Fortinet warns of cybercriminals using Omicron variant news to distribute RedLine stealer | ZDNet

Fortinet has uncovered an effort to spread the RedLine malware by taking advantage of concern about the Omicron COVID-19 strain. FortiGuard Labs researchers said the people behind the malware are trying to use the ongoing COVID crisis to steal information and credentials. 

Redline is a relatively common malware that steals all the usernames and passwords it finds on an infected system. Fortinet said the RedLine Stealer variants they saw in this instance steals stored credentials for VPN applications like NordVPN, OpenVPN and ProtonVPN. 

“Based on the information collected by FortiGuard Labs, potential victims of this RedLine Stealer variant are spread across 12 countries. This indicates that this is a broad-brush attack and that the threat actors did not target specific organizations or individuals,” the company said in its report, noting that the issue affects Windows users.

“FortiGuard Labs recently came across a curiously named file, ‘Omicron Stats.exe’ which turned out to be a variant of Redline Stealer malware. While we have not been able to identify the infection vector for this particular variant, we believe that it is being distributed via email.”

Researchers at multiple cybersecurity companies have said use of RedLine Stealer started around March of 2020, but it quickly took over as one of the most popular infostealers available on underground digital markets, according to Fortinet. 

The researchers said cybercriminals typically use it to steal information and sell it on dark net marketplaces “for as low as $10 dollars per set of user credentials.” The credentials range from those used for accounts on online payment portals, e-banking services and file-sharing tools to those used for social networking platforms. 

“The malware emerged just as the world began to deal with increased numbers of COVID patients and the growing fear and uncertainty that can cause people to lower their guard, which may have prompted its developers to use COVID as its lure,” Fortinet explained. 

Fortinet noted that hackers have previously used COVID-themed emails to spread RedLine Stealer variants and that the malware is embedded in a document designed to be opened by a victim. 

Last month, data breach tracker Have I Been Pwned added 441,657 unique email addresses to its database after cybersecurity researcher Bob Diachenko discovered Redline Stealer malware logs with more than 6 million records exposed online.

Cybersecurity firm Proofpoint said in a blog post in 2020 that the RedLine password stealer is available for sale on Russian underground forums, with different versions costing $150, $200 or $100 per month.