RIG exploit kit delivering RedLine through Internet Explorer

RIG exploit kit

Researchers at Bitdefender have discovered a new campaign in which cybercriminals use the RIG exploit kit to distribute the well-known RedLine malware, which steals victims' data and transfers it to the operators.

Interestingly, exploit kits like RIG, which used to be quite popular, are increasingly fading into the background, thanks to improved browser protection mechanisms and the abandonment of "leaky" technologies like Flash Player and Microsoft Silverlight.

However, attackers using exploit kits can still get through to individual users who are in the habit of not updating their browser. For example, in the campaign described by Bitdefender, RIG delivers an info-stealer by exploiting a bug in Internet Explorer.

The vulnerability in question is CVE-2021-26411, which leads to memory corruption when a specially crafted website is viewed. If a user is lured to such a site, the RedLine malware is installed on their system.

Once it has settled into the system, RedLine collects and sends confidential information to the operators: keys for crypto wallets, bank card data, and the logins and passwords saved in browsers.

According to Bitdefender researchers, the exploit first drops a JavaScript file onto the system (placed in a temporary directory), which downloads and runs an RC4-encrypted payload.

Unpacking RedLine is a six-step process consisting of decompression, key extraction, assembly, and so on. As a result, the files in DLL format can successfully evade detection by antivirus tools. The malware connects to the command-and-control server at 185.215.113.121 on port 15386. Data collected from VPN and FTP clients, Discord, Telegram, Steam, and crypto wallets are also sent there.
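A defender-side sketch of how the two observable stages described above (a JavaScript file dropped in a temporary directory, then an outbound connection to the C2 endpoint) could be flagged from endpoint and network telemetry. This is an added example, not code from Bitdefender's report; the pipe-delimited event format, the host names, the sample events and the attribution of the file write to iexplore.exe are assumptions.

```python
import re

# IoC taken from the article: RedLine command-and-control endpoint.
C2_IP = "185.215.113.121"
C2_PORT = 15386

# Constructed sample telemetry (assumed format "kind|host|...").
#   file events: file|host|process|path
#   net events:  net|host|src_ip|dst_ip|dst_port
SAMPLE_EVENTS = [
    "file|ws01|iexplore.exe|C:\\Users\\a\\AppData\\Local\\Temp\\ab12.js",
    "file|ws01|winword.exe|C:\\Users\\a\\Documents\\report.docx",
    "net|ws01|10.0.0.5|185.215.113.121|15386",
    "net|ws02|10.0.0.6|93.184.216.34|443",
    "file|ws02|iexplore.exe|C:\\Users\\b\\AppData\\Local\\Temp\\cache.tmp",
]

# A .js file written directly under a Temp directory.
TEMP_JS = re.compile(r"\\temp\\[^\\]+\.js$", re.IGNORECASE)


def detect(events):
    """Return a dict mapping host -> set of alert names raised for it."""
    alerts = {}
    for line in events:
        parts = line.split("|")
        kind, host = parts[0], parts[1]
        if kind == "file":
            proc, path = parts[2], parts[3]
            # Assumption: the dropped .js is written by the browser process.
            if proc.lower() == "iexplore.exe" and TEMP_JS.search(path):
                alerts.setdefault(host, set()).add("ie_dropped_temp_js")
        elif kind == "net":
            dst, port = parts[3], int(parts[4])
            if dst == C2_IP and port == C2_PORT:
                alerts.setdefault(host, set()).add("redline_c2_contact")
    return alerts


def hosts_with_full_chain(events):
    """Hosts where both stages fired: the strongest signal of infection."""
    both = {"ie_dropped_temp_js", "redline_c2_contact"}
    return sorted(h for h, s in detect(events).items() if both <= s)


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
    print(hosts_with_full_chain(SAMPLE_EVENTS))
```

The C2 match alone is high confidence; the temp-directory rule is noisier on its own and is best used to corroborate.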