RedLine info-stealer campaign targets Russian businesses through pirated corporate software

An ongoing RedLine information-stealing campaign is targeting Russian businesses using pirated corporate software.

Since January 2024, Russian businesses using unlicensed software have been targeted by an ongoing RedLine info-stealer campaign. Pirated software is distributed via Russian online forums, attackers disguise the malware as a tool to bypass licensing for business automation software.

Threat actors target business process automation users by distributing a malicious version of the HPDxLIB activator. Unlike the legitimate C++ version with a valid certificate, the malicious version is built in .NET and uses a self-signed certificate.

“Users of unlicensed copies of corporate software for automating business processes faced an attack in which attackers distributed malicious activators on accounting forums.” reads the report published by Kaspersky. “The detected samples were versions of the well-known HPDxLIB activator, which contained the RedLine stealer, hidden in a very unusual way: the activator library was obfuscated using .NET Reactor, and the malicious code was compressed and encrypted in several layers. “

Threat actors publish links to malicious activators on specialized forums about business ownership and accounting. The researchers also observed that the operators provided detailed instructions on disabling security software to run the activator, effectively evading detection.

Attackers trick users into replacing the legitimate techsys.dll library with a malicious one included in the activator. Then upon executing the patched software, it loads the malicious library via the legitimate 1cv8.exe process, which runs the stealer. This method exploits user trust rather than vulnerabilities in the corporate software.

The RedLine stealer is an info-stealing malware written in .NET that has been active since at least early 2020. The malware can steal sensitive information from the infected systems, including credentials, cookies, browser history, credit card data, and crypto-wallets. The info-stealer is considered a commodity malware that is available through malware-as-a-service model.

“The attackers behind this campaign are clearly interested in gaining access to Russian-speaking entrepreneurs who use software to automate business processes. It cannot be said that attacks through dubious solutions that supposedly allow bypassing license checks are something exceptional. But the fact that they are targeting businesses rather than private users seems rather unusual. Another unusual detail is how sophisticatedly the attackers disguised the stealer implant.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Redline)