplaces were gathered via the RedLine Stealer malware, according to Insikt Group, Recorded Future's cybersecurity research arm.
The RedLine Stealer, first discovered in March 2020, is a part of the info stealer family, a form of malware that once infects a computer and its primary goal is to capture as much user data as possible and then deliver it to the attackers, who often sell it online.
The RedLine Stealer has data gathering features such as the ability to extract login credentials from web browsers, FTP applications, email apps, instant messaging clients, and VPNs.
RedLine can also harvest authentication cookies and card numbers from browsers, chat logs, local files, and cryptocurrency wallet databases.
Since March 2020, the malware has been sold on many underground hacking sites by a coder called REDGlade. After good feedback in a hacking forum thread, unauthorized versions of the RedLine Stealer were distributed on hacker forums a few months later, in August of this year, facilitating it to proliferate to even more threat actors who did not have to pay for it.
But, even before the cracked version was released, RedLine had gained a devoted following. According to a report published last week by Insikt Group, the majority of stolen credentials available for sale on two underground marketplaces originate from computers infected with the RedLine Stealer.
Insikt researchers stated, “Both Amigos Market and Russian Market were identified by Insikt Group (June 2021) posting identical listings regularly that contained the same timestamps, infostealer variants used, geographical locations of affected machines, and ISPs.”
The results of the Insikt team follow similar research by threat intelligence firm KELA from February 2020, which discovered that around 90% of stolen credentials sold on the Genesis Market originated from infections with the AZORult infostealer.
According to the two reports, underground cybercrime marketplaces are fragmented and often operate with their own independent suppliers, just as legal markets have their own choices for particular business partners.
By going after the producers and dealers of these infostealers, this fragmentation opens the path to impairing the supply of multiple underground markets.
In February 2020, a Chrome upgrade (which modified how credentials were saved inside the browser) halted the flow of newly stolen credentials on Genesis Market for months until the AZORult stealer was modified to assist the new format.
