
RedLine making a b-line to your stored passwords

The RedLine information-stealing malware targets popular web browsers such as Chrome, Edge, and Opera. We tell clients to stop storing their passwords in browsers and to use a password locker instead. AhnLab ASEC warns that relying on browser auto-login to get onto your sites is becoming a very large security problem, affecting both organizations and individuals. AhnLab ASEC described a case in which a remote employee lost VPN account credentials to the RedLine Stealer; the actors used those credentials to break into the company’s network three months later. The employee’s computer had anti-malware installed, but RedLine Stealer was able to bypass its scans. RedLine looks for the ‘Login Data’ file, the SQLite database in which every Chromium-based web browser saves usernames and passwords.

Credentials stored in a database file
Source: ASEC

To make it worse, the malware can be purchased for about $200 on cyber-crime forums and deployed by novice script kiddies, or by your mom with her Reddit subscription.

The part below I gathered from an article posted by Bill Toulas of BleepingComputer.

While browser password stores are encrypted, such as those used by Chromium-based browsers, information-stealing malware can programmatically decrypt the store as long as it is logged in as the same user. As RedLine runs as the user who was infected, it will be able to extract the passwords from their browser profile.

“Google Chrome encrypts the password with the help of the CryptProtectData function, built into Windows. Now while this can be a very secure function using a triple-DES algorithm and creating user-specific keys to encrypt the data, it can still be decrypted as long as you are logged into the same account as the user who encrypted it,” explains the author of the ‘chrome_password_grabber’ project.

“The CryptProtectData function has a twin, who does the opposite to it; CryptUnprotectData, which… well you guessed it, decrypts the data. And obviously this is going to be very useful in trying to decrypt the stored passwords.”

Even when users refuse to store their credentials on the browser, the password management system will still add an entry to indicate that the particular website is “blacklisted.”

While the threat actor may not have the passwords for this “blacklisted” account, it does tell them the account exists, allowing them to perform credential stuffing or social engineering/phishing attacks.


After collecting the stolen credentials, threat actors either use them in further attacks or attempt to monetize them by selling them on dark web marketplaces.

An example of how widely popular RedLine has become for hackers is the rise of the ‘2easy’ dark web marketplace, where half of all the data sold was stolen using this malware.

Another recent case of RedLine distribution is a website contact form spamming campaign that uses Excel XLL files that download and install the password-stealing malware.

It’s like RedLine is everywhere right now, and the main reason behind this is its effectiveness in exploiting a widely available security gap that modern web browsers refuse to address.

No longer in the voice of Bill Toulas, how do we stop this?

Cy-Quest Global offers a password locker; by using it you no longer need to store your login credentials in your web browser. As many security experts suggest, use a different password for each of your sensitive websites, such as your bank and your children’s school sites, and enter your credentials manually rather than letting the browser fill them in. Finally, activate multi-factor authentication wherever it is available: this additional step can save you from an account take-over even if your credentials have been compromised.

21 thoughts on “RedLine making a b-line to your stored passwords”

  1. I know this is off topic but I’m looking into starting my own weblog and was wondering what all is needed to get set up? I’m assuming having a blog like yours would cost a pretty penny? I’m not very internet smart so I’m not 100% positive. Any recommendations or advice would be greatly appreciated. Kudos

  2. Also a thing to mention is that an online business administration training is designed for college students to be able to easily proceed to bachelor’s degree programs. The 90-credit college degree meets the lower bachelor’s degree requirements, and when you earn your associate of arts in BA online, you should have access to the most up-to-date technologies in this field. Some reasons why students would like to get their associate degree in business are that they may be interested in the field and want to receive the general education and learning necessary prior to jumping right into a bachelor’s diploma program. Many thanks for the tips you actually provide within your blog.

  3. Great beat! I would like to apprentice while you amend your web site; how could I subscribe for a blog site? The account helped me an acceptable deal. I had been a little bit acquainted of this; your broadcast provided a bright, clear concept.

  4. We absolutely love your blog and find the majority of your posts to be just what I’m looking for. Would you offer guest writers to write content for you? I wouldn’t mind composing a post or elaborating on a number of the subjects you write about here. Again, awesome web site!
