Pirated corporate software infects Russian businesses with info-stealing malware

Avatar

Russian businesses that use unlicensed corporate software have fallen victim to an ongoing information-stealing campaign, researchers have found.

The cybercriminals behind the campaign, which began in January of this year, have been distributing the well-known info-stealer malware RedLine on local online forums frequented by business owners and accountants. They disguise it as a tool designed to bypass licensing requirements for business automation software.

To evade detection by security vendors, the attackers instruct victims to disable antivirus services on their devices, claiming that the pirated software would not work otherwise, according to a new report by Russian cybersecurity firm Kaspersky.

RedLine is sold as a service for criminals on underground forums. It can exfiltrate sensitive information from browsers and messengers or detailed data about an infected system and its users.

Earlier in October, U.S. authorities identified and charged a Russian national, Maxim Rudometov, with developing and administering RedLine. In November, international law enforcement took down the infrastructure behind the malware, but it appears that the criminals have found another way to use it.

Kaspersky hasn’t attributed this campaign to a particular threat actor and didn’t say if the campaign is financially or politically motivated.

“The attackers behind this campaign are clearly interested in gaining access to organizations of Russian-speaking entrepreneurs who use software to automate business processes,” researchers said.

Abusing pirated software to infect users is a common tactic among cybercriminals, but Russian users are particularly vulnerable to such attacks. Since Moscow’s invasion of Ukraine, many Western companies, including tech giants like Microsoft, have suspended their services in Russia and revoked licensing for software already used by Russian businesses.

Kaspersky admitted that disguising malware as a tool to help victims bypass license checks is not uncommon. “However, the fact that they are targeting businesses rather than individual users seems quite unusual,” researchers said.

CybercrimeNewsNews BriefsIndustryMalware
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 

Total
0
Shares
Previous Post

Romania annuls presidential election over alleged Russian interference

Next Post

Learn How Experts Secure Privileged Accounts—Proven PAS Strategies Webinar

Related Posts

Experts Uncover 70,000 Hijacked Domains in Widespread ‘Sitting Ducks’ Attack Scheme

Multiple threat actors have been found taking advantage of an attack technique called Sitting Ducks to hijack legitimate domains for using them in phishing attacks and investment fraud schemes for years. The findings come from Infoblox, which said it identified nearly 800,000 vulnerable registered domains over the past three months, of which approximately 9% (70,000) have been subsequently
Avatar
Read More

5 Ways Behavioral Analytics is Revolutionizing Incident Response

Behavioral analytics, long associated with threat detection (i.e. UEBA or UBA), is experiencing a renaissance. Once primarily used to identify suspicious activity, it’s now being reimagined as a powerful post-detection technology that enhances incident response processes. By leveraging behavioral insights during alert triage and investigation, SOCs can transform their workflows to become more
Avatar
Read More