A new campaign exploits the ExpressVPN brand to trick people into downloading fake installers containing Redline, a widely distributed information stealer.
Victims infect themselves by launching the fake installer, believing they are about to set up the popular VPN tool, and end up losing sensitive data to cybercriminals.
The campaign was discovered by Cyble Research & Intelligence Labs researchers, who shared their findings exclusively with RestorePrivacy.
The ongoing brand impersonation campaign uses typosquatting domains made to appear close to ExpressVPN’s actual domain, “expressvpn.com.”
Typosquatting is a technique involving the registration of domain names that are similar to those of the impersonated brands, usually featuring additional characters or letter swaps.
Six examples uncovered by Cyble while investigating this campaign are:
Victims end up on these sites via phishing emails, malvertising, SEO poisoning, instant messages, or posts on social media and forums.
The sites closely mimic the real ExpressVPN site, down to the three-month free offer the vendor promoted as part of its Black Friday deal.
The threat actors made sure to use valid SSL certificates so that their scam sites appear trustworthy to both humans and security tools.
Clicking on the embedded button to claim the exclusive deal initiates a ZIP download from a Discord app URL.
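The two indicators described so far, lookalike domains built from the brand name and a ZIP archive fetched from a Discord URL, are both visible in web proxy logs. The following is an added example, not code from the article or from Cyble, of a small scanner that folds common homoglyphs, compares each second-level label against the brand name by edit distance, and flags ZIP downloads from the Discord CDN. The log lines, the lookalike hostnames, and the `.example` domains in it are constructed for the demo; they are not the real typosquatting domains the article refers to, and the log format, the edit-distance threshold of 2, and the simplistic "last two labels" view of a registered domain are assumptions.

```python
"""Flag lookalike brand domains and Discord-hosted ZIP downloads in proxy logs.

Added illustrative example; the log lines and hostnames below are constructed.
"""
from urllib.parse import urlsplit

BRAND_DOMAIN = "expressvpn.com"
BRAND_LABEL = "expressvpn"
# Hosts Discord serves user attachments from; the article only says "a Discord app URL".
DISCORD_CDN_SUFFIXES = ("discordapp.com", "discord.com")


def normalize_label(label: str) -> str:
    """Fold common homoglyph tricks (0->o, 1->l, 3->e, 5->s, vv->w, rn->m)."""
    label = label.lower().replace("vv", "w").replace("rn", "m")
    return label.translate(str.maketrans("0135", "oles"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_label(label: str) -> bool:
    """True if a DNS label contains or closely resembles the brand name."""
    norm = normalize_label(label)
    if BRAND_LABEL in norm:
        return True
    # Threshold of 2 is an assumption; tune it against your own false-positive rate.
    return any(levenshtein(piece, BRAND_LABEL) <= 2 for piece in norm.split("-") if piece)


def classify_host(host: str) -> str:
    """Return 'legit', 'lookalike', or 'other' for a hostname."""
    host = host.lower().rstrip(".")
    if host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN):
        return "legit"
    labels = host.split(".")
    if len(labels) < 2:
        return "other"
    # Check every label except the TLD, so "expressvpn.evil.example" is caught too.
    return "lookalike" if any(lookalike_label(l) for l in labels[:-1]) else "other"


def is_discord_cdn(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in DISCORD_CDN_SUFFIXES)


def scan_log(lines):
    """Yield (source_ip, host, reason) for each suspicious request.

    Assumed line format: '<timestamp> <src_ip> <method> <url> <status>'.
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, src, _method, url = parts[:4]
        split = urlsplit(url)
        host = split.hostname or ""
        if classify_host(host) == "lookalike":
            findings.append((src, host, "brand lookalike domain"))
        if is_discord_cdn(host) and split.path.lower().endswith(".zip"):
            findings.append((src, host, "zip download from Discord CDN"))
    return findings


# Constructed sample log; none of these lookalike hosts are real indicators.
SAMPLE_LOG = """\
2023-11-24T10:01:02Z 10.0.0.5 GET https://www.expressvpn.com/order 200
2023-11-24T10:02:15Z 10.0.0.7 GET https://expresvpn-blackfriday.example/ 200
2023-11-24T10:02:40Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/1/2/Setup.zip 200
2023-11-24T10:03:01Z 10.0.0.9 GET https://expressvpm.com/ 200
2023-11-24T10:03:30Z 10.0.0.9 GET https://news.example.org/ 200
""".splitlines()

if __name__ == "__main__":
    for src, host, reason in scan_log(SAMPLE_LOG):
        print(f"{src}\t{host}\t{reason}")
```

The pairing of the two reasons for the same source address (a lookalike-domain visit followed by a ZIP from Discord) is the pattern to correlate on; either signal alone will produce noise, since Discord attachments are common and an edit distance of 2 will occasionally match an unrelated name.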
The file, “Setup.zip,” contains an executable (setup.exe) that has been artificially inflated in size; oversized files are a common trick for slipping past the size limits of sandboxes and AV scanners so the sample is never analyzed.
Running the executable injects Redline into a digitally signed compiler program so that it runs directly from memory under a trusted process, preventing security tools from raising any alarms.
Next, the stealer fetches its configuration from the command and control server, which specifies what data to target on the infected computer.
Redline can steal account credentials, autofill data, cookies, and credit cards stored on Chrome-based browsers and Firefox. It can also target cryptocurrency wallet plugins, cold wallet accounts, VPNs, Discord, Steam, and more.
Redline is a MaaS (malware as a service) information stealer sold to cybercriminals on the dark web for a monthly subscription fee, and it is currently one of the most widely deployed stealers of its kind.
To minimize the chances of a Redline infection, ensure that you always download software from official vendor sites, and avoid following links sent via email, SMS, instant messages, etc.
Additionally, scan downloaded installers with your AV tool before launching them, and check that the file size is plausible for that type of application.
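The artificially inflated installer described earlier and the advice above to check that an installer's size looks right suggest a simple pre-launch triage check. The following is an added example, not code from the article, from Cyble, or from any AV product, that measures how much of a file is a trailing run of zero bytes, the entropy of its tail, and whether its size exceeds what the caller expects for that kind of application. The sample bytes are constructed (a deterministic pseudo-random body followed by 64 KiB of zeros); the 50% padding threshold, the 1-bit tail-entropy threshold, and the `max_expected_bytes` figure are assumptions to tune for your environment.

```python
"""Heuristics for spotting an installer padded to an unnatural size.

Added illustrative example; the sample files below are constructed.
"""
import hashlib
import math


def trailing_run_length(data: bytes, byte: int = 0) -> int:
    """Length of the run of `byte` at the very end of the data."""
    return len(data) - len(data.rstrip(bytes([byte])))


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte (0.0 for all-identical bytes, 8.0 for uniform)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_installer(data: bytes, max_expected_bytes: int, tail_window: int = 4096) -> dict:
    """Return size, padding ratio, tail entropy and a list of flags for a file image."""
    size = len(data)
    padding = trailing_run_length(data)
    padding_ratio = padding / size if size else 0.0
    tail_entropy = shannon_entropy(data[-tail_window:])
    flags = []
    if size > max_expected_bytes:
        flags.append("size exceeds expectation for this application type")
    if padding_ratio > 0.5:
        flags.append("zero-padded tail")
    if tail_entropy < 1.0:
        flags.append("low-entropy tail")
    return {
        "size": size,
        "padding_ratio": padding_ratio,
        "tail_entropy": tail_entropy,
        "flags": flags,
        "suspicious": bool(flags),
    }


# Constructed samples: a 4 KiB high-entropy body with a non-zero last byte,
# and the same body followed by 64 KiB of zero padding.
SAMPLE_CONTENT = b"MZ" + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)) + b"\x01"
PADDED_SAMPLE = SAMPLE_CONTENT + b"\x00" * 65536

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_CONTENT), ("padded", PADDED_SAMPLE)):
        r = assess_installer(blob, max_expected_bytes=8192)
        print(name, r["size"], f"{r['padding_ratio']:.2%}", f"{r['tail_entropy']:.2f}", r["flags"])
```

The zero-run and entropy checks only catch padding made of repeated bytes; an installer inflated with random data will show a high-entropy tail, which is why the size-versus-expectation check is kept as the backstop. Genuine installers can also carry large zero-filled resource sections, so treat the flags as a reason to scan and inspect the file, not as a verdict on their own.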