Threat Actors using Shortened URLs to infect Users
Deceptive phishing is the preferred way for cybercriminals to distribute malware since luring the victim into clicking a link in a likely phishing SMS or Email is easier. The Threat Actor(TA) usually uses brand impersonation in phishing campaigns to trick the users into believing that they are reputed and legitimate. Cyble Research & Intelligence Labs (CRIL) has continuously monitored phishing campaigns where the Threat Actor (TA) impersonates any genuine entity to distribute malware.
Recently, CRIL identified 6 phishing sites impersonating Express VPN that was distributing Windows malware. The TA could use phishing emails, online ads, SEO attacks, and various other means to propagate links over the internet.
The phishing site looks very similar to the genuine Express VPN website. The phishing site is well-designed, and the TAs behind this phishing campaign has tried to copy the UI of the genuine site to trick the victim into downloading malware.
When a user clicks on the “Claim Exclusive Deal” or “Get ExpressVPN” buttons, the phishing site connects to the short Cuttly URL hxxps://cutt[.]ly/h1c4zjK which redirects to the Discord app URL hxxps://cdn[.]discordapp[.]com/attachments/879028824979931206/1046773157253632081/Setup[.]zip that downloads the malicious ZIP file Setup.zip.
The TA has used the short Cuttly URL to mask the actual discord URL, which further reduces the URL visibility to users, increasing the probability of successful infection. Additionally, these phishing sites have a valid SSL certificate, hence the browsers are not blocking sites which also increases the chance of infecting more users.
The phishing site offers a “3 extra months free” deal to the victim while the genuine site currently offers Black Friday with a “12 months + 3 extra months FREE” deal as shown in the figure below.
The phishing site is luring users by offering a similar deal as shown in the genuine site. Still, when the user clicks on the “Get ExpressVPN” button, the phishing site will directly download the malicious file, while the genuine site will redirect the user to the order page. The genuine site does not download any zip file on user click. Users should be cautious while visiting any ExpressVPN look-alike domain to avoid downloading malware.
We analyzed the downloaded setup.zip file and identified that the malicious file was a Redline Stealer. The detailed behavior of the stealer is explained below.
The setup.zip file contains a file setup.exe with a size of 640MB, and the binary is padded with zeroes at the end, which increases its size drastically. Threat Actors use this technique to bypass antivirus checks because it is difficult for antivirus products to handle large files. The figure below shows the padded part of the binary.
After this, the stealer payload fetches the configuration settings from the Command and Control (C&C) server using the net.tcp URL, “net[.]tcp[:]//22.214.171.124[:]34067/”. These settings specify the actions for collecting data from the victim’s system. The figure below shows the configuration settings fetched by the stealer.
After fetching the configuration details, the Redline Stealer steals the data from various applications installed on the victim’s system. It can steal login credentials, autofill data, cookies, and credit card details from all Gecko-based and Chromium-based web browsers. Other applications targeted by Redline stealer include cold crypto wallets, VPN, discord, and steam. The detailed analysis of Redline Stealer can be found here.
Redline Stealer is one of the most prominent InfoStealer. TAs are actively launching multiple campaigns to deliver such malware strains. Recently, we have witnessed an increase in the number of samples padded with junk data to increase their size for evading detection. This technique is also seen implemented in stealers such as Vidar and RecordBreaker.
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:
- Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., typically contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Credential Access||T1555 |
|Credentials from Password Stores |
Steal Web Session Cookie
|Account Discovery |
System Time Discovery
System Service Discovery
System Location Discovery
Peripheral Device Discovery
|Command and Control||T1571 |
|Non-Standard Port |
Non-Application Layer Protocol
|Exfiltration||T1041||Exfiltration Over C2 Channel |
Indicators of Compromise (IoCs):
| net[.]tcp[:]//126.96.36.199[:]34067||URL||C2 URL|