Pirated Business Software Activator Spreads RedLine Stealer
Dec. 10, 2024, 2:03 p.m.
Description
A malicious campaign targeting users of unlicensed corporate business automation software has been discovered. The attackers distribute malicious activators on accounting forums; these activators carry the RedLine stealer, concealed in an unusual way. The activator library is obfuscated with .NET Reactor, and the malicious code is compressed and encrypted in multiple layers. The campaign began in January 2024 and continues to threaten users of unlicensed software. The attackers target entrepreneurs running current versions of a business process automation platform, distributing the malware disguised as a new version of the HPDxLIB activator. The malicious version differs from the 'clean' one primarily in being built on .NET and carrying a new self-signed certificate.
Date
Published: Dec. 10, 2024, 1:42 p.m.
Created: Dec. 10, 2024, 1:42 p.m.
Modified: Dec. 10, 2024, 2:03 p.m.
Indicators
Attack Patterns
RedLine
T1553.002
T1547.001
T1056.001
T1555
T1113
T1204.002
T1055
T1140
T1027
T1059
Additional Information
Russian Federation