RedLine Stealer C2 Uses 7 Fraudulent Domains in Maritime Phishing Attacks
Key Takeaways A single RedLine Stealer command and control (C2) server led researchers to uncover a sophisticated phishing and business email compromise (BEC) operation targeting the maritime...
Key Takeaways
- A single RedLine Stealer command and control (C2) server led researchers to uncover a sophisticated phishing and business email compromise (BEC) operation targeting the maritime shipping industry.
- The attackers utilized at least seven fraudulent domains, meticulously crafted to impersonate legitimate maritime suppliers, facilitating spear phishing attempts.
- The campaign deployed both RedLine Stealer and Formbook malware, designed to exfiltrate sensitive data such as credentials, browser cookies, and cryptocurrency wallet information.
- Victims included a South Korean marine manufacturer, highlighting the targeted nature and significant financial risk posed to the maritime supply chain.
Unmasking a Maritime Phishing Ring
A routine investigation into RedLine Stealer activity unexpectedly exposed a wide-ranging phishing operation specifically targeting the global maritime shipping sector. What began as an analysis of a single command and control (C2) server quickly expanded, revealing a network of seven deceptive domains designed to ensnare companies within the maritime supply chain.
Table Of Content
RedLine Stealer, first observed around 2020, has become a prevalent information-stealing malware. It typically propagates through compromised software, malicious advertisements, and phishing emails, silently extracting sensitive data like passwords, browser cookies, and cryptocurrency wallet details from infected systems. Its accessibility and low cost on underground forums have made it a favored tool among various criminal groups.
From C2 to Coordinated Campaign
Analysts at VMRay said in a report shared with Cyber Security News (CSN) that a specific RedLine C2 address, identified through their UniqueSignal threat feed, served as the initial thread in a much larger investigation. This server, located at 194.156.79.122 and operating on the uncommon port 55615, initially appeared to be a typical, ephemeral RedLine backend. However, it quickly became the linchpin for uncovering a sophisticated spear phishing and business email compromise (BEC) campaign.
Leveraging fingerprinting techniques with tools such as FOFA and VirusTotal, researchers identified additional C2 servers that shared distinct characteristics with the original infrastructure. These findings shifted the focus from generic infostealer activity to a highly targeted spear phishing campaign aimed at a South Korean maritime manufacturer.
The investigation ultimately linked malware distribution, fabricated business emails, and a cluster of recently registered domains meticulously designed to mimic legitimate maritime suppliers. This intricate combination of technical infrastructure and social engineering made the campaign particularly challenging to detect using conventional indicators of compromise alone.
The Strategy: Fraudulent Domains and Impersonation
A critical discovery was the identification of seven fraudulent domains. These domains were all hosted on the same infrastructure provider and exhibited consistent naming patterns and TLS certificate details. Examples include acasiallc.shop, amdocsllc.shop, and <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/e59c4ad6-abf2-4869-8fb2-6060757d4de0/RedLine-C2-Pivot-Reveals-Seven-Fraudulent-Domains-Used-in-Maritime-Phishing-Attacks.pdf?AWSAccessKeyId=ASIA2F3EMEYEVXMPRSIT&Signature=3B%2BmgRojW7P%2FEpDf1HFTTXGHJK8%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEIr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQCzd3GwrpaEYBEqDsM1NPivU9EOgPuoVr66J%2Ftr1CTadwIgFR3IElNqGnj%2FDQwNIUKoxQdLZhhXEEPhwP8OQEENTw0q8wQIUxABGgw2OTk3NTMzMDk3MDUiDPbtM6AEnuC5Nmc%2FTyrQBMuvPdB4D4kCqbh5v1zQOaYEVjEz2uFz%2FD4A8t1yN8uuCzUsJijUmpAhLw6TOjGoAqXQkh1j3RpTCXsN86hJpaWbrbhkhQpMS85xslYpVLd6yZveA6kzbp5JB1Lqy3ZK2s2t%2BKhQSfE2b06fxq5v3ivYjYH58W8sdmuxno1upyliX5G46imSSbuShrYKpP6gdWnl1U2j3Qa3iUFaql9uXBDWT5cOZSmyQ%2FG1vYHxuDj9GoKVQKysGG3bSeFdmcgtrUOGUEI8M4rL1sDjf4t7j6BCGAPYrvD0V%2F%2FGEyzodP0IsdE%2FeIBuCF1%2FvZTC%2B6RbMwe%2FSpZ7IcYVAjwYM6C0%2B3av5zlpcjAIgbG%2FopYmhiF5tkd10C56h4MB3iWl0IZHm6h5Jiok7%2ByYVAW453XlnDRiLubD2wsdGWSF99kPDgbAYf6kiAzQqJmfLZB%2F0bGuJ4rxgmWaYMGDFkAadRidG7nFbPmw93pLQcTB0Hf6Aq%2BasM81z1Y3b6SBFQiBQYJh3ZzeoxcNlVlDY7GbsDTE86Z71pEIdXqb9ZFjC7rSuApYvV2YRgwRIW4XPzV2AZLM1gJ6ua%2BryK9KJ%2FXmni0zG87DqYSSAYc9u
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.