Cybercriminals are distributing Excel XLL files that download and install the RedLine password and information-stealing malware via spamming website contact forms and discussion forums.
RedLine is a data-stealing Trojan that takes cookies, usernames and passwords, and credit card information from infected web browsers, as well as FTP credentials and files.
In addition to stealing data, RedLine can execute commands, download and launch other malware, and take screenshots of the active Windows desktop.
All of this information is collected and sent back to the attackers, who sell it on criminal marketplaces or use it for further fraud and other malicious activity.
Over the last two weeks, several phishing lures have been sent to BleepingComputer’s contact forms, including phoney advertising requests, holiday gift guides, and website promotions.
After investigating the lures, BleepingComputer determined that this is a broad campaign targeting numerous websites that run public forums or article comment systems.
In several of the phishing lures identified by BleepingComputer, the threat actors set up bogus websites to host the malicious Excel XLL files that install the malware.
One campaign, for example, used the following spam message together with a spoof website that mimicked the legitimate Plutio site.
Of particular interest is a lure aimed at website owners: it asks to advertise on their sites and invites them to review the terms of the offer, which are delivered as a malicious ‘terms.xll’ file that installs the malware when opened.
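The ‘terms.xll’ lure works because an XLL is not a spreadsheet at all: it is a native Windows DLL that Excel loads, and its `xlAutoOpen` export runs as soon as the add-in is opened. A defender triaging files that arrive through contact forms or forum posts can therefore flag an attachment as native code before anyone opens it. The script below is an added example, not code from the article or from BleepingComputer; it checks whether a file has a PE header, whether the strings of the standard add-in exports are present, and whether the name and content agree. The PE bytes it builds are constructed test data, and the verdict labels are this example's own.

```python
# Added triage helper for Excel add-in (.xll) attachments (example code,
# not from the article). An XLL is a Windows DLL whose xlAutoOpen export
# runs when Excel opens it, so an unsolicited XLL is worth blocking on
# sight. The sample PE images below are constructed, not real malware.
import struct
from pathlib import PurePath

# Exports the Excel add-in loader calls; a real XLL carries these names
# as ASCII strings in its export table.
XLL_ENTRY_EXPORTS = (b"xlAutoOpen", b"xlAutoClose", b"xlAddInManagerInfo")
# Magic bytes of genuine spreadsheets: OOXML (zip) and legacy OLE2.
OFFICE_DOC_MAGIC = (b"PK\x03\x04", b"\xd0\xcf\x11\xe0")


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xll_exports_present(data: bytes) -> list:
    """Names of the add-in entry points found as strings in the image."""
    return [name.decode() for name in XLL_ENTRY_EXPORTS if name in data]


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment by what its bytes actually are, not its name."""
    ext = PurePath(filename).suffix.lower()
    pe = is_pe_image(data)
    exports = xll_exports_present(data) if pe else []
    if pe and exports:
        verdict = "native-xll-addin"   # runs code on open; block unless expected
    elif pe:
        verdict = "native-code"        # a DLL/EXE hiding under a document name
    elif ext == ".xll":
        verdict = "xll-name-not-pe"    # name claims add-in, bytes do not
    elif any(data.startswith(m) for m in OFFICE_DOC_MAGIC):
        verdict = "office-document"    # still needs macro/link review
    else:
        verdict = "other"
    return {"filename": filename, "is_pe": pe,
            "xll_exports": exports, "verdict": verdict}


def build_constructed_pe(with_xll_exports: bool) -> bytes:
    """Constructed stand-in for a PE file: MZ stub, e_lfanew -> 'PE\\0\\0'."""
    img = bytearray(0x100)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)   # e_lfanew
    img[0x80:0x84] = b"PE\x00\x00"
    if with_xll_exports:
        img += b"xlAutoOpen\x00xlAutoClose\x00"
    return bytes(img)


if __name__ == "__main__":
    # Constructed inputs: the lure file name from the article with a fake
    # add-in body, a PE renamed to look like a workbook, and a real-looking
    # OOXML header.
    samples = [
        ("terms.xll", build_constructed_pe(True)),
        ("gift-guide.xlsx", build_constructed_pe(False)),
        ("terms.xll", b"not a binary at all"),
        ("report.xlsx", b"PK\x03\x04" + bytes(64)),
    ]
    for name, blob in samples:
        print(triage_attachment(name, blob))
```

The point of checking the bytes rather than the extension is that Excel decides how to treat the file by its content: a PE image with the add-in exports will be loaded as native code whatever it is called, while a genuine workbook starts with a zip or OLE2 signature. Any attachment that comes back as `native-xll-addin` or `native-code` from an unsolicited contact-form submission should be quarantined rather than opened.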