RedLine malware is the top credential stealer of the last 6 months


RedLine malware has been used to steal more than 170 million passwords over the past six months, making it the most notorious credential thief of that period, according to a study published March 12.

RedLine was used in nearly half of all cyber incidents involving stolen passwords (47%), more than twice the share of the next closest stealer, Vidar. Vidar, according to the report, was used to steal more than 65 million passwords, or 17 percent. Raccoon Stealer comes third, linked to more than 42 million stolen passwords, or 11.7%. The Meta, Cryptbot, RisePro, Stealc, Azorult, Aurora, and DarkCrystal malware strains round out the top 10 credential stealers.

The data was extracted from lists of known breached passwords by KrakenLabs and the password management company Specops, both owned by parent company Outpost24.


Over the past six months, KrakenLabs analyzed 359 million stolen passwords to identify the malware most commonly used to steal credentials, while Specops said its database of breached and compromised passwords contains over 4 billion unique passwords.

Discovered in March 2020, RedLine malware is used to exfiltrate personal information such as credentials, cryptocurrency wallets, and financial data to its command and control infrastructure. Its payload can also drop cryptocurrency miner software on the victim's machine. Specops reported that phishing campaigns were the most common distribution method for the major stealer malware families, along with compromised Google or YouTube accounts.

Vidar is an evolved version of Arkei Stealer, according to Specops, and is distributed in phishing campaigns as Microsoft Compiled HTML Help (CHM) files. Vidar was also distributed by the PPI PrivateLoader malware service, the Fallout Exploit Kit and Colibri loader, and the GHOSTPULSE malware loader.

Raccoon Stealer is malware-as-a-service that allows cybercriminals to rent the stealer on a monthly basis.

As Specops noted, stolen credentials can be used to carry out other attacks, but more often than not, they are sold on the dark web so other attackers can use the credentials to gain access to networks.

The FBI reported that its Internet Crime Complaint Center received a record 880,418 complaints in 2023, an increase of almost 10% from the previous year, covering crimes such as investment fraud and business email compromise scams, as well as ransomware and cryptocurrency scams.

Likewise, the Identity Theft Resource Center reported in January that the number of events in which data was compromised increased by a record 78% in 2023 compared to the previous year, although the number of victims fell by 16%.

Darren James, senior product manager at Specops, said it was interesting that RedLine malware was responsible for almost half of the stolen passwords analyzed by the company, adding that the report also highlights the number of passwords for sale on the dark web.

James cautioned users not to reuse passwords, adding that it was essential that security professionals continually scan Active Directory for breached or compromised passwords.
