A new version of the ScrubCrypt obfuscation tool has been discovered for sale in underground communities. This tool is used by threat actors to bypass antivirus software and launch attacks [1]. In conjunction with the RedLine Stealer malware [3], this new build of ScrubCrypt has been observed targeting organizations.

Description

The attack involves a batch (.bat) file that is downloaded to the victim’s device [3]. This file carries a base64-encoded payload [3], which researchers have identified as RedLine Stealer. RedLine Stealer is a well-known malware that aims to compromise accounts by stealing cookies [2], browser login data [2] [3], and locally-stored login information [2] [3]. With this stolen information, threat actors can conduct account takeover and account fraud attacks by logging in with the stolen credentials or reusing the stolen cookies [2]. The new build of ScrubCrypt is hosted in Russia [3], while the command-and-control server for RedLine Stealer is hosted by an American provider [3]. HUMAN customers are protected from account takeover and fraud attacks involving stealer malware [1], including this version of ScrubCrypt [1].
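The delivery described above relies on a batch file carrying a base64-encoded payload. As an added example (not code from the cited reports), the following triage heuristic flags batch scripts that embed long base64 runs decoding to high-entropy data. The thresholds, function names and sample script are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Assumed thresholds, not taken from the cited reports; tune on your own corpus.
MIN_RUN = 200        # shortest base64-looking run worth decoding, in characters
MIN_ENTROPY = 6.0    # bits per byte; packed or encrypted data sits close to 8
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    total = len(data)
    return sum(n / total * math.log2(total / n) for n in Counter(data).values())


def find_embedded_blobs(script_text: str) -> list:
    """Report every long base64 run in a batch script, with decoded size and entropy."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for match in B64_RUN.finditer(line):
            core = match.group(0).rstrip("=")
            core = core[: len(core) // 4 * 4]   # whole 4-char groups always decode
            decoded = base64.b64decode(core, validate=True)
            entropy = shannon_entropy(decoded)
            findings.append({
                "line": lineno,
                "decoded_bytes": len(decoded),
                "entropy": round(entropy, 2),
                "suspicious": entropy >= MIN_ENTROPY,
            })
    return findings


# Constructed sample: the "payload" is SHA-256 output standing in for packed data.
_fake_payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
SAMPLE_BAT = "\n".join([
    "@echo off",
    "rem constructed sample for triage testing",
    'set "blob=' + base64.b64encode(_fake_payload).decode() + '"',
    'set "filler=' + "A" * 400 + '"',
])

if __name__ == "__main__":
    for finding in find_embedded_blobs(SAMPLE_BAT):
        print(finding)
```

The entropy check separates packed or encrypted blobs from long but repetitive strings; a hit is a reason to inspect the file, not a verdict on it.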

Conclusion

To mitigate the risks associated with this type of attack, it is recommended to deploy protections against cookie-stealing attacks [3]. Additionally, using tools to flag users with leaked or stolen credentials and implementing two-factor authentication can strengthen account security. It is crucial to stay vigilant and proactive in defending against evolving threats like this new version of ScrubCrypt and its use alongside RedLine Stealer.

References

[1] https://www.humansecurity.com/learn/blog/human-satori-threat-intelligence-alert-account-takeover-attacks-use-scrubcrypt-to-deploy-redline-stealer-malware
[2] https://ciso2ciso.com/redline-stealer-malware-deployed-via-scrubcrypt-evasion-tool-source-www-infosecurity-magazine-com/
[3] https://www.infosecurity-magazine.com/news/redline-stealer-malware-scrubcrypt/