In the ever-evolving landscape of cybersecurity threats, one name has increasingly become synonymous with stealth and precision: RedLine Stealer. This malicious software, often referred to as a Trojan, is designed to infiltrate systems, silently siphoning off valuable data while remaining largely undetected by its victims. In this blog, we’ll delve into what RedLine Stealer is, how it operates, and what you can do to protect yourself from this insidious threat.
How Does RedLine Stealer Work?
RedLine Stealer typically enters a system through phishing emails, malicious websites, or bundled software downloads. Once installed, it quickly gets to work, scouring the system for valuable information. Here’s a closer look at what it targets:
- Login Credentials: RedLine can harvest usernames and passwords stored in web browsers, FTP clients, and other software.
- Autofill Data: Information like addresses, phone numbers, and credit card details saved in browser autofill forms are also at risk.
- Cryptocurrency Wallets: The Stealer targets cryptocurrency wallets, potentially stealing private keys or wallet credentials.
- System Information: It gathers detailed information about the infected system, including the operating system, hardware specifications, installed software, and even security measures.
- Files and Documents: RedLine can search for specific file types, such as documents or spreadsheets, and exfiltrate them to the attacker.
Static And Dynamics Analysis
File Properties:
Hash:
MD5 12d8e993204cd8a39b7b5938ea6369eb
SHA256: 11c350a41232b6adfe9634d8d9e2afacac1e5e06bd20ee1fbc480a3987b83ab03
File Type: Win32 exe
PEiD packer: .NET executable
File size: 2.75 MB
I have downloaded this sample from Any.run. The link is given to download the sample at the end of article.
Infection Process
The downloaded executable once executed, it will exit immediately and the new process starts as MSBuild.exe’. Malicious code is injected into it.
The sample I have downloaded is obfuscated using Intellilock software.
To deobfuscate the code I have used pe-sieve tool. Its really easy and helpful. To perform this, we need to run executable file and run >pe-sieve /pid <pid> command like below.
This will create the folder name PID and will copy the exe file.
I am using dnSpyEx for debugging the executable file 400000.MSBuild.exe. The assembly name of this file is “Forgiving.exe”
Built in configuration
After deobfuscation of code, below are all the modules used in code.
IP address in config file is C2 server IP. Key is used for decoding the data. This is has been initialised in class Arguments. Its in Base64 format.
While debugging executable, can see the IP address of C2 server is 185.215.113.25 and port 13686
The IP address lookup shows it is from Baie Lazare, Seychelles.
RedLine stealer check regions it is executing in, if the victim is located in one of Commonwealth of Independent States, it exits execution.
Once confirmed the victim is located our of CIS country, its starts collecting all different kind data from victims machine and send to C2 server.
Browser data
It looks for different browsers whether installed on machine and starts collecting browser login data, cookies and browser history.
Browser List:
- Google Chrome
- Microsoft Edge
- Opera
- Maple Studio, Chrome Plus
- Iridium
- 7Star
- CentBrowser
- Chedot
- Vivaldi
- Kometa
- Elements Browser
- Epic Privacy Browser
- Uran
- Sleipnir
- Citrio
- Coowon
- liebao
- QIP Surf
- Orbitum
- Comodo
- Amigo
- Torch
- Yandex
- 360 Browser
- Maxthon
- k-melon
- Sputnik
- Nichrome
- CocCoc
- Chromodo
- Atom
- Brave browser
- Ghost Browser
- Baidu Browser
- CryptoTab Browser
- Lulumi Browser
- Mozilla
- QQBrowser
- WaterFox
- Ghostery Browser
- Netscape
- Flashpeak
Crypto Wallets
Stealer looks for different wallets installed on victims machine.
- Armory
- Atomic
- Binance
- Coinomi
- Electrum
- Etherium
- Exodus
- Garuda
- com.liberty.jaxx
- Monero
File Collector
It search for different files with extensions on Desktop, Documents folders and upload to C2.
File Types:
- .txt
- .doc
- .key
- seed
- wallet
Screen Capture
RedLine stealer captures user screen resolution and takes screenshots and send to C2 server.
System Information
It also collects information from the compromised system.
- Username
- hostname
- Input language and date time
- Installed antivirus program
- Running process
- OS version
- Monitor size
Download and Execute payload
Redline stealer has classes DownloadUpdate and DownloadAndExecuteUpdate. DownloadUpdate download data using webclient and DownloadAndExecuteUpdate download data using webclient and execute it.
Discord & Telegram
It looks for Discord data and telegram data on victims machine.
NordVPN OpenVPN and ProtonVPN
It looks for configuration files of all three VPN applications.
Filezilla FTP Application
Stealer look for sitemanager.xml file which stores username and password and recentservers.xml which stores information about which FTM servers you have connected to. If its available on victims machines, it will extract and send to C2.
Antivirus
Stealer collect the information about installed anti malware program installed on machine and send it to C2.
Redline stealer use http[:]//tempuri[.]org/Entity/Id[1-24] to communicate to C2 server. When access this URL in browser it redirects to bing.com
VirusTotal score for this RedLine stealer is 60/75
Indicators of Compromise
Hashes:
- 12d8e993204cd8a39b7b5938ea6369eb
- 11c350a41232b6adfe9634d8d9e2afacac1e5e06bd20ee1fbc480a3987b83ab03
IP Address:
- 185.215.113.25
- 23.45.12.19
- 217.65.2.14
Protecting Against RedLine Stealer
Given the sophisticated nature of the RedLine Stealer, it’s essential to adopt robust security measures to protect yourself and your organization. Here are some key steps to consider:
Use Up-to-Date Security Software: Ensure that your antivirus and anti-malware software are regularly updated to detect and block the latest threats.
Be Cautious with Emails: Avoid opening attachments or clicking on links in emails from unknown or suspicious sources. Always verify the sender’s identity before taking any action.
Avoid Downloading Software from Untrusted Sources: Only download software from reputable websites or official app stores. Be cautious of freeware or shareware sites, which may bundle malicious software with legitimate applications.
Regularly Update Your Systems: Keep your operating system, software, and applications up to date with the latest security patches to close vulnerabilities that could be exploited by Trojans like RedLine.
Use Strong, Unique Passwords: Utilize strong, unique passwords for different accounts, and consider using a password manager to store them securely.
Enable Two-Factor Authentication (2FA): Wherever possible, enable 2FA for your online accounts to add an extra layer of security, even if your credentials are compromised.
References:
