Cyble-Blogs-Express-VPN

Redline Stealer being Distributed via Fake Express VPN Sites

Threat Actors using Shortened URLs to infect Users

Deceptive phishing is the preferred way for cybercriminals to distribute malware since luring the victim into clicking a link in a likely phishing SMS or Email is easier. The Threat Actor(TA) usually uses brand impersonation in phishing campaigns to trick the users into believing that they are reputed and legitimate. Cyble Research & Intelligence Labs (CRIL) has continuously monitored phishing campaigns where the Threat Actor (TA) impersonates any genuine entity to distribute malware.

Recently, CRIL identified 6 phishing sites impersonating Express VPN that was distributing Windows malware. The TA could use phishing emails, online ads, SEO attacks, and various other means to propagate links over the internet.

  • express-vpns[.]biz
  • express-vpns[.]cloud
  • express-vpns[.]fun
  • express-vpns[.]online
  • express-vpns[.]pro
  • express-vpns[.]xyz

The phishing site looks very similar to the genuine Express VPN website. The phishing site is well-designed, and the TAs behind this phishing campaign has tried to copy the UI of the genuine site to trick the victim into downloading malware.

Figure 1 – Phishing site impersonating Express VPN

When a user clicks on the “Claim Exclusive Deal” or “Get ExpressVPN” buttons, the phishing site connects to the short Cuttly URL hxxps://cutt[.]ly/h1c4zjK which redirects to the Discord app URL hxxps://cdn[.]discordapp[.]com/attachments/879028824979931206/1046773157253632081/Setup[.]zip that downloads the malicious ZIP file Setup.zip.

The TA has used the short Cuttly URL to mask the actual discord URL, which further reduces the URL visibility to users, increasing the probability of successful infection. Additionally, these phishing sites have a valid SSL certificate, hence the browsers are not blocking sites which also increases the chance of infecting more users.

The phishing site offers a “3 extra months free” deal to the victim while the genuine site currently offers Black Friday with a “12 months + 3 extra months FREE” deal as shown in the figure below.

Figure 2 – Phishing site (left) and genuine site (right) offers

The phishing site is luring users by offering a similar deal as shown in the genuine site. Still, when the user clicks on the “Get ExpressVPN” button, the phishing site will directly download the malicious file, while the genuine site will redirect the user to the order page. The genuine site does not download any zip file on user click. Users should be cautious while visiting any ExpressVPN look-alike domain to avoid downloading malware.

We analyzed the downloaded setup.zip file and identified that the malicious file was a Redline Stealer. The detailed behavior of the stealer is explained below.

Payload Analysis

The setup.zip file contains a file setup.exe with a size of 640MB, and the binary is padded with zeroes at the end, which increases its size drastically. Threat Actors use this technique to bypass antivirus checks because it is difficult for antivirus products to handle large files. The figure below shows the padded part of the binary. 

Figure 3 – Padded Binary

Upon execution, setup.exeinjects the stealer payload into jsc.exe- a JavaScript compiler program signed by Microsoft. The figure below shows the process injection.

Figure 4 – Process Injection

After this, the stealer payload fetches the configuration settings from the Command and Control (C&C) server using the net.tcp URL, “net[.]tcp[:]//109.107.191.169[:]34067/”. These settings specify the actions for collecting data from the victim’s system. The figure below shows the configuration settings fetched by the stealer.

Figure 5 – Fetches Configuration Settings from C&C

After fetching the configuration details, the Redline Stealer steals the data from various applications installed on the victim’s system. It can steal login credentials, autofill data, cookies, and credit card details from all Gecko-based and Chromium-based web browsers. Other applications targeted by Redline stealer include cold crypto wallets, VPN, discord, and steam. The detailed analysis of Redline Stealer can be found here.

Conclusion

Redline Stealer is one of the most prominent InfoStealer. TAs are actively launching multiple campaigns to deliver such malware strains. Recently, we have witnessed an increase in the number of samples padded with junk data to increase their size for evading detection. This technique is also seen implemented in stealers such as Vidar and RecordBreaker.

​Our Recommendations 

​We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:  

  • ​ Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc.,  typically contains such malware.   
  • Use strong passwords and enforce multi-factor authentication wherever possible.    
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.   
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.   
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.    
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.   
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.   
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques

​Tactic ​Technique ID ​Technique Name 
​Initial Access T1566 ​Phishing 
​Execution T1204 ​User Execution 
​Credential Access T1555  ​
T1539 
T1552 
​Credentials from Password Stores  ​
Steal Web Session Cookie  ​
Unsecured Credentials 
​Collection T1113 ​Screen Capture 
​Discovery T1087 
T1518 
T1057 
T1124 
T1007 
T1614 
T1120 
​Account Discovery  ​
Software Discovery 
​Process Discovery  ​
System Time Discovery  ​
System Service Discovery  ​
System Location Discovery  ​
Peripheral Device Discovery 
​Command and Control T1571 
T1095 
​Non-Standard Port  ​
Non-Application Layer Protocol 
​Exfiltration T1041 ​Exfiltration Over C2 Channel  ​ 

Indicators of Compromise (IoCs):   

​Indicators ​Indicator type ​Description 
​ net[.]tcp[:]//109.107.191.169[:]34067​URL ​C2 URL 
​650ea9f40f79a23673d8e907c79c350a
b0491e5a077eef6df868e66b6e5d4a594d4a01da 0e3b024a0f4013541cc0771b02878182f0b599945b2ea60342f5c4c24d27e2e0
​MD5
SHA1
SHA256
​SHA-256 
express-vpns[.]biz
express-vpns[.]cloud
express-vpns[.]fun
express-vpns[.]online
express-vpns[.]pro
express-vpns[.]xyz
URLMalicious URL

Recent Blogs

Colombia OT Devices Blog

CRIL investigates the evolving threat landscape of hacktivism leading to cyberattacks on Colombian Critical Infrastructure and Zero-day Sales by Hacktivists.

Read More »
Bl00dy Ransomware Targets Indian University

CRIL analyzes Bl00dy Ransomware’s recent targeting of an Indian University via exploitation of the PaperCut vulnerability.

Read More »
PixBankBlog ATS Blog

Cyble analyzes PixBankBot, a new ATS-based malware that targets Brazilian banks through the popular Pix instant payment platform.

Read More »
Scroll to Top