Redline Stealer being Distributed via Fake Express VPN Sites

Threat Actors using Shortened URLs to infect Users

Deceptive phishing is the preferred way for cybercriminals to distribute malware, because luring a victim into clicking a link in an SMS or email is easier than most other intrusion paths. The Threat Actor (TA) usually relies on brand impersonation in these campaigns so that users believe the message or site belongs to a reputable, legitimate entity. Cyble Research & Intelligence Labs (CRIL) continuously monitors phishing campaigns in which TAs impersonate genuine entities to distribute malware.

Recently, CRIL identified six phishing sites impersonating Express VPN that were distributing Windows malware. The TA could use phishing emails, online ads, SEO poisoning, and other means to propagate links to these sites:

  • express-vpns[.]biz
  • express-vpns[.]cloud
  • express-vpns[.]fun
  • express-vpns[.]online
  • express-vpns[.]pro
  • express-vpns[.]xyz

The phishing site looks very similar to the genuine Express VPN website. It is well designed, and the TAs behind this campaign have copied the UI of the genuine site closely to trick the victim into downloading malware.

Figure 1 – Phishing site impersonating Express VPN

When a user clicks the “Claim Exclusive Deal” or “Get ExpressVPN” button, the phishing site loads the shortened Cuttly URL hxxps://cutt[.]ly/h1c4zjK, which redirects to the Discord CDN URL hxxps://cdn[.]discordapp[.]com/attachments/879028824979931206/1046773157253632081/Setup[.]zip and downloads the malicious ZIP file.

The TA used the short Cuttly URL to mask the actual Discord CDN URL, which hides the real download location from users and increases the probability of a successful infection. Additionally, these phishing sites serve a valid TLS certificate, so browsers show the padlock and raise no warning. A valid certificate only proves control of the domain, not that the site is legitimate, which further increases the chance of infecting users.
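A triage script for exactly this kind of masked link, added here as an example and not part of the original report or the campaign's code. It walks a shortener's redirect chain one HEAD request at a time without following redirects automatically (so the payload is never downloaded), then flags the final hop if the host changed, if it lands on an abused file-hosting CDN, or if the path ends in an archive or executable. The redirect table, the hypothetical cutt.ly/EXAMPLE link and the list of abused CDN hosts are constructed for the demo; swap `demo_head` for `http_head` to resolve a real link.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10
# Free file-hosting CDNs frequently abused for payload delivery (illustrative, extend as needed).
PAYLOAD_HOSTS = {"cdn.discordapp.com"}
PAYLOAD_EXTENSIONS = (".zip", ".rar", ".7z", ".exe", ".msi", ".iso")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at the first 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=10):
    """One HEAD request; returns (status, Location) without following the redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx surfaces here because we refused to follow
        return err.code, err.headers.get("Location")


# Constructed redirect table so the example runs offline; these are NOT the campaign's URLs.
DEMO_REDIRECTS = {
    "https://cutt.ly/EXAMPLE": (302, "https://cdn.discordapp.com/attachments/111/222/Setup.zip"),
    "https://cdn.discordapp.com/attachments/111/222/Setup.zip": (200, None),
}


def demo_head(url):
    """Offline stand-in for http_head backed by DEMO_REDIRECTS."""
    return DEMO_REDIRECTS.get(url, (404, None))


def resolve_chain(url, head=http_head, max_hops=MAX_HOPS):
    """Walk the redirect chain hop by hop.

    Returns (chain, final_status). final_status is None if max_hops was exceeded,
    which usually means a redirect loop.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status in REDIRECT_CODES and location:
            chain.append(urljoin(chain[-1], location))
            continue
        return chain, status
    return chain, None


def assess(chain):
    """Return the reasons a resolved chain looks like a masked payload download."""
    first, last = urlparse(chain[0]), urlparse(chain[-1])
    reasons = []
    if len(chain) > 1 and first.hostname != last.hostname:
        reasons.append(f"shortener/redirect hides final host {last.hostname}")
    if last.hostname in PAYLOAD_HOSTS:
        reasons.append(f"final host {last.hostname} is an abused file-hosting CDN")
    if last.path.lower().endswith(PAYLOAD_EXTENSIONS):
        reasons.append(f"final path ends in an executable/archive: {last.path.rsplit('/', 1)[-1]}")
    return reasons


if __name__ == "__main__":
    chain, status = resolve_chain("https://cutt.ly/EXAMPLE", head=demo_head)
    print(" -> ".join(chain), status)
    for reason in assess(chain):
        print("  !", reason)
```

HEAD is used deliberately: a shortener answers with a 3xx and a Location header, so the payload host is learned without ever issuing the GET that would fetch Setup.zip. Some hosts reject HEAD; in that case a GET with `Range: bytes=0-0` is the next-safest probe.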

The phishing site offers a “3 extra months free” deal to the victim while the genuine site currently offers Black Friday with a “12 months + 3 extra months FREE” deal as shown in the figure below.

Figure 2 – Phishing site (left) and genuine site (right) offers

The phishing site lures users with a deal similar to the genuine one. However, when the user clicks the “Get ExpressVPN” button, the phishing site directly downloads the malicious file, whereas the genuine site redirects the user to the order page and never downloads a ZIP file on click. Users should be cautious when visiting any ExpressVPN look-alike domain to avoid downloading malware.

We analyzed the downloaded file and identified it as Redline Stealer. Its behavior is detailed below.

Payload Analysis

The ZIP archive contains setup.exe, a 640 MB binary. Most of that size is zero padding appended after the end of the executable, which inflates the file drastically. Threat actors use this technique to evade antivirus scanning, because many antivirus engines, sandboxes and scanning services skip or only partially scan files above a size threshold. The figure below shows the padded part of the binary.

Figure 3 – Padded Binary
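A check for the padding trick described above, added here as an example rather than taken from the report: it reads the file backwards in 1 MiB chunks so a multi-hundred-megabyte sample is never loaded whole, counts the run of trailing 0x00 bytes, flags the file when the padding dominates, and hashes the unpadded content so that padded variants of the same payload collapse to one hash. The `make_sample` helper writes a constructed stand-in (an "MZ" stub plus zeros), not the campaign's setup.exe, and the 1 MiB / 50 % thresholds are assumed values to tune.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB; large samples are walked chunk by chunk, never loaded whole


def trailing_zero_bytes(path, chunk=CHUNK):
    """Length of the run of 0x00 bytes at the very end of the file, read backwards in chunks."""
    size = os.path.getsize(path)
    zeros = 0
    with open(path, "rb") as fh:
        pos = size
        while pos > 0:
            step = min(chunk, pos)
            pos -= step
            fh.seek(pos)
            block = fh.read(step)
            stripped = block.rstrip(b"\x00")
            zeros += len(block) - len(stripped)
            if stripped:          # reached real content, the zero run is over
                break
    return zeros


def padding_report(path, min_padding=1 << 20, min_ratio=0.5):
    """Measure the padding and hash the file with the padding removed.

    min_padding/min_ratio are assumed thresholds: flag only when at least 1 MiB
    of trailing zeros makes up at least half of the file.
    """
    size = os.path.getsize(path)
    zeros = trailing_zero_bytes(path)
    content_len = size - zeros
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        remaining = content_len
        while remaining > 0:
            block = fh.read(min(CHUNK, remaining))
            if not block:
                break
            digest.update(block)
            remaining -= len(block)
    ratio = zeros / size if size else 0.0
    return {
        "size": size,
        "trailing_zeros": zeros,
        "padding_ratio": ratio,
        "trimmed_sha256": digest.hexdigest(),
        "suspicious": zeros >= min_padding and ratio >= min_ratio,
    }


def make_sample(padding_bytes, directory=None):
    """Constructed test file: a fake 'MZ' stub followed by padding_bytes of zeros.

    This is NOT the campaign's setup.exe; it only reproduces the padding layout.
    Returns (path, sha256 of the unpadded content) so the report can be checked.
    """
    content = b"MZ" + bytes(range(1, 256)) * 64   # contains no 0x00, ends in 0xFF
    directory = directory or tempfile.mkdtemp(prefix="padding-demo-")
    path = os.path.join(directory, f"sample_{padding_bytes}.bin")
    with open(path, "wb") as fh:
        fh.write(content)
        left = padding_bytes
        while left > 0:               # write zeros in chunks rather than one giant bytes object
            n = min(CHUNK, left)
            fh.write(bytes(n))
            left -= n
    return path, hashlib.sha256(content).hexdigest()


if __name__ == "__main__":
    path, _ = make_sample(3 * (1 << 20))
    report = padding_report(path)
    print(f"{path}: {report['size']} bytes, {report['trailing_zeros']} trailing zeros "
          f"({report['padding_ratio']:.0%}), trimmed sha256 {report['trimmed_sha256'][:16]}..., "
          f"suspicious={report['suspicious']}")
```

The trimmed hash is the useful pivot: the TA can regenerate a new full-file hash for every victim just by changing the padding length, while the hash of the content before the padding stays the same. A PE-aware check (comparing the end of the last section to the file size) is stricter than a raw trailing-zero count, but the raw count also catches padding that is not zero-filled once the `rstrip` byte set is widened.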

Upon execution, setup.exe injects the stealer payload into jsc.exe, the Microsoft-signed JScript.NET compiler shipped with the .NET Framework, so that the malicious code runs inside a trusted, signed process. The figure below shows the process injection.

Figure 4 – Process Injection

After this, the stealer payload fetches its configuration settings from the Command and Control (C&C) server using the net.tcp URL “net[.]tcp[:]//[:]34067/”, i.e. a WCF net.tcp endpoint on TCP port 34067. These settings specify which data to collect from the victim’s system. The figure below shows the configuration settings fetched by the stealer.

Figure 5 – Fetches Configuration Settings from C&C
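The injection into jsc.exe and the C&C fetch over a non-standard port together give a clean hunting pattern: a signed compiler started by something outside Program Files or Windows, and that same process then opening a network connection. The rules below are an added example, not the report's or any vendor's detection content. They run over constructed events shaped like Sysmon Event ID 1 (process create) and Event ID 3 (network connection) fields; the process IDs, paths and documentation-range IPs are made up, and the list of compiler names beyond jsc.exe is an assumption to extend.

```python
from pathlib import PureWindowsPath

# Signed Microsoft compilers/build tools that are regularly hollowed out by injectors.
# jsc.exe is the one this campaign uses; the others are assumptions, extend to taste.
INJECTION_TARGETS = {"jsc.exe", "csc.exe", "vbc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe"}
# Parents launched from outside these trees (Downloads, Temp, AppData...) are untrusted.
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WEB_PORTS = {80, 443}

# Constructed telemetry, shaped like Sysmon Event ID 1 (process create) and 3 (network
# connection) fields. The IPs are documentation ranges; nothing here is real campaign data.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Users\victim\Downloads\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4188,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "ParentImage": r"C:\Users\victim\Downloads\setup.exe"},
    {"EventID": 3, "ProcessId": 4188,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 34067},
    {"EventID": 1, "ProcessId": 5000,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\dotnet\dotnet.exe"},
    {"EventID": 3, "ProcessId": 600, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Protocol": "tcp", "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]


def image_name(path):
    return PureWindowsPath(path).name.lower()


def untrusted_parent(parent_image):
    return not parent_image.lower().startswith(TRUSTED_PARENT_PREFIXES)


def evaluate(events):
    """Return (rule, pid, detail) tuples for events that match the hunting rules."""
    alerts = []
    for ev in events:
        name = image_name(ev["Image"])
        if name not in INJECTION_TARGETS:
            continue
        if ev["EventID"] == 1 and untrusted_parent(ev.get("ParentImage", "")):
            alerts.append(("compiler_spawned_by_untrusted_parent", ev["ProcessId"],
                           f"{name} started by {ev['ParentImage']}"))
        elif ev["EventID"] == 3:
            port = ev["DestinationPort"]
            rule = ("compiler_network_nonstandard_port" if port not in WEB_PORTS
                    else "compiler_network")
            alerts.append((rule, ev["ProcessId"],
                           f"{name} -> {ev['DestinationIp']}:{port}/{ev['Protocol']}"))
    return alerts


def correlate(alerts):
    """PIDs that were both spawned by an untrusted parent and talked to the network:
    the hollowed-compiler pattern this campaign shows."""
    by_pid = {}
    for rule, pid, _ in alerts:
        by_pid.setdefault(pid, set()).add(rule)
    return sorted(pid for pid, rules in by_pid.items()
                  if "compiler_spawned_by_untrusted_parent" in rules
                  and any(r.startswith("compiler_network") for r in rules))


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for rule, pid, detail in found:
        print(f"[{rule}] pid={pid} {detail}")
    print("hollowed compiler candidates:", correlate(found))
```

jsc.exe has no legitimate reason to open sockets, so the network rule alone is high-signal for it; for csc.exe or msbuild.exe on build agents the parent-path rule needs an allow-list, which is why the two rules are kept separate and only joined in `correlate`.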

After fetching the configuration, Redline Stealer collects data from various applications installed on the victim’s system. It can steal login credentials, autofill data, cookies, and credit card details from Gecko-based and Chromium-based web browsers. Other targets include cold cryptocurrency wallets, VPN clients, Discord, and Steam. CRIL’s earlier detailed analysis of Redline Stealer covers its internals.


Redline Stealer is one of the most prominent infostealers, and TAs are actively running multiple campaigns to deliver it. Recently, we have seen an increase in samples padded with junk data to inflate their size and evade detection; the same technique has been observed in stealers such as Vidar and RecordBreaker.

Our Recommendations 

We have listed some essential cybersecurity best practices that form the first line of control against attackers. We recommend that our readers follow the suggestions given below:

  • Avoid downloading pirated software from warez/torrent websites. The “hack tools” advertised on YouTube, torrent sites, etc., typically carry such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputable antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees about threats such as phishing and untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., torrent/warez sites.
  • Monitor beaconing at the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Initial Access       T1566          Phishing
Execution            T1204          User Execution
Credential Access    T1555          Credentials from Password Stores
                     T1539          Steal Web Session Cookie
                     T1552          Unsecured Credentials
Collection           T1113          Screen Capture
Discovery            T1087          Account Discovery
                     T1518          Software Discovery
                     T1057          Process Discovery
                     T1124          System Time Discovery
                     T1007          System Service Discovery
                     T1614          System Location Discovery
                     T1120          Peripheral Device Discovery
Command and Control  T1571          Non-Standard Port
                     T1095          Non-Application Layer Protocol
Exfiltration         T1041          Exfiltration Over C2 Channel

Indicators of Compromise (IoCs):  

Indicator                                                           Indicator type   Description
net[.]tcp[:]//[:]34067                                              URL              C2 URL
b0491e5a077eef6df868e66b6e5d4a594d4a01da                            SHA1             Malicious file
0e3b024a0f4013541cc0771b02878182f0b599945b2ea60342f5c4c24d27e2e0    SHA256           Malicious file
                                                                    URL              Malicious URL

