Russian businesses that use unlicensed corporate software have fallen victim to an ongoing information-stealing campaign, researchers have found.
The cybercriminals behind the campaign, which began in January of this year, have been distributing the well-known info-stealer malware RedLine on local online forums frequented by business owners and accountants. They disguise it as a tool designed to bypass licensing requirements for business automation software.
To evade detection by security vendors, the attackers instruct victims to disable antivirus services on their devices, claiming that the pirated software would not work otherwise, according to a new report by Russian cybersecurity firm Kaspersky.
RedLine is sold as a service for criminals on underground forums. It can exfiltrate sensitive information from browsers and messengers or detailed data about an infected system and its users.
Earlier in October, U.S. authorities identified and charged a Russian national, Maxim Rudometov, with developing and administering RedLine. In November, international law enforcement took down the infrastructure behind the malware, but it appears that the criminals have found another way to use it.
Kaspersky hasn’t attributed this campaign to a particular threat actor and didn’t say if the campaign is financially or politically motivated.
“The attackers behind this campaign are clearly interested in gaining access to organizations of Russian-speaking entrepreneurs who use software to automate business processes,” researchers said.
Abusing pirated software to infect users is a common tactic among cybercriminals, but Russian users are particularly vulnerable to such attacks. Since Moscow’s invasion of Ukraine, many Western companies, including tech giants like Microsoft, have suspended their services in Russia and revoked licensing for software already used by Russian businesses.
Kaspersky admitted that disguising malware as a tool to help victims bypass license checks is not uncommon. “However, the fact that they are targeting businesses rather than individual users seems quite unusual,” researchers said.
Recorded Future
Intelligence Cloud.
No previous article
No new articles
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.