Stealer Thugs Behind RedLine & Vidar Pivot to Ransomware

Two cybercriminal groups well-established in the business of spreading infostealers are diversifying their capabilities, abusing code-signing certificates to spread stealer malware, and then pivoting to ransomware through the same delivery channels.

The threat actors responsible for the prolific RedLine and Vidar stealer malwares are now distributing ransomware payloads through phishing campaigns that spread initial payloads signed with Extended Validation (EV) certifications, allowing them to slip past email security, researchers from TrendMicro revealed in a blog post on Sept. 13.

"[Their actions suggest] that the threat actors are streamlining operations by making their techniques multipurpose," Trend Micro researchers Hitomi Kimura, Ryan Soliven, Ricardo Valdez III, Nusrath Iqra, and Ryan Maglaque wrote in the post.

They investigated a specific case in which a victim initially received infostealer malware with EV code-signing certificates, but then later via the same route began receiving ransomware payloads. EV code-signing certificates are issued to organizations that are verified to have legal and physical existence in each country, requiring an issuance process with extended identity verification compared to regular code-signing certificates. They also entail private key generation where a hardware token is required.

In all, Trend Micro researchers discovered 30 EV code-signed samples used from July to August this year related to the specific victim.

"The infostealer, detected as TrojanSpy.Win32.VIDAR.SMA, was polymorphous, with each sample having a different hash," they wrote in the post.

The tactic is the first time a single threat actor was observed with this many samples, the researchers noted, adding that they are unsure as to how the threat actor accessed the private key. However, attackers have been known to abuse code-signing certificates by using stolen certificates to pass malware off as legitimate software, slipping by security protections.

Thwarting Certificate Abuse

Authorities, however, have taken notice of the security gaps in the technology. In fact, the Certificate Authority/Browser Forum (CABF) — a public key infrastructure (PKI) industry group — made hardware key generation mandatory for even regular code-signing certificates in an effort to address private key protection, according to Trend Micro. This makes it more difficult to steal private keys and certificates from computers since they cannot be copied as software data.

Trend Micro's investigation into the recent incident however revealed that the code signing of the infostealer was not invalidated because the revocation date was set on Aug. 3, the date that Trend Micro reported the abuse, rather than the sample's signing date. The malware sample was signed on July 17, earlier than the revocation date set, and thus continued to have a valid signature verification. 

The researchers contacted the certificate authority (CA) to explain how to mitigate such scenarios, advising that the certificate should be revoked using the issuance date as the revocation date instead so as to invalidate all code signing using that certificate. In response, the CA processed the certificate with March 21 as the revocation date, and all public observed sample signatures beyond March 21 were invalidated, according to Trend Micro.

An Infostealer/Ransomware Double-Attack Vector

The campaign investigated began with socially engineered spear-phishing emails that demanded that the user in question take action with a sense of urgency, with typical topics used relating to health and hotel accommodations.

In July, the victim began receiving infostealer payloads as a result of a series of campaigns. Then, on Aug. 9, the victim received a ransomware payload after being tricked into downloading and opening a fake TripAdvisor complaint email attachment that used a double file extension (.pdf.htm) to masquerade itself as a benign .pdf file. It concealed the actual .htm payload, the researchers wrote.

The payload executed a series of processes that eventually led to a ransomware payload detected as Ransom.Win64.CYCLOPS being deployed. Unlike the samples of the infostealer, however, the files used to drop the ransomware payload did not have EV certificates, though the payloads originated from the same threat actor via the same delivery method. 

"Payloads used LNK files that contain the command to execute the malicious file to help bypass detection," the researchers wrote. "Despite Google Drive's built-in protocols, which automatically evaluate files to guard systems against malware, malicious actors manage to transfer malicious files through the file storage service."

Stop Ransomware Before It Happens

Trend Micro advised that individuals and organizations who've been targeted by infostealing campaigns should now be cautious of potential ransomware attacks in the future, as findings suggest that "threat actors are becoming more efficient in maximizing their techniques for different purposes and cybercrimes," the researchers wrote.

Further, the findings underline the importance of configuring and updating attack surface protections that remove malicious items before they even reach users. Early detection and mitigation can even prevent threat actors from harvesting enough information that that they can leverage for a ransomware attack later on, they noted. 

Finally, as always, users also should avoid or refrain from downloading files, programs, and software from unverified sources and websites.