Attackers have been caught distributing a malicious .NET-based build of the HPDxLIB activator, passed off as a new version and signed with a self-signed certificate, to entrepreneurs who rely on business automation software, with the aim of compromising their systems.
On various forums the people behind the campaign share these activators, aimed specifically at business owners and accountants, presenting them as legitimate tools for bypassing licensing restrictions and even advertising an update feature. Hidden inside these seemingly harmless tools is a payload built to compromise whoever installs them.
Security products flag the HPDxLIB assembly, a component commonly bundled with pirated software, as potentially containing the RedLine stealer. Despite those warnings, the forum posts instruct users to disable their security software before running the activator, which removes the one control that would have stopped the infection.
The attackers rely on deception rather than on a software vulnerability: they distribute a malicious dynamic library disguised as a legitimate one and tell users to replace the original file with it. When the user launches the patched software, the legitimate process loads the malicious library, which in turn runs the RedLine stealer. The whole chain exploits user trust, not a bug in the software.
Inside the malicious techsys.dll is a heavily obfuscated resource named loader.hpdx.dll (or its compressed variant, loader.hz) that carries a large suspicious data block. This encrypted payload most likely contains the RedLine stealer; it is stored in a structure the loader treats as an EncryptedContainer, whose fields hold the data together with the parameters needed to initialise decryption.
The payload is protected in layers: it is compressed, encrypted with AES-256 in CBC mode, and then Base85-encoded, so the loader has to reverse all three steps before it can use it. The AES key and initialization vector are not stored in the clear either; the obfuscated library hides its cryptographic parameters with a fixed-key XOR and only recovers them at runtime, which is why a static string search of the DLL turns up nothing useful.
According to Securelist, the library decodes the Base85 string, decrypts the result with AES-256-CBC using a key and IV derived from SHA-512 hashes, decompresses the decrypted data, and finally loads the unpacked RedLine stealer directly from that byte array with Assembly.Load().
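To make the chain in the three paragraphs above concrete, here is an added example that reimplements the unpacking sequence (fixed-key XOR for the hidden secret, Base85 decode, AES-256-CBC decrypt, decompress) as a small Go tool of the kind an analyst writes to pull the payload out statically. It is editorial code, not the loader's own code and not Securelist's; the following are assumptions made only so that it runs offline: a single-byte XOR key of 0x5A, a key/IV derivation that splits SHA-512(secret) into the first 32 bytes (key) and next 16 bytes (IV), PKCS#7 padding, gzip compression, Go's Ascii85 flavour of Base85, and a constructed secret and payload. `Pack` exists only to build that sample; `Unpack` and `IsDotNetPE` are the part you would point at a real resource.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha512"
	"encoding/ascii85"
	"errors"
	"fmt"
	"io"
)

// xorKey is an assumed single-byte key standing in for the loader's fixed XOR key.
const xorKey = 0x5A

// xorBytes applies a fixed-key XOR; it is its own inverse, which is why a static
// key offers no real protection once an analyst finds it.
func xorBytes(data []byte, key byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key
	}
	return out
}

// deriveKeyIV models "SHA-512-derived key and IV". The exact split is an
// assumption: key = first 32 bytes of SHA-512(secret), IV = the following 16.
func deriveKeyIV(secret []byte) (key, iv []byte) {
	sum := sha512.Sum512(secret)
	return sum[:32], sum[32:48]
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding instead of
// silently returning garbage (a wrong key almost always fails here).
func pkcs7Unpad(buf []byte) ([]byte, error) {
	if len(buf) == 0 || len(buf)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	n := int(buf[len(buf)-1])
	if n == 0 || n > aes.BlockSize || n > len(buf) {
		return nil, errors.New("bad padding length")
	}
	for _, b := range buf[len(buf)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return buf[:len(buf)-n], nil
}

// Unpack reverses the chain in the order the article gives: Base85 decode,
// AES-256-CBC decrypt, decompress. The result is what the loader would hand
// to Assembly.Load(); here it is simply returned for inspection.
func Unpack(encoded string, obfuscatedSecret []byte) ([]byte, error) {
	key, iv := deriveKeyIV(xorBytes(obfuscatedSecret, xorKey))
	ct, err := io.ReadAll(ascii85.NewDecoder(bytes.NewReader([]byte(encoded))))
	if err != nil {
		return nil, fmt.Errorf("base85: %w", err)
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block-aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt); err != nil {
		return nil, fmt.Errorf("aes-cbc: %w", err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt))
	if err != nil {
		return nil, fmt.Errorf("decompress: %w", err)
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// Pack is the forward chain (compress, encrypt, Base85) used only to build a
// constructed sample; real analysis starts from the extracted resource.
func Pack(plain []byte, obfuscatedSecret []byte) (string, error) {
	key, iv := deriveKeyIV(xorBytes(obfuscatedSecret, xorKey))
	var zbuf bytes.Buffer
	zw := gzip.NewWriter(&zbuf)
	if _, err := zw.Write(plain); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	padLen := aes.BlockSize - zbuf.Len()%aes.BlockSize
	padded := append(append([]byte{}, zbuf.Bytes()...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	var out bytes.Buffer
	enc := ascii85.NewEncoder(&out)
	if _, err := enc.Write(ct); err != nil {
		return "", err
	}
	if err := enc.Close(); err != nil {
		return "", err
	}
	return out.String(), nil
}

// IsDotNetPE is the sanity check applied before treating output as an assembly:
// a .NET assembly is a PE file and therefore starts with "MZ".
func IsDotNetPE(b []byte) bool {
	return len(b) >= 2 && b[0] == 'M' && b[1] == 'Z'
}

func main() {
	// Constructed inputs: a fake assembly and a secret stored XOR-obfuscated.
	payload := []byte("MZ\x90\x00 constructed stand-in for the unpacked stealer")
	obfSecret := xorBytes([]byte("constructed-loader-secret"), xorKey)
	encoded, err := Pack(payload, obfSecret)
	if err != nil {
		panic(err)
	}
	got, err := Unpack(encoded, obfSecret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Base85 blob: %s\nrecovered %d bytes, PE header present: %v\n", encoded, len(got), IsDotNetPE(got))
}
```

When pointing `Unpack` at a real sample, the Base85 alphabet, the key/IV derivation and the compression format all have to be read out of the disassembled loader rather than guessed; the structure of the tool stays the same, and a wrong guess shows up as a padding or decompression error rather than as a plausible-looking blob.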
RedLine is sold as malware-as-a-service: different threat actors distribute the stealer, apparently on a subscription basis, and their samples report to a shared command-and-control server. In this campaign the operators are specifically targeting Russian-speaking entrepreneurs, using the promise of bypassing license checks as the lure that gets the stealer onto machines holding critical business information.
Organizations that run pirated software and activators expose themselves to data theft, follow-on attacks, and reputational damage. Licensed software, and security tooling that is never switched off on request, are the basic controls that keep sensitive data and operations out of reach of this kind of campaign.
In short, activators dressed up as legitimate tools are a real threat to businesses. Organizations should stay alert to such offers, stick to licensed software, and keep their security measures in place so that a convincing forum post cannot talk them into running a stealer.

