RedLine Malware
Cybersecurity

Storing passwords in the browser allowed RedLine malware to breach a private VPN

Cybersecurity has become much more challenging with the push to move workers to remote locations during this pandemic. What was secured behind firewalls and network perimeters at the organization's physical sites is now being accessed from potentially insecure points worldwide. Any mistake made there can create massive headaches for you and your organization.

What happened?

Yup, once again, someone has been hacked by someone else, and many people have had their email accounts and access information compromised: over 441,000 of them. Their accounts were exposed through passwords and account information saved in a browser.

On January 3, 2022, a company, which hasn't been named, provided its remote users with virtual private network (VPN) access to company resources. The problem? One employee saved the VPN access credentials in their browser's saved-password store (Fripp). This is not a good idea for most people, even with the most robust browsers and the best security settings.

How did it happen?

The VPN user's browser was breached using malware known as "Redline Stealer." This malware is a particular problem for less secure Internet browsers, as it can be purchased and used by just about anyone who wants to try pre-written malware for something like this.

To give you an idea of what Redline Stealer has done previously: on December 25th, 2021, Bob Diachenko reported an exposed online database of stealer logs covering over six million records exfiltrated during August and September 2021 (Diachenko). The logs contained personal information, email account details, and credit card information from the breached records.

What can Redline Stealer do?

Redline has a small but varied set of capabilities at the moment. It can steal, as mentioned, email credentials and access, credit card information, and FTP authentication, and it can even breach cryptocurrency wallets.

How does your system become infected?

First, a threat actor (the bad guy) purchases the malware application for between $100 and $200. Once they have learned how to use it, they usually distribute it via email or other direct means: the download is buried in a document or in a link you click on in your email. Once your system has downloaded the malware installer, it begins searching for and exfiltrating your information, anything from operating system details to user data (Tavares).

What should you do if your system is infected with Redline Stealer?

Head for the hills!!!

Not really, but if you have had trouble with malware before, you might consider it.

Once you have determined that your system is infected, take it offline! Disconnect it from your home or organizational network so that it cannot infect other systems. If the system belongs to an organization, please ensure that this step is handled by the IT department/staff.

For the remainder of the cleanup on the IT side, we describe below how to remove your sensitive information from Google Chrome and how to ensure that it doesn't capture that information again down the road without your permission. We will also show you how to clear your information from the browser even if your system is not infected.
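Before clearing the browser, a responder needs to know which accounts the stolen password store actually covered, because every one of them has to be reset, and the VPN or mail logins first. The following script is an added example, not code from the article or from any of the cited authors: it inventories a copy of Chrome's "Login Data" SQLite file by reading only the site, username and save-date columns (it deliberately never reads `password_value`), flags hosts that look like remote-access or mail services, and returns a rotation list. The reduced table schema, the sample hostnames (`vpn.example.test` and so on), the keyword list and the `demo()` helper are all constructed for the example.

```python
"""Added example (not from the article): inventory a browser password store
after a stealer infection so the accounts it held can be reset.

Only origin/username/date columns are read; password_value is never touched.
The table below is a reduced, constructed copy of the column names Chrome's
"Login Data" SQLite file uses for its `logins` table."""
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from urllib.parse import urlparse

# Chrome stores timestamps as microseconds since 1601-01-01 UTC, not the Unix epoch.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Hostname fragments that mark a saved login as "rotate first". Assumed list;
# adjust it to the services your organization actually exposes.
HIGH_PRIORITY_KEYWORDS = ("vpn", "sso", "remote", "mail")


def chrome_time_to_datetime(value: int) -> datetime:
    """Convert a Chrome microsecond timestamp into an aware UTC datetime."""
    return CHROME_EPOCH + timedelta(microseconds=value)


def inventory_saved_logins(login_data_path: Path, keywords=HIGH_PRIORITY_KEYWORDS) -> list:
    """Return the saved logins (host, username, save date, priority flag),
    highest priority first. Works on a copy, because a running browser keeps
    the original file locked, and opens that copy read-only."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "login_data_copy.db"
        shutil.copyfile(login_data_path, copy)
        conn = sqlite3.connect(f"{copy.as_uri()}?mode=ro", uri=True)
        try:
            rows = conn.execute(
                "SELECT origin_url, username_value, date_created, blacklisted_by_user "
                "FROM logins"
            ).fetchall()
        finally:
            conn.close()

    entries = []
    for origin_url, username, date_created, blacklisted in rows:
        if blacklisted:  # a "never save for this site" marker; it holds no credential
            continue
        host = urlparse(origin_url).hostname or origin_url
        entries.append({
            "host": host,
            "username": username,
            "saved_at": chrome_time_to_datetime(date_created).isoformat(),
            "high_priority": any(k in host.lower() for k in keywords),
        })
    # Priority entries first (False sorts before True), then by host and user.
    entries.sort(key=lambda e: (not e["high_priority"], e["host"], e["username"]))
    return entries


def build_sample_login_data(path: Path) -> None:
    """Create a constructed Login Data file with the subset of columns read above."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT NOT NULL, username_value TEXT, "
        "password_value BLOB, signon_realm TEXT NOT NULL, "
        "date_created INTEGER NOT NULL, blacklisted_by_user INTEGER NOT NULL)"
    )
    saved = int((datetime(2022, 1, 3, tzinfo=timezone.utc) - CHROME_EPOCH)
                / timedelta(microseconds=1))
    conn.executemany(
        "INSERT INTO logins VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("https://vpn.example.test/login", "jdoe", b"<encrypted>",
             "https://vpn.example.test/", saved, 0),
            ("https://shop.example.test/", "jdoe@example.test", b"<encrypted>",
             "https://shop.example.test/", saved, 0),
            # "never save" entry: no credential stored, must be skipped
            ("https://bank.example.test/", "", b"", "https://bank.example.test/", saved, 1),
        ],
    )
    conn.commit()
    conn.close()


def demo() -> list:
    """Build the constructed store in a temp directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "login_data.db"
        build_sample_login_data(db)
        return inventory_saved_logins(db)


if __name__ == "__main__":
    for entry in demo():
        flag = "ROTATE FIRST" if entry["high_priority"] else "rotate"
        print(f"{flag:12} {entry['host']:20} {entry['username']!r} saved {entry['saved_at']}")
```

On a real Windows workstation the file to point `inventory_saved_logins` at is `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data` (one per Chrome profile); copy it off the machine after it is disconnected and run the inventory from a clean host. The output is the reset list, not a recovery tool: everything it names should be treated as compromised, and once the store is cleared, Chrome's `PasswordManagerEnabled` enterprise policy (set to false) stops the browser from saving credentials again.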