Press Releases

Ernie Ferraresso Appointed to FL Cybersecurity Advisory Council


December 9, 2024—Tampa, Fla—Cyber Florida at USF is proud to announce Governor Ron DeSantis’ appointment of Director Ernie Ferraresso to the Florida Cybersecurity Advisory Council. This appointment highlights the state’s unwavering commitment to enhancing cyber defense and safeguarding critical infrastructure.

Ferraresso, a distinguished veteran of the United States Marine Corps, brings a wealth of experience and leadership to the council. As Cyber Florida’s director, he spearheads efforts to advance the state’s cybersecurity initiatives through education, outreach, research, and workforce development. Ferraresso also serves as a Senior Fellow at Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, contributing to national strategies for securing vital systems against cyber threats.

“I am honored to join the Florida Cybersecurity Advisory Council and support the state’s mission to strengthen its defenses against evolving cyber threats,” said Ferraresso. “Cyber Florida’s commitment to collaboration and innovation aligns seamlessly with the council’s goals, and I look forward to contributing to a safer and more secure Florida.”

Ferraresso earned his bachelor’s degree from Barry University and has dedicated his career to addressing the challenges of cybersecurity and critical infrastructure protection. His expertise will help guide the council in shaping policies and strategies to bolster Florida’s cyber resilience.

The Florida Cybersecurity Advisory Council plays a pivotal role in providing guidance to protect the state’s critical systems and infrastructure, ensuring Florida remains at the forefront of cybersecurity preparedness.

Ferraresso is available for interviews through December 18, 2024. Please make arrangements through Cyber Outreach Manager Jennifer Kleman at jennifer437@cyberflorida.org. For more information about Cyber Florida and its mission to advance cybersecurity in the state, visit https://cyberflorida.org/.

ABOUT CYBER FLORIDA AT USF

The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as Cyber Florida at USF, was established by the Florida Legislature in 2014. Its mission is to position Florida as a national leader in cybersecurity through comprehensive education, cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives to inspire and educate both current and future cybersecurity professionals, advance applied research, and enhance cybersecurity awareness and safety of individuals and organizations.


phaseZERO: Innovation Incubator Announced


Cyber Florida at USF Announces phaseZERO: Innovation Incubator to Boost Cybersecurity Innovation in Florida

December 2, 2024—Tampa, Fla—Cyber Florida at USF is proud to announce the launch of phaseZERO: Innovation Incubator, an innovative seed fund initiative designed to support Florida-based researchers and emerging entrepreneurs in transforming cutting-edge cybersecurity ideas into thriving businesses. With a focus on commercializing cybersecurity innovations, strengthening critical infrastructure, and creating new opportunities, phaseZERO aims to establish Florida as a national leader in cybersecurity entrepreneurship.

Modeled after the Small Business Administration’s SBIR/STTR Phase I programs, phaseZERO addresses critical gaps in seed funding and provides expert mentorship, complementing existing statewide efforts like the Florida High-Tech Corridor, I-Corps, and local incubators and accelerators.

“This program is about removing barriers for innovators,” said Dr. Manish Agrawal, academic director of Cyber Florida at USF and USF professor. “By providing funding and mentorship without taking equity, we’re enabling Florida’s entrepreneurs to focus on what matters most: building solutions that strengthen our cybersecurity resilience.”

Program Highlights

For this round of funding, phaseZERO will award up to $60,000 each to up to four emerging Florida companies (not to exceed $240,000 total) selected through a rigorous, three-stage evaluation process:

  • Stage 1: Applicants submit a completed application and a brief business plan for technical and business evaluation by a Cyber Florida Entrepreneur-in-Residence (EIR).
  • Stage 2: Selected applicants pitch their plans to an evaluation panel during a virtual event.
  • Stage 3: The evaluation panel selects awardees who receive funding in installments while working with an EIR to establish their business, secure further funding, and prepare for operations.

Funded companies gain access to Cyber Florida’s expansive network of state innovation ecosystem partners, including universities, accelerators, and industry leaders.

Timeline

  • Application Launch: December 2, 2024
  • Application Deadline: January 3, 2025
  • Pitch Event Invitations: January 10, 2025
  • Pitch Event: January 24, 2025

Through phaseZERO, Cyber Florida continues its mission to foster research partnerships, attract cybersecurity companies to Florida, and enable the creation of new ventures.

For more information about phaseZERO, application details, and how to get involved, visit cyberflorida.org/phasezero.



FloridaMakes Partnership Announced


Cyber Florida at USF and FloridaMakes Forge Partnership to Bolster Cybersecurity and Economic Resilience in Florida

August 30, 2024—Tampa, Fla—In a strategic move to fortify local economies across the Sunshine State, Cyber Florida at USF and FloridaMakes proudly announce a collaborative partnership aimed at amplifying economic growth and resilience while bolstering cybersecurity measures and awareness. The pervasive and costly cybersecurity threats facing businesses in Florida pose a significant challenge, particularly for small businesses with limited resources to recover from cyber incidents such as data breaches, ransomware attacks and business email compromise. Moreover, critical infrastructure businesses, including critical manufacturing and defense industrial base (DIB) companies, have increasingly become targets for threat actors due to their substantial impact on state and national security.

“This partnership with FloridaMakes is a significant step forward in our mission to help protect and empower Florida’s critical industries,” said Ernie Ferraresso, Director of Cyber Florida at USF. “By combining our cybersecurity expertise with FloridaMakes’ deep industry knowledge, we are not only enhancing the resilience of our manufacturing and defense sectors but also ensuring that businesses across the state can thrive in a more secure digital environment.”

Cyber Florida at USF, dedicated to advancing cybersecurity training and awareness initiatives across the state, offers an array of resources ranging from research and development to community grant programs and training opportunities. Central to its mission is the Critical Infrastructure Risk Assessment (CIRA) platform, a vital tool developed in partnership with the Department of Energy’s Idaho National Lab (INL) and based on the Department of Homeland Security’s Cybersecurity Evaluation Tool (CSET) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

FloridaMakes has experience working with the state’s manufacturing and defense industries to provide awareness training on information security vulnerabilities and best practices. FloridaMakes also has substantial experience facilitating assessments of information security posture, policies and preparedness of Florida manufacturers and defense contractors in relation to federal and customer requirements.

“This partnership exemplifies the synergy between industry and government in addressing cybersecurity challenges head-on,” said Kevin Carr, President and CEO of FloridaMakes. “By joining forces, we are not only bolstering the security of Florida’s manufacturing and critical infrastructure sectors but also positioning the state as a national leader in secure manufacturing and critical infrastructure protection.”

Cyber Florida at USF, in collaboration with INL, integrated the new NIST CSF 2.0 update earlier this year into the CIRA platform. This integration represents a significant update to the cybersecurity assessment capabilities available to enterprises and institutions across the state and will be made available to manufacturing and DIB companies statewide through the joint efforts of Cyber Florida and FloridaMakes.

For additional information or to arrange an interview, please contact Cyber Outreach Manager Jennifer Kleman, APR, CPRC at jennifer437@cyberflorida.org.

ABOUT CYBER FLORIDA AT USF
The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as Cyber Florida at USF, was established by the Florida Legislature in 2014. Its mission is to position Florida as a national leader in cybersecurity through comprehensive education, cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives to inspire and educate both current and future cybersecurity professionals, advance applied research, and enhance cybersecurity awareness and safety of individuals and organizations. Visit cyberflorida.org for more information and valuable resources.

ABOUT FLORIDAMAKES
FloridaMakes is a statewide, industry-led, public-private partnership operated by an alliance of Florida’s regional manufacturer associations and organizations that serve manufacturers. FloridaMakes’ sole mission is strengthening and advancing Florida’s economy by improving the competitiveness, productivity and technological performance of its manufacturing sector, with an emphasis on small- and medium-sized firms. It accomplishes this by providing services focused on three principal value streams: technology adoption, talent development, and business growth. FloridaMakes is the representative of the Manufacturing Extension Partnership (MEP) National Network in the state of Florida, a program of the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce. For more information, visit www.FloridaMakes.com.


Cyber Florida and SimSpace Featured on National News

Cyber Florida and our ARCS Range partner, SimSpace, have recently been featured in national news stories about the use of AI in the nation’s cybersecurity efforts. We’re proud to be at the forefront of statewide cybersecurity enhancement efforts.

Learn more about what the ARCS Range can do in the two-part Fox News story on FoxNews.com.

September 20, 2024

Cyber Florida Launches Timely Cybersecurity Policy Podcast


chat:CYBR offers expert insights and discussion for daily life

August 6, 2024—Tampa, Fla—Cyber Florida at USF has launched chat:CYBR, Cyber Florida’s policy podcast, dedicated to exploring the intersection of cybersecurity and policy making. chat:CYBR delves into the complex landscape of cybersecurity policy, offering expert insights and discussions on the most pressing issues facing today’s digital world.

From debates on data privacy and encryption to discussions on defending critical infrastructure and combating cybercrime, chat:CYBR equips leaders with the knowledge and understanding needed to make informed decisions and shape effective cybersecurity policies. Whether a legislator crafting new laws, a government official implementing cybersecurity strategies, or a policy advisor navigating the complexities of digital security, chat:CYBR is the go-to resource for staying ahead in the evolving realm of cybersecurity policy.

Join Cyber Florida hosts James Jacobs and Jordan Deiuliis as they unravel the challenges, explore innovative solutions, and chart the course toward a safer and more resilient digital future. Each episode takes you beyond the jargon and technical details, focusing on how cyber policy impacts our daily lives, businesses, and communities. chat:CYBR offers clear, accessible insights to keep you informed and empowered in the digital age so listeners can discover how new policies might affect their online behavior, what businesses need to know to stay compliant, and how governments are shaping the future of cybersecurity.

chat:CYBR podcasts can be found on the Cyber Florida website at https://cyberflorida.org/chatcybr/, on the Cyber Florida YouTube channel at https://www.youtube.com/@cybersecurityfl, or on your favorite podcast platforms.



Innovative Virtual Cyber Program for Florida Public Schools


Cyber Florida and Teaching Digital Natives Introduce Innovative Virtual Cyber Program for Florida Public Schools

No-cost curriculum supports Florida legislative requirements

July 15, 2024—Tampa, Fla—The Florida Center for Cybersecurity, also known as Cyber Florida at USF, and Teaching Digital Natives are delighted to introduce a collaboration to bring a new program to Florida Public Schools, titled Cyber Hygiene and Digital Citizenship. Developed by Teaching Digital Natives, this innovative virtual learning program features a gamified, interactive virtual reality environment designed for elementary and middle school-aged students.

In response to recent Florida legislation, the program includes curriculum covering social media etiquette to meet the mandated requirements for instruction on the social, emotional, and physical effects of social media.

To encourage students to learn about good cybersecurity practices and consider cybersecurity as a potential career path, Cyber Florida at USF is sponsoring a substantial number of seats in Florida public schools on a first-come, first-served basis.

The virtual reality experience is currently offered in both English and Spanish and incorporates real-life locations where cyber threats are likely to take place, including the home, the school, and even a local restaurant. One of the advantages of the digital curriculum is its agility: the Cyber Hygiene and Digital Citizenship course can be run synchronously or asynchronously, giving students the flexibility to complete it on their own timeline.

The program covers four core modules that include 20 lessons, five-to-seven minutes each, for about two hours of learning. These short and engaging lessons are designed to keep the attention of students and increase their learning retention.

Cyber Florida at USF is dedicated to advancing cybersecurity across Florida for grades K-12, leading cyber workforce development initiatives, and facilitating advanced applied research. Cyber Florida also engages millions through awareness campaigns and resources, safeguarding vulnerable populations and organizations.

Cyber Florida at USF Director Ernie Ferraresso says, “Incorporating Cyber Hygiene and Digital Citizenship highlights our commitment to integrate cybersecurity awareness and career education in Florida’s public schools while fulfilling our broader mission to lead the nation in cybersecurity education, research, and community engagement.”

Teaching Digital Natives is a non-profit educational initiative that provides technology, cybersecurity and digital literacy for kids. Its mission is to educate today’s youth and families and retool underserved communities to mitigate the dangers of the online world. It also aims to cultivate a strong technology workforce, making the Internet a more secure experience for everyone.

Teaching Digital Natives Director of Outreach Danielle Reyes says, “Our immersive, device-agnostic platform was created after years of research and development with leading professionals in the cybersecurity and education industries and aligns with the national standards for cybersecurity education. Additionally, our program supports the instructional requirements of House Bill 379, ensuring comprehensive education on the effects of social media. We are so excited to partner with Cyber Florida at USF to bring this program to Florida Public Schools at no cost to them.”

For more information and to submit a registration request, visit: https://www.teachingdigitalnatives.org/cyber-fl-program/.


ABOUT TEACHING DIGITAL NATIVES
Founded in Miami in 2017, Teaching Digital Natives is a nonprofit initiative focused on equipping youth with essential skills in technology, cybersecurity, soft skills, and leadership. Teaching Digital Natives is dedicated to empowering young people and families with the knowledge and tools needed to navigate the online world safely and confidently, fostering a secure digital environment for future generations.


Update to Program to Enhance Cybersecurity

Cyber Florida Announces Update to Program to Enhance Cybersecurity for Critical Infrastructure Organizations

The Critical Infrastructure Protection program assessment aligns with the recently released National Institute of Standards and Technology Cybersecurity Framework 2.0

June 6, 2024—Tampa, Fla—Cyber Florida, in partnership with Idaho National Laboratory (INL), has updated its Critical Infrastructure Protection (CIP) program to align with the recently released National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, which is widely used to reduce cybersecurity risk across public and private sectors and subsectors. Cyber Florida’s multi-assessment platform builds on the Department of Homeland Security’s Cyber Security Evaluation Tool (CSET®) and contains both the NIST CSF 2.0 Standard Question Set and the Ransomware Readiness Assessment modules. The tools and resources available through the CIP program are state-funded and provided at no charge to Florida’s private and public critical infrastructure organizations.

NIST CSF 2.0 is designed for all audiences, businesses, critical infrastructure (CI) sectors, and organizations, regardless of their degree of cybersecurity sophistication. NIST CSF 2.0 has added governance to the CSF’s core guidance to help organizations assess and achieve their cybersecurity goals.

“Since October 2022, more than 655 Florida organizations, companies, businesses, and government agencies have participated in the CIP program,” said Bryan Langley, Lead Program Manager at Cyber Florida. “We continue to support, develop and adopt greater cybersecurity measures and services to support the State of Florida’s public and private sector CI owners and operators.”

The State of Florida’s Legislature funded the risk assessment effort to support the state’s public and private sector entities with numerous, no-cost benefits for participating organizations, companies, and businesses. The assessment covers the NIST CSF 2.0 desired outcomes and provides several reports detailing an organization’s strengths and weaknesses to determine and leverage cyber risk reduction resources from Florida agencies, universities, and colleges. Measuring success comes from both the improvements made by the participants based on their individual reports and using the customized statewide dashboard (visualization tool) developed by INL to analyze CI sector/subsector risk across the state.

The CIP program is intended to assist small and medium-sized enterprises and resource-constrained county and municipal government entities in implementing basic cybersecurity protocols and policies to achieve a fundamental cybersecurity posture. This comprehensive initiative is designed to fortify the cybersecurity resilience of public and private critical infrastructure across the state.

In an era of increasing cyber threats and incidents, safeguarding critical infrastructure is paramount. The CIP program aims to empower organizations by providing high-quality cybersecurity resources, training, and support to defend against evolving cyber risks and recover from incidents. The resources available on the platform include the following:

  • A 20-question entry-level assessment, aligned with the NIST CSF and the DHS Ransomware Readiness Assessment (RRA), based on the most-reported cybersecurity gaps from the initial statewide risk assessment period between October 2022 and June 2023.
  • A Cybersecurity Incident Response Plan Template to help organizations think through and plan how to recover from a cyber incident.
  • A 154-question assessment that covers key cybersecurity desired outcomes and practices outlined in the NIST CSF 2.0 and the DHS RRA.

To learn more about the CIP program and how your organization can participate, please visit the program’s official webpage: https://cyberflorida.org/cip or contact the program lead, Bryan Langley at bjlangley@cyberflorida.org.

ABOUT CYBER FLORIDA
The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as Cyber Florida at USF, was established by the Florida Legislature in 2014. Its mission is to position Florida as a national leader in cybersecurity through comprehensive education, cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives aimed at inspiring and educating both current and future cybersecurity professionals, advancing industry research, and enhancing cybersecurity awareness and safety of individuals and organizations.


RedLine Stealer Malware Analysis

I. Targeted Entities

  • Opportunistic (any industry)

II. Introduction

RedLine Stealer is a malware family written in C# that harvests autocomplete data, such as saved credentials and financial information, from web browsers. It can also steal system information such as location, hardware configuration, and security software data.

III. Background Information

RedLine Stealer (RLS) is a popular piece of malware that operates on a malware-as-a-service (MaaS) model and is sold through underground forums for approximately $100 (Unnikrishnan). Cybercriminals use this software to gather a vast range of sensitive data from Gecko-based and Chromium-based web browsers. This data includes saved credentials, financial information, and cookies, which allow attackers to access various accounts ranging from social media to cryptocurrency wallets (Meskauskas).

Telemetry data, collected by CloudSEK, has picked up deployment of RLS via Regsvcs.exe on Windows systems. The content of the Regsvcs.exe process, in suspended state, is replaced by the loader using a process hollowing technique. This allows for the portable executable of RLS to be mapped into the Regsvcs.exe process, where thread contexts can be manipulated to point to RLS’s entry location. Once complete, RLS is able to masquerade as a legitimate process on the system (Unnikrishnan).

Fake software posing as legitimate software is often used to spread malware like RLS, and eSentire’s Threat Response Unit (eTRU) has observed such a case where RLS is being distributed via a fake version of AnyDesk (eSentire). The legitimate version of AnyDesk’s website was copied to a malicious website, where a victim would download an installer as an ISO image file that has been padded with junk data. This padding is done to bypass file size limitations imposed by sandboxes and antiviruses (eSentire). Once the victim runs the installer, several commands are executed to run obfuscated files that check for antivirus software, communicate with the attacker’s command-and-control servers, and read the victim’s data (eSentire).

RLS has several features beyond stealing saved passwords. Its primary targets are the user’s Desktop and Documents directories, where it looks for cryptocurrency data, such as crypto wallets, across more than 40 browser extensions. It also captures a screenshot of the desktop and collects Discord tokens and Steam user data. Beyond financial data, RLS can retrieve system information such as the username, processor and memory details, installed browsers and antivirus programs, and currently running processes (Unnikrishnan).

IV. Cyber Florida SOC Operations

After initial malware execution, Cyber Florida observed multiple executables dropped by a self-extracting RAR file. These executables, 123.exe and 321.exe, work together to create two vbc.exe child processes that carry out the malicious code. The vbc.exe process attempts communication with specific IP addresses and ports. In one of those communications, Cyber Florida observed what appeared to be the creation of “bebra.exe,” but a hex review of the file showed that it contained only the ASCII string “Hello.” It is suspected that this process attempts to establish some form of communication and then crashes by design; one hypothesis is that “bebra.exe” is a placeholder until the malware needs or wants actual binary content.

On review, vbc.exe appears to be a legitimate binary that was abused and injected into. Vbc.exe is the Visual Basic Compiler, shipped with the .NET Framework. Injecting into a known-good process may be a way for the malware to evade detection. The vbc.exe processes did have regions of memory with RWX (read, write, and execute) permissions; those regions contained binary content, which was extracted and analyzed. Cyber Florida uploaded both files to VirusTotal, and the following binary was already detected:

https://www.virustotal.com/gui/file/a82732b71779c41df6b105ffe98f385b53d6bd64d783d6cb3caac9be3270d783/details

However, the following was not seen on VirusTotal until Cyber Florida uploaded the file for review:

https://www.virustotal.com/gui/file/f179a2d8bc7ab6cd32a8c1f95988d77fb1381072ac92f099047f7395cae84115

Network Traffic

This communication was the first observed network connection from the victim system to a potential attacker-controlled system. The communication was to 65.21.213.208:3000. The TCP stream below shows a POST to the system with no real content; the server replies with a “Hello” response. Of interest, the “bebra.exe” file identified in the victim’s AppData/Roaming folder was not a binary of any sort and, when viewed in a hex editor, contained only the ASCII string “Hello.” Also of interest is that the Content-Type for “bebra.exe” was application/x-msdownload, which is associated with a binary file.
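As an added example (not code from the Cyber Florida analysis), the check below flags the inconsistency described in this paragraph: a response whose Content-Type announces a Windows executable but whose body carries no PE image. The HTTP response is constructed here to match the description, since the page does not reproduce the captured stream.

```python
"""Triage check for a declared-type/content mismatch: the server answered the POST
with Content-Type: application/x-msdownload (a Windows executable), yet the
"bebra.exe" it produced held only the ASCII string "Hello".

SAMPLE_RESPONSE is a constructed stand-in for the captured TCP stream."""
from pathlib import Path

# Constructed: what a response matching the description would look like on the wire.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/x-msdownload\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"Hello"
)

# Constructed: the smallest byte string that passes the PE header checks below.
MINIMAL_PE = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\0\0"

# Media types that announce a Windows executable and so should carry an MZ/PE image.
PE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def is_pe(data: bytes) -> bool:
    """True when data starts with the DOS 'MZ' header and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def content_type_mismatch(raw: bytes):
    """Return a finding when the declared media type promises a PE but the body is not one.

    Returns None for a consistent response (non-PE type, or a PE type with a real PE body)."""
    status, headers, body = split_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    if declared not in PE_CONTENT_TYPES or is_pe(body):
        return None
    return {
        "status": status,
        "declared": declared,
        "body_len": len(body),
        "body_preview": body[:16].decode("latin-1", "replace"),
        # A purely printable body (like "Hello") points to a placeholder or decoy, not a payload.
        "printable_only": all(32 <= b < 127 for b in body),
    }


def check_dropped_file(path: str) -> dict:
    """Apply the same PE check to a file on disk, e.g. the dropped AppData\\Roaming\\bebra.exe."""
    data = Path(path).read_bytes()
    return {
        "path": path,
        "size": len(data),
        "is_pe": is_pe(data),
        "preview": data[:16].decode("latin-1", "replace"),
    }


if __name__ == "__main__":
    finding = content_type_mismatch(SAMPLE_RESPONSE)
    print("mismatch" if finding else "consistent", finding)
```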

The following communication was the second observed network connection from the victim system to a potential attacker-controlled system. The traffic was to 51.89.207.166:47909. The observed traffic appeared to have no successful connections made. However, this IP and specified port have been identified as potentially malicious through other threat intelligence sources.

Similar Observations Seen From ArechClient2

In November 2022, the Cyber Florida SOC released a threat advisory on ArechClient2 and presented its analysis. During that analysis, a Base64 string was found that, once decoded, listed various Chrome extensions associated with crypto wallets. ArechClient2 and RedLine appear to share functionality such as stealing browser data (usernames, passwords, and related content such as crypto wallet information). When analyzing the current version of RedLine, a similar Base64 string was found. The Base64-encoded string decodes (via CyberChef) to the extension ID and wallet name pairs shown below, which further shows the similarity between the two malware families.


ffnbelfdoeiohenkjibnmadjiehjhajb|YoroiWallet
ibnejdfjmmkpcnlpebklmnkoeoihofec|Tronlink
jbdaocneiiinmjbjlgalhcelgbejmnid|NiftyWallet
nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask
afbcbjpbpfadlkmhmclhkeeodmamcflc|MathWallet
hnfanknocfeofbddgcijnmhnfnkdnaad|Coinbase
fhbohimaelbohpjbbldcngcnapndodjp|BinanceChain
odbfpeeihdkbihmopkbjmoonfanlbfcl|BraveWallet
hpglfhgfnhbgpjdenjgmdgoeiappafln|GuardaWallet
blnieiiffboillknjnepogjhkgnoapac|EqualWallet
cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi|BitAppWallet
kncchdigobghenbbaddojjnnaogfppfj|iWallet
amkmjjmmflddogmhpjloimipbofnfjih|Wombat
fhilaheimglignddkjgofkcbgekhenbh|AtomicWallet
nlbmnnijcnlegkjjpcfjclmcfggfefdm|MewCx
nanjmdknhkinifnkgdcggcfnhdaammmj|GuildWallet
nkddgncdjgjfcddamfgcmfnlhccnimig|SaturnWallet
fnjhmkhhmkbjkkabndcnnogagogbneec|RoninWallet
aiifbnbfobpmeekipheeijimdpnlpgpp|TerraStation
fnnegphlobjdpkhecapkijjdkgcjhkib|HarmonyWallet
aeachknmefphepccionboohckonoeemg|Coin98Wallet
cgeeodpfagjceefieflmdfphplkenlfk|TonCrystal
pdadjkfkgcafgbceimcpbkalnfnepbnk|KardiaChain
bfnaelmomeimhlpmgjnjophhpkkoljpa|Phantom
fhilaheimglignddkjgofkcbgekhenbh|Oxygen
mgffkfbidihjpoaomajlbgchddlicgpn|PaliWallet
aodkkagnadcbobfpggfnjeongemjbjca|BoltX
kpfopkelmapcoipemfendmdcghnegimn|LiqualityWallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf|XdefiWallet
lpfcbjknijpeeillifnkikgncikgfhdo|NamiWallet
dngmlblcodfobpdpecaadgfbcggfjfnm|MaiarDeFiWallet
ffnbelfdoeiohenkjibnmadjiehjhajb|YoroiWallet
ibnejdfjmmkpcnlpebklmnkoeoihofec|Tronlink
jbdaocneiiinmjbjlgalhcelgbejmnid|NiftyWallet
nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask
afbcbjpbpfadlkmhmclhkeeodmamcflc|MathWallet
hnfanknocfeofbddgcijnmhnfnkdnaad|Coinbase
fhbohimaelbohpjbbldcngcnapndodjp|BinanceChain
odbfpeeihdkbihmopkbjmoonfanlbfcl|BraveWallet
hpglfhgfnhbgpjdenjgmdgoeiappafln|GuardaWallet
blnieiiffboillknjnepogjhkgnoapac|EqualWallet
cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi|BitAppWallet
kncchdigobghenbbaddojjnnaogfppfj|iWallet
amkmjjmmflddogmhpjloimipbofnfjih|Wombat
fhilaheimglignddkjgofkcbgekhenbh|AtomicWallet
nlbmnnijcnlegkjjpcfjclmcfggfefdm|MewCx
nanjmdknhkinifnkgdcggcfnhdaammmj|GuildWallet
nkddgncdjgjfcddamfgcmfnlhccnimig|SaturnWallet
fnjhmkhhmkbjkkabndcnnogagogbneec|RoninWallet
aiifbnbfobpmeekipheeijimdpnlpgpp|TerraStation
fnnegphlobjdpkhecapkijjdkgcjhkib|HarmonyWallet
aeachknmefphepccionboohckonoeemg|Coin98Wallet
cgeeodpfagjceefieflmdfphplkenlfk|TonCrystal
pdadjkfkgcafgbceimcpbkalnfnepbnk|KardiaChain
bfnaelmomeimhlpmgjnjophhpkkoljpa|Phantom
fhilaheimglignddkjgofkcbgekhenbh|Oxygen
mgffkfbidihjpoaomajlbgchddlicgpn|PaliWallet
aodkkagnadcbobfpggfnjeongemjbjca|BoltX
kpfopkelmapcoipemfendmdcghnegimn|LiqualityWallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf|XdefiWallet
lpfcbjknijpeeillifnkikgncikgfhdo|NamiWallet
dngmlblcodfobpdpecaadgfbcggfjfnm|MaiarDeFiWallet
bhghoamapcdpbohphigoooaddinpkbai|Authenticator
ookjlbkiijinhpmnjffcofjonbfbgaoc|TempleWallet
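
The Base64 blob and the decoded `id|name` records above are the stealer's list of targeted browser wallet extensions. As an added example, not code from the original advisory or from the malware, the following Python decodes such a blob back into records, validates each ID as a Chromium extension ID (32 characters from a-p), collapses the repeated entries, flags IDs that the list maps to more than one name (fhilaheimglignddkjgofkcbgekhenbh is listed as both AtomicWallet and Oxygen), and checks a Chromium profile's Extensions directory for any of the targeted IDs. The sample input is a short excerpt of the decoded list, re-encoded here; the Chrome profile path in the `__main__` block is an assumption for a default Windows install.

```python
import base64
import binascii
import re
from collections import defaultdict
from pathlib import Path

# Chromium extension IDs are 32 characters drawn from a-p (the hex of the
# public-key hash re-mapped onto a-p).
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed sample: a handful of records copied from the decoded list
# above, including the repeated YoroiWallet entry and the ID the stealer's
# list maps to two names (AtomicWallet and Oxygen).
SAMPLE_LIST = "\n".join([
    "nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask",
    "fhilaheimglignddkjgofkcbgekhenbh|AtomicWallet",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa|Phantom",
    "fhilaheimglignddkjgofkcbgekhenbh|Oxygen",
    "ffnbelfdoeiohenkjibnmadjiehjhajb|YoroiWallet",
    "ffnbelfdoeiohenkjibnmadjiehjhajb|YoroiWallet",
    "bhghoamapcdpbohphigoooaddinpkbai|Authenticator",
])
# The same sample stored the way the stealer keeps it: Base64 over
# newline-separated "id|name" records.
SAMPLE_B64 = base64.b64encode(SAMPLE_LIST.encode()).decode()


def decode_b64_config(blob: str) -> str:
    """Decode a Base64 string copied out of a sample, tolerating the line
    wrapping and stripped padding that copy/paste from a tool leaves."""
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc


def parse_extension_list(text: str) -> dict:
    """Parse 'id|name' records into {extension_id: sorted list of names}.
    Exact duplicates collapse; an ID claimed by two names keeps both so the
    collision is visible to the analyst."""
    targets = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        ext_id, sep, name = line.partition("|")
        if not sep or not EXT_ID_RE.match(ext_id):
            raise ValueError(f"line {lineno}: malformed record {line!r}")
        targets[ext_id].add(name)
    return {ext_id: sorted(names) for ext_id, names in targets.items()}


def id_collisions(targets: dict) -> dict:
    """IDs the list maps to more than one wallet name."""
    return {k: v for k, v in targets.items() if len(v) > 1}


def installed_targets(extensions_dir: Path, targets: dict) -> list:
    """Host check: which targeted IDs are present under a Chromium profile's
    Extensions directory, where each installed extension is a subdirectory
    named by its ID. Returns sorted (id, names) pairs; [] if no such dir."""
    if not extensions_dir.is_dir():
        return []
    present = {p.name for p in extensions_dir.iterdir() if p.is_dir()}
    return sorted((i, targets[i]) for i in present & set(targets))


if __name__ == "__main__":
    decoded = parse_extension_list(decode_b64_config(SAMPLE_B64))
    print(f"{len(decoded)} unique extension IDs targeted")
    for ext_id, names in id_collisions(decoded).items():
        print(f"ID {ext_id} is listed under several names: {', '.join(names)}")
    # Assumed default Chrome profile path on Windows; adjust for your host.
    profile = Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions"
    for ext_id, names in installed_targets(profile, decoded):
        print(f"installed targeted extension: {ext_id} ({'/'.join(names)})")
```

Run it against the full decoded list to get the de-duplicated set of IDs for a host sweep; the directory check is read-only and works on any Chromium-based browser profile by pointing it at that browser's Extensions folder.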

Inject VBC 1 Process

The following shows the metadata of the binary injected into the first VBC process. Of note is the binary's compile timestamp, which is set to a future date. Static review of the content revealed less than dynamic analysis did; for example, attacker IP addresses and other key findings were not identified statically. The binary appears to be compiled .NET, so decompiling the injected binary to recover its source would be the next step for analysis.

The following string was extracted with Process Hacker while the malware was running. It shows the IP address and port of interest, together with the HTTP POST request observed in Wireshark. This activity also lines up with the Process Monitor (ProcMon) logs generated during the run.

Inject VBC 2 Process

The following shows the metadata of the binary injected into the second VBC process. Of note is that this binary carries no timestamp value at all. As with the first, static review of the content revealed less than dynamic analysis did; for example, attacker IP addresses and other key findings were not identified statically.
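
Both injected binaries are characterised above by their PE timestamp (a future date on the first, none on the second) and by being .NET. As an added example, not part of the original advisory, the following pure-stdlib Python reads those fields straight from the PE/COFF header of a dumped image, classifies the TimeDateStamp as zero, future or plausible relative to a reference time, and detects a managed assembly through the CLR runtime header slot of the data directory. It also carries the caveat a practitioner needs here: .NET compilers building deterministically (Roslyn's `/deterministic`, the default for modern .NET projects) write a content hash with the high bit set into TimeDateStamp, which decodes to a date after 2038, so a future stamp on a .NET image is not by itself evidence of tampering. The test image is constructed in code and is not a real sample.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

# Slot 14 of the optional header's data directory is the CLR runtime
# header; a non-empty entry marks a managed (.NET) image.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def pe_metadata(data: bytes, now: Optional[datetime] = None) -> dict:
    """Read the header fields an analyst checks first on a dumped image:
    TimeDateStamp (classified against `now`) and whether a CLR header is
    present. Works without pefile installed."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, stamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:      # PE32
        fmt, rva_count_off, dir_off = "PE32", opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+
        fmt, rva_count_off, dir_off = "PE32+", opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (rva_count,) = struct.unpack_from("<I", data, rva_count_off)
    is_dotnet = False
    if rva_count > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
        is_dotnet = clr_rva != 0 and clr_size != 0

    now = now or datetime.now(timezone.utc)
    if stamp == 0:
        stamp_class, stamp_utc = "zero", None
    else:
        stamp_utc = datetime.fromtimestamp(stamp, tz=timezone.utc)
        stamp_class = "future" if stamp_utc > now else "plausible"
    return {
        "format": fmt,
        "machine": machine,
        "timestamp": stamp,
        "timestamp_utc": stamp_utc.isoformat() if stamp_utc else None,
        "timestamp_class": stamp_class,
        # Roslyn deterministic builds store a content hash here with the
        # high bit set, so "future" + hash_like_stamp on a .NET image is
        # the expected build artefact, not a forged date.
        "hash_like_stamp": bool(stamp & 0x80000000),
        "is_dotnet": is_dotnet,
    }


def build_minimal_pe(timestamp: int, dotnet: bool) -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header and a
    PE32 optional header with 16 data directories. Not a real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * 14, 0x2008, 0x48)  # CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for ts, managed in ((0x9A000000, True), (0, True), (1600000000, False)):
        print(pe_metadata(build_minimal_pe(ts, managed)))
```

To use it on the dumped vbc.exe images, read the `.bin` file into `data` and pass the analysis date as `now` so the classification is reproducible later.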

The following screenshots were taken from Process Hacker while the malware was running. The IP address and port of interest appear both as plaintext strings and Base64-encoded.
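
The two Process Hacker observations above (the C2 address and port visible as a string, and again Base64-encoded) are what a string sweep over a process memory dump should surface automatically. As an added example, not code from the original advisory, the following Python does that sweep: it extracts printable ASCII runs and, because .NET string literals are stored as UTF-16LE in the assembly's #US heap and are missed by a plain ASCII `strings` pass, UTF-16LE runs as well; it then tries each run as Base64 and reports every ip:port found, recording whether it was seen in clear or only after decoding. The memory fragment is constructed, and 203.0.113.10:8080 is an RFC 5737 documentation address standing in for the real endpoint, not an IOC from this analysis.

```python
import base64
import binascii
import re
from collections import defaultdict
from typing import Optional

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# .NET string literals live in the #US heap as UTF-16LE: printable byte, NUL.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
IP_PORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")

# Constructed memory-dump fragment. The address is an RFC 5737
# documentation address used as a placeholder, not an IOC from this analysis.
PLACEHOLDER_C2 = "203.0.113.10:8080"
SAMPLE_DUMP = (
    b"\x00" * 8
    + PLACEHOLDER_C2.encode("utf-16le") + b"\x00\x00"          # managed string literal
    + b"Content-Type: application/x-www-form-urlencoded\x00"   # POST header text
    + base64.b64encode(PLACEHOLDER_C2.encode()) + b"\x00"      # same endpoint, Base64
    + b"\xde\xad\xbe\xef"
)


def extract_strings(blob: bytes):
    """Yield printable ASCII and UTF-16LE runs of at least four characters."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16le")


def try_base64(token: str) -> Optional[str]:
    """Decode a token if it is well-formed Base64 that yields printable ASCII."""
    if not B64_TOKEN.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def _valid_endpoint(ip: str, port: str) -> bool:
    return all(int(o) <= 255 for o in ip.split(".")) and 0 < int(port) < 65536


def find_endpoints(blob: bytes) -> dict:
    """Map each ip:port found in the blob to its evidence: 'plain' for a
    cleartext string, 'base64:<token>' when it was recovered by decoding."""
    hits = defaultdict(set)
    for s in extract_strings(blob):
        for ip, port in IP_PORT.findall(s):
            if _valid_endpoint(ip, port):
                hits[f"{ip}:{port}"].add("plain")
        decoded = try_base64(s)
        if decoded:
            for ip, port in IP_PORT.findall(decoded):
                if _valid_endpoint(ip, port):
                    hits[f"{ip}:{port}"].add(f"base64:{s}")
    return {ep: sorted(ev) for ep, ev in hits.items()}


if __name__ == "__main__":
    for endpoint, evidence in find_endpoints(SAMPLE_DUMP).items():
        print(endpoint, "<-", ", ".join(evidence))
```

Point `find_endpoints` at a full process dump (for example one written by Process Hacker or ProcDump) rather than the on-disk binary; as the analysis notes, the endpoint was only recoverable at runtime.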

Overall Order of VBC Activity

The following is a brief, non-exhaustive, high-level order of the malicious activity carried out through vbc.exe, taken from the ProcMon logs.
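
Ordering vbc.exe activity from ProcMon by hand is error-prone on a capture with tens of thousands of rows. As an added example, not part of the original advisory, the following Python reads a Process Monitor CSV export (its default columns: Time of Day, Process Name, PID, Operation, Path, Result, Detail), keeps everything vbc.exe did plus the Process Create event that launched it so the parent stays visible, buckets each operation into registry, file, network or process activity, and pulls out the remote endpoints, which map onto the registry, local-data and C2 techniques listed in the next section. The log lines are constructed: stage1.exe is a placeholder for whichever sample spawned vbc.exe, the PIDs and user paths are illustrative, and 203.0.113.10 is an RFC 5737 documentation address, not an IOC from this analysis. Note that vbc.exe under Microsoft.NET\Framework is the legitimate Visual Basic compiler, which is why a compiler process reading browser data and opening TCP connections stands out in the timeline.

```python
import csv
import io
from collections import Counter

# Constructed Process Monitor CSV export with ProcMon's default columns.
# stage1.exe, the PIDs, the user path and the 203.0.113.10 address
# (RFC 5737 documentation range) are placeholders, not IOCs.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:32:15.1000000 AM","stage1.exe","4120","Process Create","C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe","SUCCESS","PID: 4388, Command line: vbc.exe"
"10:32:15.2000000 AM","vbc.exe","4388","Load Image","C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll","SUCCESS","Image Base: 0x72a40000, Image Size: 0x6f8000"
"10:32:16.0000000 AM","vbc.exe","4388","RegOpenKey","HKLM\SOFTWARE\Microsoft\Cryptography","SUCCESS","Desired Access: Read"
"10:32:16.0100000 AM","vbc.exe","4388","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid","SUCCESS","Type: REG_SZ, Length: 74"
"10:32:16.5000000 AM","vbc.exe","4388","CreateFile","C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data","SUCCESS","Desired Access: Generic Read"
"10:32:16.5100000 AM","vbc.exe","4388","ReadFile","C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data","SUCCESS","Offset: 0, Length: 4,096"
"10:32:17.0000000 AM","vbc.exe","4388","TCP Connect","victim-pc:49712 -> 203.0.113.10:8080","SUCCESS","Length: 0, mss: 1460"
"10:32:17.1000000 AM","vbc.exe","4388","TCP Send","victim-pc:49712 -> 203.0.113.10:8080","SUCCESS","Length: 1,312"
"10:32:17.2000000 AM","explorer.exe","1544","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced","SUCCESS","Type: REG_DWORD"
'''


def categorize(operation: str) -> str:
    """Bucket a ProcMon operation name into the classes used for the timeline."""
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if operation.startswith(("Process", "Thread")) or operation == "Load Image":
        return "process"
    return "file"


def vbc_timeline(csv_text: str, process: str = "vbc.exe") -> list:
    """Events attributable to `process`, in capture order: everything the
    process did itself plus the Process Create that launched it, so the
    parent that spawned it heads the timeline."""
    target = process.lower()
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        own = row["Process Name"].lower() == target
        launched = (row["Operation"] == "Process Create"
                    and row["Path"].lower().endswith("\\" + target))
        if own or launched:
            events.append({
                "time": row["Time of Day"],
                "process": row["Process Name"],
                "pid": int(row["PID"]),
                "operation": row["Operation"],
                "category": categorize(row["Operation"]),
                "path": row["Path"],
                "result": row["Result"],
            })
    return events


def remote_endpoints(events: list) -> list:
    """Remote side of each network operation; ProcMon writes the Path of
    network events as 'local:port -> remote:port'."""
    remotes = {e["path"].split(" -> ", 1)[1]
               for e in events if e["category"] == "network" and " -> " in e["path"]}
    return sorted(remotes)


def summarize(events: list) -> dict:
    """Count of events per category, for a quick read of what the process did."""
    return dict(Counter(e["category"] for e in events))


if __name__ == "__main__":
    timeline = vbc_timeline(SAMPLE_PROCMON_CSV)
    for i, e in enumerate(timeline, 1):
        print(f"{i:2d} {e['time']} {e['process']}({e['pid']}) "
              f"[{e['category']}] {e['operation']} {e['path']}")
    print("categories:", summarize(timeline))
    print("remote endpoints:", remote_endpoints(timeline))
```

Export the capture with File > Save as CSV in ProcMon and pass the file contents to `vbc_timeline`; the filter runs on the whole log, so no ProcMon-side filter is needed.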

V. MITRE ATT&CK

  • T1005 – Data from Local System
    Adversaries may search local system sources, such as file systems, configuration files, or local databases, to find files of interest and sensitive data prior to exfiltration. Adversaries may do this using a command and scripting interpreter, such as cmd, as well as a network device CLI, which have functionality to interact with the file system to gather information. Adversaries may also use automated collection on the local system.
  • T1012 – Query Registry
    Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security. Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
  • T1552.001 – Unsecured Credentials: Credentials in Files
    Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
  • T1082 – System Information Discovery
    An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
  • T1055 – Process Injection
    Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
  • T1095 – Non-Application Layer Protocol
    Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.
  • T1059 – Command and Scripting Interpreter
    Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of Unix shell, while Windows installations include the Windows Command Shell and PowerShell.

VI. Recommendations

  • Phishing awareness training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set antivirus programs to conduct regular scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong cyber hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on endpoint protection
    Enable the endpoint detection and response (EDR) capabilities of the endpoint product you are using, so that unknown malware is blocked rather than only logged.
  • Network Monitoring
    Review network logs, payloads, etc. for the IP addresses and associated network parameters identified in this analysis.

VII. Indicators of Compromise (IOCs)

VIII. Additional OSINT Information

4efdf3a4c19a94b2e58f5212124cb161.exe
Note: the initial executable may have a different file name.

123.exe
https://www.virustotal.com/gui/file/d3b64baa18214715f544c836b59e2ca839e8695f93706476033a1e8c56dd7287

321.exe
https://www.virustotal.com/gui/file/aadbf6b7fd77075e6355a209c4cbd8b1049f21eb69f503203bd6fd7a7a085dc6

Vbc.exe.bin (first injected process)
https://www.virustotal.com/gui/file/a82732b71779c41df6b105ffe98f385b53d6bd64d783d6cb3caac9be3270d783

Vbc.exe2.bin (second injected process)
https://www.virustotal.com/gui/file/f179a2d8bc7ab6cd32a8c1f95988d77fb1381072ac92f099047f7395cae84115

IX. References

eSentire. (n.d.). eSentire Threat Intelligence Malware Analysis: RedLine Stealer. Retrieved February 10, 2023, from https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-redline-stealer

Meskauskas, T. (2023, February 1). RedLine Stealer malware: Malware removal instructions (updated). PCrisk. Retrieved February 10, 2023, from https://www.pcrisk.com/removal-guides/17280-redlinestealer-malware

Unnikrishnan, A. (2023, January 26). Technical analysis of the RedLine Stealer. CloudSEK. Retrieved February 10, 2023, from https://cloudsek.com/blog/technical-analysis-of-the-redline-stealer

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Sreten Dedic, EJ Bulut

To learn more about Cyber Florida visit: www.cyberflorida.org

RedLine Stealer Malware Analysis (2024-07-11T11:30:59-04:00)

USF 2023 Cyber Summer Camps Open for Registration

Registration for the 2023 University of South Florida cyber summer camps is now open!

If you’re looking for a fun and educational way to keep your K-12 student occupied this summer, check out the list of USF cyber camps available for elementary, middle, and high schoolers. These camps will provide a variety of immersive, hands-on activities to help students gain cyber skills and learn about the potential of a career in cybersecurity.

USF 2023 Cyber Summer Camps Open for Registration (2023-04-05T17:27:00-04:00)