Redline Malware Stealing Web Browser Stored Credentials

RedLine malware is a commodity information-stealer which can be obtained on cyber-crime websites


The RedLine malware steals information from popular internet browsers such as Chrome, Edge, and Opera, highlighting why saving passwords in browsers is a terrible idea.

This malware is a commodity information-stealer that can be obtained on cyber-crime websites for around $200 and deployed with very little understanding or effort.

A new analysis by AhnLab ASEC warns that the convenience of the auto-login feature in web browsers has become a significant security problem, affecting both enterprises and individuals.

In one case described by the analysts, a remote employee's VPN account credentials were taken by RedLine Stealer operators, who used them three months later to attack the company's network.

Although an anti-malware program was installed on the affected computer, it failed to detect and remove RedLine Stealer. The malware targets the 'Login Data' file, which is present in all Chromium-based web browsers and is an SQLite database that stores usernames and passwords.

While the browser password store used by Chromium-based browsers is encrypted, information-stealing malware can decrypt it programmatically as long as it runs as the same user who saved the passwords. Because RedLine runs in the context of the infected user, it can collect the passwords from that user's browser profile.

"Google Chrome encrypts the password with the help of CryptProtectData function, built into Windows. Now while this can be a very secure function using a triple-DES algorithm and creating user-specific keys to encrypt the data, it can still be decrypted as long as you are logged into the same account as the user who encrypted it," explains the author of the 'chrome_password_grabber' project. 

"The CryptProtectData function has a twin, who does the opposite to it; CryptUnprotectData, which... well you guessed it, decrypts the data. And obviously, this is going to be very useful in trying to decrypt the stored passwords." 

Even if users decline to save their credentials in the browser, the password management system will nonetheless add an entry indicating that the specific site is "blacklisted." 

While the attackers do not obtain credentials for a "blacklisted" site, the entry still tells them that the user has an account there, which supports follow-up credential stuffing or social engineering/phishing attacks.
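The following is an added example, not code from the article or from AhnLab: a small Python audit that reads a constructed copy of the Login Data file and reports which sites have a saved password and which are only "blacklisted" (the user chose "Never" for the site). It assumes a reduced subset of the logins table schema and never decrypts the password blobs; the point is to show what any process running as the user can learn from the file, including from the blacklisted entries.

```python
import sqlite3
import tempfile
from pathlib import Path

# Assumed subset of the 'logins' table in Chromium's Login Data file (the real
# table has many more columns). password_value stays an opaque blob: this audit
# never calls CryptUnprotectData or decrypts anything.
LOGINS_SCHEMA = """CREATE TABLE logins (
    origin_url VARCHAR NOT NULL, username_value VARCHAR,
    password_value BLOB, blacklisted_by_user INTEGER NOT NULL DEFAULT 0)"""

# Constructed sample rows, not data taken from any real profile.
SAMPLE_ROWS = [
    ("https://vpn.example.test/login", "jdoe", b"v10-opaque-dpapi-blob", 0),
    ("https://mail.example.test/", "jdoe@example.test", b"v10-opaque-dpapi-blob", 0),
    # The user chose "Never" for this site: no password, but the site is recorded.
    ("https://bank.example.test/", "", b"", 1),
]

def build_sample_login_data(path: Path) -> None:
    """Write a constructed Login Data file containing SAMPLE_ROWS."""
    with sqlite3.connect(path) as con:
        con.executescript(LOGINS_SCHEMA)
        con.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    con.close()

def audit_login_data(path: Path) -> dict:
    """Inventory what any process running as this user can read from the file:
    'stored' origins carry a DPAPI-protected password, 'blacklisted' origins
    hold no password but still reveal where the user has an account."""
    with sqlite3.connect(path) as con:
        rows = con.execute(
            "SELECT origin_url, username_value, blacklisted_by_user FROM logins"
        ).fetchall()
    con.close()
    return {
        "stored": sorted({url for url, _, flagged in rows if not flagged}),
        "blacklisted": sorted({url for url, _, flagged in rows if flagged}),
        "usernames": sorted({user for _, user, flagged in rows if not flagged and user}),
    }

def run_sample_audit() -> dict:
    """Build the sample file in a temp dir, audit it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "Login Data"
        build_sample_login_data(path)
        return audit_login_data(path)
```

On a real profile the file is locked while the browser runs, so an audit would work on a copy; the report is the list of accounts that would be exposed if anything malicious ran as that user.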

Threat actors either utilize the obtained credentials in subsequent assaults or attempt to monetize them by selling them on darknet marketplaces. 

The emergence of the '2easy' dark web marketplace, where 50% of all traded data was stolen with RedLine, illustrates how popular the malware has become among hackers.