Researchers at Cyble Research & Intelligence Labs (CRIL) discovered a trail of Redline Stealer being distributed via fake VPN sites. The campaign's threat actors appear to be using phishing as their go-to method, targeting users with a fake website that impersonates Express VPN, a VPN service offered by the British Virgin Islands-registered company Express Technologies Ltd.
The researchers found traces of Redline Stealer during their regular threat-hunting exercises, noting that six phishing sites were impersonating Express VPN and continuously spreading Windows malware to any potential victim visiting the fraudulent website.
In this campaign, the threat actors used sites that mimicked the genuine Express VPN website and shared a link to victims via email, advertisement, and SEO.
Threat actors spreading Redline Stealer
According to CRIL, the threat actors behind the campaign “have tried to copy the UI” of the website, including the colors, fonts, and overall design and feel. Usually, hackers do this to make the victim believe they are using a genuine website and ultimately lure them into downloading the modded/malware-injected software onto their devices.
In this case, the threat actor was using Redline Stealer, a popular malware on underground forums that is sold as a standalone product for as little as $100/$150, depending on the version. The developers behind the malware also offer subscription models, starting with a basic plan at $100/month.
For the uninitiated, the malware is pretty capable and can harvest information from browsers, and steal saved credentials, autocomplete data, and credit card information. A more recent version of the malware can steal cryptocurrency, upload and download files, execute commands, and periodically send back information about the infected computer.
What happens after the infection?
Because users can be persuaded to download the software through social engineering and a convincing front end, the threat actor only needs the victim to click a particular phishing link; in this campaign, that link led to a Discord CDN URL, hxxps://cdn[.]discordapp[.]com/attachments/879028824979931206/1046773157253632081/Setup[.]zip.
Here, the threat actors persuaded the victim to download the malicious ZIP file Setup.zip by presenting it as the official Express VPN software. To hide the actual Discord URL, the threat actors used the URL shortener Cuttly, which prevents the victim from seeing the true destination before clicking. Moreover, the fake websites also used SSL certificates, making them more believable to victims.
Once downloaded, the setup.zip file turns out to contain Redline Stealer. The setup.exe inside was 640MB, was able to bypass antivirus checks, and injected the stealer payload into jsc.exe. Once installed, the stealer starts receiving configuration settings from the Command and Control (C&C) server through which the threat actor operates the malware.
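The delivery chain described above (a URL shortener redirecting to a Discord CDN attachment, followed by an unusually large installer) leaves a recognisable pattern in web proxy logs. The following script is an added example, not CRIL's tooling or anything from the article, showing how a defender might triage such logs. The log format, the `cutt.ly` and `cdn.discordapp.com` host lists, the 60-second correlation window, the 200MB size threshold and the `ATTACHMENT_ID`/`FILE_ID` path placeholders are all assumptions made for the example; the sample log lines are constructed.

```python
"""Proxy-log triage for a shortener -> file-host -> oversized-archive chain.

Added example (not from the article). Log format, host lists, thresholds
and sample lines are constructed assumptions for illustration.
"""
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample proxy log: timestamp client method url status bytes
# ATTACHMENT_ID / FILE_ID are placeholders, not the campaign's real IDs.
SAMPLE_PROXY_LOG = """\
2022-12-01T10:02:11Z 10.0.0.5 GET https://www.expressvpn.com/ 200 18233
2022-12-01T10:03:40Z 10.0.0.7 GET https://cutt.ly/EXAMPLEslug 302 0
2022-12-01T10:03:41Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/ATTACHMENT_ID/FILE_ID/Setup.zip 200 671088640
2022-12-01T10:05:02Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/ATTACHMENT_ID/FILE_ID/photo.png 200 40211
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Assumed watchlists; a real deployment would use a maintained list.
SHORTENERS = {"cutt.ly"}
FILE_HOSTS = {"cdn.discordapp.com"}
PAYLOAD_EXT = (".zip", ".exe", ".rar", ".7z")
# The article's sample was 640MB; 200MB is an assumed triage threshold
# for "installer far larger than a legitimate VPN client".
OVERSIZED_BYTES = 200 * 1024 * 1024


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort triage
        e = m.groupdict()
        parsed = urlparse(e["url"])
        e["host"] = (parsed.hostname or "").lower()
        e["path"] = parsed.path.lower()
        e["bytes"] = int(e["bytes"])
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def find_suspicious_downloads(events, window_s=60):
    """Flag archive/executable downloads that follow a shortener hit from
    the same client within window_s seconds, or that are oversized."""
    findings = []
    last_shortener = {}  # client -> time of most recent shortener request
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["host"] in SHORTENERS:
            last_shortener[e["client"]] = e["ts"]
            continue
        if not e["path"].endswith(PAYLOAD_EXT):
            continue
        reasons = []
        prev = last_shortener.get(e["client"])
        if (e["host"] in FILE_HOSTS and prev is not None
                and (e["ts"] - prev).total_seconds() <= window_s):
            reasons.append("shortener_to_file_host")
        if e["bytes"] >= OVERSIZED_BYTES:
            reasons.append("oversized_payload")
        if reasons:
            findings.append({"client": e["client"], "url": e["url"],
                             "bytes": e["bytes"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_downloads(parse_log(SAMPLE_PROXY_LOG)):
        print(f"{f['client']} {f['url']} ({f['bytes']} bytes): "
              + ", ".join(f["reasons"]))
```

Only the `10.0.0.7` sequence is flagged: the shortener hit followed one second later by a 640MB `Setup.zip` from the Discord CDN matches both rules, while the ordinary image fetch from the same CDN and the visit to the legitimate site are ignored. Correlating on the client and a short window is what separates the lure chain from the large volume of benign Discord CDN traffic most networks carry.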