An information stealer named RedEnergy targets multiple industry sectors through a fake update campaign. This malicious software can extract information from different web browsers, allowing it to steal sensitive data. Furthermore, it incorporates various modules to facilitate ransomware activities.
Learn more about RedEnergy Stealer
| Attribute | Details |
| --- | --- |
| Name | RedEnergy Stealer |
| Detection | Trojan:Win32/Casdet!rfn |
| Threat Type | Trojan Stealer, Ransomware |
| Encrypted Files Extension | .FACKOFF! |
| Ransom Demanding Message | read_it.txt |
| Contacts | [email protected] |
| Ransom Amount | 0.005 BTC |
| Damage | Extracts sensitive data from web browsers, encrypts files, demands a ransom for their release, and manipulates the appearance of file system folders. It infiltrates systems through deceptive techniques, such as masquerading as a legitimate browser update and employing a deceptive redirection technique. Its impact can include the theft of personal information, financial data, login credentials, and other sensitive data, causing potential harm to individuals and organizations. |
When triggered, the malicious RedEnergy executable disguises itself as a genuine browser update, effectively hiding its true nature. It cleverly presents itself as a legitimate update from well-known browsers like Google Chrome, Microsoft Edge, Firefox, and Opera, with the aim of deceiving unsuspecting users.
In addition, RedEnergy incorporates a persistence mechanism that allows it to remain on an infected system even after restarting or shutting down. This mechanism ensures that the malware remains active and can continue its malicious activities without interruption.
As part of its operation, RedEnergy integrates ransomware modules into its payload. It encrypts the victim's data and appends the ".FACKOFF!" extension to the names of all encrypted files. The victim is then presented with a ransom message ("read_it.txt") demanding payment to regain access to the files. The malware also changes the desktop wallpaper.
Text in the ransom note
YOUR FILES ENCRYPTED VIRUS !!! ANY ATTEMPT THEIR DECRYPT BY, IS ZERO WE HAVE A DECKER, YOU CAN BUY IT FOR ---100$--- At Bitcoin WRITE ON MAIL([email protected]), WE WILL ISSUE YOU DECODER (KEY DECRYPTION) BUY OR EXCHANGE Bitcoin CAN HERE OR WHERE THE YET: Coinmama - hxxps://www.coinmama.com, Bitpanda - hxxps://www.bitpanda.com REQUISITES Payment informationAmount: 0.005 BTC Bitcoin Address: bc1qkvykfukshqywqe40pn9kqv5xc8xr5dwl46k99k MAIL FOR COMMUNICATION : [email protected]
The ransomware modules also delete the shadow copy data (the volume snapshots Windows keeps for recovery), effectively eliminating any potential local backups that could be used to restore the encrypted files.
Furthermore, the malicious executable modifies the desktop.ini file, which holds important configuration settings for file system folders. Through this modification, RedEnergy gains the ability to manipulate the appearance of file system folders, potentially enhancing its ability to hide its presence and actions on the compromised system.
Finally, RedEnergy is capable of stealing data from various web browsers, including personal information, login credentials, financial data, online activities, session-related information, and other data.
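The file-system artefacts described above (the ".FACKOFF!" extension, the "read_it.txt" note and the modified desktop.ini) are what an incident responder would look for first. The triage script below is an added example, not code from the original article: it walks a directory tree, inventories those artefacts, and records the earliest encrypted-file timestamp to estimate when encryption began. The 24-hour desktop.ini window and the hypothetical `triage` and `original_name` helper names are assumptions.

```python
"""Added triage example: inventory RedEnergy ransomware artefacts on disk."""
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional

ENCRYPTED_EXT = ".FACKOFF!"   # extension appended to encrypted files (from the article)
RANSOM_NOTE = "read_it.txt"   # ransom note file name (from the article)


@dataclass
class TriageReport:
    encrypted: List[str] = field(default_factory=list)     # files with the .FACKOFF! extension
    notes: List[str] = field(default_factory=list)         # read_it.txt ransom notes found
    desktop_ini: List[str] = field(default_factory=list)   # recently modified desktop.ini files
    first_encrypted: Optional[float] = None                # earliest mtime among encrypted files

    @property
    def hit(self) -> bool:
        """True when at least one encryption artefact or ransom note was found."""
        return bool(self.encrypted or self.notes)


def triage(root: str, window_seconds: float = 24 * 3600,
           now: Optional[float] = None) -> TriageReport:
    """Scan `root` recursively. desktop.ini is only reported when it was modified
    within `window_seconds` before `now` (assumed window), because an untouched
    desktop.ini is normal in many Windows folders."""
    now = time.time() if now is None else now
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT.lower()):
                report.encrypted.append(path)
                mtime = os.path.getmtime(path)
                if report.first_encrypted is None or mtime < report.first_encrypted:
                    report.first_encrypted = mtime
            elif lower == RANSOM_NOTE:
                report.notes.append(path)
            elif lower == "desktop.ini" and now - os.path.getmtime(path) <= window_seconds:
                report.desktop_ini.append(path)
    return report


def original_name(encrypted_path: str) -> str:
    """Recover the pre-encryption file name for the inventory (contents stay encrypted)."""
    base = os.path.basename(encrypted_path)
    return base[:-len(ENCRYPTED_EXT)] if base.lower().endswith(ENCRYPTED_EXT.lower()) else base


if __name__ == "__main__":
    import sys
    r = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"encrypted: {len(r.encrypted)}, notes: {len(r.notes)}, "
          f"recent desktop.ini: {len(r.desktop_ini)}, first encrypted mtime: {r.first_encrypted}")
```

Run it against a mounted image or a suspect share; the `first_encrypted` timestamp is a useful anchor when pulling logs for the hours before the encryption started.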
What next?
In conclusion, RedEnergy is a sophisticated malware that operates as a stealer and ransomware. It uses deceptive techniques, such as masquerading as legitimate browser updates and utilizing persistence mechanisms to maintain its presence on infected systems.
With its ability to steal sensitive information, encrypt files, and demand ransom for their release, RedEnergy poses a significant risk to individuals and organizations. This underscores the importance of robust cybersecurity measures and vigilant online behavior.
How did RedEnergy Stealer infiltrate my computer?
RedEnergy employs a deceptive redirection technique to infect computers, targeting industries with notable LinkedIn pages. Users who attempt to access a targeted company’s website through their LinkedIn profile are unknowingly redirected to a malicious site.
Once there, they are prompted to install what appears to be a legitimate browser update. However, they inadvertently download the RedEnergy executable instead of a genuine update.
To further deceive victims, the campaign uses a disguised download domain that poses as a ChatGPT site, enticing users to download a fake offline version of ChatGPT. This fake version also contains a malicious executable used to distribute RedEnergy.
Multiple related campaigns have been discovered, all employing the FAKEUPDATES tactic and reusing infrastructure and tactics to maximize their impact and profits. The cybercriminals responsible for these campaigns target organizations across various industries, leveraging their established reputations and online presence to effectively deceive unsuspecting users.
How to avoid installing malware?
To protect your computer, it is crucial to regularly update your operating system and software. When dealing with email attachments or encountering suspicious links, especially from unfamiliar or untrusted sources, exercise caution and remain vigilant.
Additionally, it is recommended to use reputable antivirus or anti-malware software to provide an additional layer of protection. Conduct regular system scans to identify and address potential threats. Moreover, avoid downloading files from untrusted websites and be cautious of pop-up advertisements or deceptive download buttons that may lead to malicious content.