RedLine Stealer Malware Deployed Via ScrubCrypt Evasion Tool

Nov. 30, 2023

A new version of the ScrubCrypt obfuscation tool is being used to target organizations with the RedLine Stealer malware, fraud sensor network Human Security has warned.

Human’s Satori Threat Intelligence Team said it has uncovered the new build of ScrubCrypt for sale in dark web marketplaces, and observed it being used to launch account takeover and fraud attacks on its customers via RedLine Stealer.

How the New ScrubCrypt Build Works

ScrubCrypt is a tool used by threat actors to avoid detection by converting executable files into batch files. In March 2023, it was found being used by the ‘8220 Gang’ threat actor to target an exploitable Oracle WebLogic Server.

The researchers said the website selling and hosting this new ScrubCrypt build is registered and hosted in Russia to stay out of the reach of law enforcement agencies in regions like the US and EU.

However, the command-and-control (C2) server that sends instructions to, and receives stolen credentials from, the associated RedLine Stealer sample is hosted by an American provider of data center proxies and virtual servers. This approach is likely designed to help threat actors bypass certain firewall protections, since the malware phones home to a server located within the same country as the target.
