Summary: On October 28, 2024, a coordinated international law enforcement operation, Operation Magnus, successfully dismantled the RedLine Stealer malware-as-a-service (MaaS) operation and its clone, META Stealer, leading to the seizure of servers and arrests. This operation follows prior disruptions and investigations into the malware’s infrastructure, revealing insights into its inner workings and the shared origins of both malware families.
Threat Actor: RedLine Operators | RedLine Operators
Victim: Various entities | Various entities
Key Point :
- Operation Magnus resulted in the takedown of RedLine Stealer’s infrastructure and the arrest of key individuals involved in its operation.
- ESET’s research uncovered over 1,000 unique IP addresses used for RedLine control panels and highlighted the shared codebase between RedLine and META Stealer.
- RedLine Stealer operates on a MaaS model, allowing affiliates to easily deploy infostealing campaigns with customizable malware samples.
- Despite the takedown, remnants of RedLine’s operations may continue due to existing panels and cracked versions still in circulation.
- Collaboration between cybersecurity researchers and law enforcement has been crucial in understanding and disrupting the RedLine malware ecosystem.
On October 28th, 2024, the Dutch National police, alongside the FBI, Eurojust, and several other law enforcement organizations, performed a takedown of the infamous RedLine Stealer malware-as-a-service (MaaS) operation, and its clone called META Stealer. This global effort, named Operation Magnus, resulted in the takedown of three servers in the Netherlands, the seizure of two domains, two people being taken into custody in Belgium, and the unsealing of charges against one of the alleged perpetrators in the United States.
Back in April 2023, ESET participated in a partial disruption operation of the RedLine malware, which consisted of the removal of several GitHub repositories used as dead-drop resolvers for the malware’s control panel. Around that time, we investigated previously undocumented backend modules of this malware family in collaboration with fellow researchers at Flare. These modules don’t interact directly with the malware, but rather handle authentication and provide functionality for the control panel.
Since RedLine has now been taken down, we are revealing our findings from 2023 publicly, along with some more recent discoveries that were made based on source code and samples shared with us by the Dutch National Police.
Note that even with the takedown, RedLine may continue working to some degree for a time: panels that were already running would still be able to receive data, even if unable to build new samples or reconnect after logging out. Moreover, there are also old, cracked copies of the malware that might still work. Because of these factors, we are describing the RedLine operation as if it is an ongoing activity.
Key points of the blogpost:
- In 2023, ESET researchers, in collaboration with law enforcement, collected multiple modules used to run the infrastructure behind RedLine Stealer.
- We analyzed these previously undocumented modules to provide insight into the internal workings of this malware-as-a-service empire.
- We were able to identify over 1,000 unique IP addresses used to host RedLine control panels.
- The 2023 versions of RedLine Stealer we investigated in detail used the Windows Communication Framework for communication between the components, while the latest version from 2024 uses a REST API.
- Based on our analysis of the source code and backend samples, we have determined that Redline Stealer and META Stealer share the same creator.
RedLine Stealer is information stealing malware first discovered in 2020 by Proofpoint. Rather than being centrally operated, RedLine operates on a MaaS model in which anyone can buy a turnkey infostealer solution from various online forums and Telegram channels. Clients, called affiliates, can opt for a monthly subscription, or a lifetime license; in exchange for their money, they get a control panel that generates malware samples and acts as a C&C server for them. The generated samples can collect a large variety of information, including local cryptocurrency wallets; cookies, saved credentials, and saved credit card details from browsers; and saved data from Steam, Discord, Telegram, and various desktop VPN applications.
Using a ready-made solution makes it easier for the affiliates to integrate RedLine Stealer into larger campaigns. Some notable examples include posing as free downloads of ChatGPT in 2023, and masquerading as video game cheats in the first half of 2024.
Note on terminology used
Because of its MaaS model, any comprehensive discussion of RedLine will involve multiple different components and layers of network infrastructure. To limit any possible confusion, we will use the following terms consistently throughout the text:
- RedLine malware: The RedLine Stealer malware or a sample thereof.
- RedLine panel: GUI control panel used to manage infostealing campaigns.
- RedLine backend: Collection of modules that provide authentication and functionality for the RedLine panel.
- RedLine: The whole malware operation. This includes the RedLine malware, the RedLine panel, and the RedLine backend modules.
- Backend server: A server on which the RedLine backend runs.
- Victim: Entity targeted with the RedLine malware.
- Operator: The individual or team that develops RedLine, sells licenses, and operates the licensing and associated backend infrastructure.
- Affiliate: Entity that operates infostealing campaigns via an instance of the RedLine panel. They usually have a license bought from the operator, but may also use a cracked version of the panel.
Overview
In this blogpost we document modules running on RedLine’s backend servers to provide a greater understanding of the inner workings of this MaaS empire. We also provide some information on the RedLine panel. Figure 1 contains a simplified overview of the whole RedLine operation.
Ordinarily, known samples of RedLine panel distributed to affiliates are heavily packed and virtualized after the first layer of obfuscation is applied. But as we were looking through our telemetry for activity related to RedLine Stealer and its panel, we came across an old version of the RedLine panel that was only obfuscated with .NET Reactor, making it much easier to analyze.
RedLine’s toolset
All the components of RedLine, from the malware itself to the backend authentication server, are written in C# with the .NET framework. The versions we analyzed used the Windows Communication Foundation (WCF) framework to communicate with each other. This framework allows one to define an API using contracts, which are statements applied to classes and interfaces to specify how objects and actions are translated between their representation in the code and the network communications. Thus, programs that interact using this framework must share definitions of these data structures or classes. These shared models proved useful in our analysis of the obfuscated components.
Note that the latest 2024 RedLine version uses a REST API instead of WCF to communicate with the backend.
RedLine panel
This control panel is what affiliates can buy on forums and Telegram channels. Licenses sell for US$150 per month or US$900 for a lifetime license. In exchange for the money, the affiliates get a GUI through which they manage their campaigns, with features to configure what information to collect, create malware samples, view and manage collected information, and integrate with a Telegram bot to sell stolen information.
The 2023 versions of the panel we investigated were heavily obfuscated using DNGuard, a well-known .NET obfuscator, and BoxedApp, a commercial packer and virtualization library. Luckily for us, RedLine used the WCF framework so the panel had to share some classes and interfaces with other components. By analyzing these shared elements from the malware and backend components, which are less protected, we were able to understand a lot of the panel’s functionality despite the protections.
All RedLine panels from 2023 were signed with certificates issued to AMCERT,LLC by Sectigo, which have since been revoked after we reported them. AMCERT,LLC corresponds to a company registered in Armenia that doesn’t seem to have an online presence – quite unusual for a purported software developer.
Authentication
In order to use a RedLine panel, affiliates must first authenticate. Figure 2 shows the login prompt.
The RedLine panels we analyzed use GitHub repositories, like the one in Figure 3, as dead-drop resolvers for their authentication servers. The address of this repository is hardcoded in the panel, but it is not the same for all versions of the panel. Finding and removing several of these repositories in cooperation with GitHub is what enabled us to temporarily disrupt RedLine operations in April 2023. While the removal did not affect the malware’s backend, it forced the operators to distribute new versions of the panels. For a short while after the disruption, they moved the dead-drop resolvers to Pastebin, before choosing to use their own domains in May 2023, as described in our joint talk with Flare at Sleuthcon 2023. In the latest version of the RedLine panel, the threat actors abandoned the dead-drop resolvers completely and simply used a hardcoded URL https://fivto[.]online/secure-api/. More information on the dead-drop resolvers can be found in the Network infrastructure section.
By running the backend server components in a virtual network, we managed to create affiliate accounts and authenticate with our own instance without having to buy a subscription.
The first screen shown to affiliates upon logging in, seen in Figure 4, is filled with ads. While we do not know the exact nature of the ads served by the real authentication servers, we were able to create some in our own instance of the backend server for demonstration purposes. The backend server doesn’t host the actual images present in those ads, only their URLs.
The Black Lists tab allows affiliates to ignore incoming data by country, IP address, Build ID, or HWID (a unique ID computed from a victim machine’s domain name, username, and serial number). Regardless of the exclusions selected here, samples of RedLine Stealer all contain code to prevent execution if the locale is set to one of the following countries: Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Ukraine, and Russia.
The Telegram tab, shown in Figure 5, allows affiliates to configure a Telegram bot to post stolen data to specific chats or channels. The affiliate must provide a valid API token for the bot, and then can select which entries will be shared based on the country, Build ID, OS version, and domains found in cookies or saved logins. The bot can also be configured to share the full logs or only specific information as defined in the Message Format field, and to share statistics with the selected recipients (see Figure 6).
Creating malware samples in the front end
The Builder tab, shown in Figure 7, allows affiliates to create new RedLine Stealer samples by providing a RedLine panel server address, a Build ID, an error message to display, and an image to be used as the icon for the created sample. These last two are optional, with the image serving as the icon of the software RedLine is impersonating, while the error message can be used to mislead the victim as to why the expected application wasn’t started.
The Build ID is used as a campaign identifier and is sent by the samples along with stolen information. While some previously leaked versions of the RedLine panel included an executable to create builds locally, in newer versions this is performed by the backend server. This change makes any leaked or cracked RedLine panel much less useful since affiliates won’t have the ability to create samples to use with it. We describe the build process in the RedLine.Nodes.LoadBalancer section.
RedLine backend
The RedLine backend we analyzed in 2023 consists of two modules. The first one, named RedLine.Nodes.DbController, manages affiliate and advertisement data. Despite its name, this module doesn’t use a traditional database, but rather stores records as Protobuf-encoded objects in individual files, with a specific subdirectory for each type of data. The second module, named RedLine.Nodes.LoadBalancer, functions as the server and provides most of the functionality used by the RedLine panel.
We also found a module called RedLine.MainServer, which is probably the ancestor of RedLine.Nodes.DbController and RedLine.Nodes.LoadBalancer. In later versions, it was split off as a separate module that handles user and advertisement data.
In the 2024 version of the backend, DbController and LoadBalancer have been replaced by a single module named Nodes.Api.
RedLine.Nodes.DbController
In DbController, affiliate data is represented by a class named ClientData, detailed in Table 1.
Table 1. Description of ClientData properties
Attribute | Description |
ID | Unique numeric ID. |
Login | Username. |
Password | Password. |
RegistrationDate | Timestamp of the affiliate account’s creation. |
Activated | Whether the affiliate has bought a license. |
LastActive | Timestamp of the affiliate’s last activity. |
LastIP | IP from which the affiliate’s last activity occurred. Used together with LastActive to prevent authentication if the affiliate’s account was active from another IP address in the last five minutes. We believe this is to prevent account sharing. |
Premium | Unused in the modules we analyzed. |
ActivateUntil | Expiration timestamp of the affiliate’s license. |
BuildKey | Unique string used to identify samples created by the affiliate. |
This is mostly straightforward but presents a few interesting quirks, mainly the way passwords and lifetime licenses are handled.
Looking at the code used to authenticate affiliates (shown in Figure 8) makes it obvious that passwords are stored in cleartext. The submitted password is compared directly to the stored one without any hashing function being involved.
Figure 9 shows that a lifetime license, which affiliates can buy for US$900, is represented by setting the expiration date of a given license to any date after 2025. This is alternatively referred to as a Pro License elsewhere in the code.
RedLine.Nodes.LoadBalancer
As seen in Figure 10, the LoadBalancer module listens on port 8778. This screenshot also shows the handlers defined in the MainPanelService WCF contract. The handlers that are related to affiliate and advertisement data – namely OnSignInInternal, OnConnect, OnCheckExpire, and OnGetPartners – delegate requests to the corresponding handler of DbController. The OnCheckConnect handler is used by the Redline panel to check whether its C&C server is reachable from the exterior. The rest of the handlers all relate to the creation of malware samples.
Sample creation in Redline backend
Since it was first documented in 2020, RedLine Stealer has been rewritten to use the WCF framework, and later a REST API, for network communication. As seen in Figure 11, the internal name for these rewritten versions appears to be RedLine.Reburn.
To create samples of the RedLine Stealer malware, the OnCreateLastBuild handler shown in Figure 10 uses the CreateBuild method from the custom VSBuilder class. When a CreateBuild request is received, the cleartext password for the affiliate’s account is logged to the console. This shows a casual disregard for well-known security practices.
If in the request no port is specified for the C&C server, the builder defaults to port 6677. When building a sample, the code in Figure 12 is used to derive a token from the campaign’s Build ID and the affiliate account’s Build Key. We believe this corresponds to the value of the ns1.Authorization header used in communication between the samples and panel. This header seems to be used by the panel to filter out connections from samples not created by the current account.
The VSBuilder.CreateBuild method uses a local C# solution to create samples. Some of the source files are read into memory to replace specific values before being written back to disk. While we were unable to collect the project’s files, the decompiler output for this method along with that of a RedLine Stealer sample provide enough context to understand that the modified values are:
- C&C address (encrypted),
- Build ID (encrypted),
- fake error message (encrypted),
- decryption key,
- flag to indicate whether to send stolen information in parts or all at once,
- authentication token, and
- assembly name.
Once these values are replaced, Visual Studio is invoked to build the project.
If the affiliate has selected the corresponding option, and has a lifetime license, the compiled executable is obfuscated with the commercially available Babel Obfuscator. In the 2024 version, obfuscation is implemented for all users and is done via .NET Reactor instead.
Finally, a self-signed certificate is generated with the code from Figure 13, and used to sign the executable. The fields of its Distinguished Name (DN) are filled with random dictionary words. The certificates generated this way use the hardcoded password 123321 and have a validity period extending from seven days before their generation to 10 years after.
The LoadBalancer module also provided an OnCreateClipper handler. As the name suggests, this was used to generate clipboard hijacking malware; in this case, it was used to hijack cryptocurrency transactions by replacing wallet addresses in the clipboard with those of attacker-controlled wallets. This functionality has been removed in the latest versions of the Redline backend.
Interestingly, the Builder class also contained dead code to generate a malware sample from a stub executable. We believe this was a leftover from the method used to generate previous versions of RedLine Stealer. The latest version of the Redline backend does not contain the code anymore.
Another handler, named OnSignFile, allows affiliates with lifetime licenses to sign arbitrary files with a certificate located on the backend server. We were unable to collect this certificate, but have reason to believe that it may be the same certificate used to sign RedLine panels, since it has also been used to sign a large number of RedLine Stealer and other malware samples. Another likely candidate is the certificate with the thumbprint 28F9A8E7601F5338BF6E194151A718608C0124A8, issued to Hangil IT Co., Ltd. This, likely stolen, certificate has been used to sign many RedLine Stealer samples and other malicious files. It has already been revoked.
RedLine.MainServer
The RedLine.MainServer module combines some of the functionality of the two previous modules with a GUI that allows the admin to easily manage affiliate accounts and advertisement data. Despite this added functionality, multiple factors indicate that this version of MainServer is probably an ancestor of LoadBalancer and DbController rather than a successor:
- MainServer samples are compiled with an older version of the .NET framework (4.6.2 vs 4.8).
- The assembly’s copyright year is 2020 instead of 2021.
- Some MainServer samples do not contain functionality for advertisements.
- The main WCF service’s contract (MainPanelService) does not include the IsAlive handler that is present in the same class as LoadBalancer. This handler is used by all the most recent RedLine panels we have analyzed.
Note that in later versions of the RedLine backend, the GUI administration panel has been split off into its own module also named MainServer.
The examined version of the GUI gave us interesting insight into RedLine management. It provides a form to create and edit affiliate account data, as shown in Figure 14. The fields correspond to the ClientData class described previously.
A similar form, in Figure 15, exists to manage advertisements.
Finally, the rudimentary dashboard in Figure 16 gives the operator an overview of license sales.
Nodes.Api
Analysis of samples shared by Dutch law enforcement shows that in the latest RedLine versions, the functionalities of the LoadBalancer and DbController modules have been combined into a new one named Nodes.Api. This backend module is packaged as a single-file .NET application and uses the WebApplication class from ASP.NET to provide the REST API used by the panels. As seen in Figure 17, the module handles requests sent to both RedLine (fivto[.]online) and META (spasshik[.]xyz) servers, showing that the two infostealers share the same operators.
Table 2 lists the endpoints exposed by the REST API along with the corresponding WCF handler from previous versions.
Table 2. RedLine endpoints
Endpoint | Corresponding WCF Handler | Description |
/api/test | N/A | Probably used to test connectivity. This simply returns the value OK. |
/secure-api/sign-in | OnSignInInternal | Handles logins from the panel. |
/secure-api/getBanners | OnGetPartners | Returns the ads to be displayed in the panel. |
/secure-api/createFile | OnCreateLastBuild | Creates an instance of the stealer malware. |
/secure-api/checkConnect | OnCheckConnect | Pings the specified address and port to check whether it is externally reachable. |
/secure-api/updateDb | N/A | Makes the backend reload affiliate data. This is only done if the request comes from a loopback address. |
/edk92hd/createRandom | N/A | Creates a new affiliate entry with a random username and password. |
/edk92hd/renew | N/A | Extends the license validity period of the specified affiliate. |
/Panel.zip | N/A | Returns the Panel.zip file from disk. This password-protected archive contains the latest version of the panel. |
Unlike the 2023 versions of the backend we originally analyzed, lifetime licenses no longer appear in the code of the new module. Since licenses of this type were still being sold, we believe they were likely handled by simply setting their expiration to a date far in the future. Functionality related to code signing has also been completely removed.
Samples created by the Nodes.Api module are obfuscated using .NET Reactor if it is present at the hardcoded path C:Program Files (x86)Eziriz.NET ReactordotNET_Reactor.exe. This corresponds to its default installation path.
Beyond the aforementioned changes, features that were present in older versions behave much as they did before. However, a couple of interesting functionalities have been added.
Affiliate management
Three endpoints used to manage affiliate data are exposed. These appear to be meant for use only by the operator, but this is handled in two very different ways. The /secure-api/updateDb endpoint causes the server to reload user data from disk. Figure 18 shows the update method invoked by the MainServer module whenever a new entry is created or modified. The operation is only performed by the Nodes.Api module if the request comes from a loopback address, which prevents Panel users from using it.
The other two endpoints, /edk92hd/createRandom and /edk92hd/renew, use a different method of mitigating unauthorized access. As seen in Figure 19, they can only be invoked if the request contains an sko3s header set to a seemingly random hardcoded value.
Backups
The other interesting feature is the ability to back up affiliate data, functionality that was missing in the older versions of the code. Since this data is stored in a series of files on disk, the backup is a ZIP archive of the directory that contains the files. This archive is then sent via Telegram using a hardcoded Chat ID shown in Figure 20.
Links with META Stealer
META Stealer is the other infostealer disrupted alongside RedLine Stealer. According to an article by Kela, META Stealer was first announced on cybercrime forums in March 2022. The author claimed that it used the same code as RedLine Stealer and provided the same functionality and panel. META Stealer hasn’t been investigated as thoroughly as RedLine Stealer, but our research indicates that the claims it initially made are accurate. Based on the source code, the two infostealers are most probably made by the same person. While there are some differences, most of the code is the same with instances of the string RedLine replaced by Meta. As can be seen in Figure 21, the code that is commented out to be inactive in RedLine is present in META.
As we already mentioned, another piece of evidence pointing towards RedLine and META having the same operators is seen in the code of the Nodes.Api module, which handles requests sent to both RedLine and META servers, as shown in Figure 17.
We also found two samples of the META panel signed with a certificate that was also used to sign samples of the RedLine panel. This panel used the same dead-drop resolver schemes, going as far as using the same AES and RSA keys, only with a different GitHub repository. Additionally, as Figure 22 shows, a comparison of the panels used by META and RedLine reveals only minor cosmetic differences.
META Stealer uses the same combination of DNGuard and BoxedApp to protect its panel from analysis. However, META’s authentication process could not be completed when run against our instance of the RedLine backend from 2023, so it seems to have been modified from that of RedLine.
Network infrastructure
By parsing samples of RedLine that we detected between November 30th, 2022 and March 23rd, 2023, we were able to identify over 1,000 unique IP addresses used to host RedLine panels. Figure 23 shows the geographical distribution of these hosted panels. Russia, Germany, and the Netherlands each account for about 20% of the total, while Finland and the United States each represent around 10%. Even though this data only comes from samples targeting our customers, we believe it paints a fairly accurate picture with regards to the overall distribution of the malware.
We were also able to identify multiple distinct backend servers. It’s likely that there were more in the dead-drop resolvers that we couldn’t decrypt. Based on their geographical distribution, shown in Figure 24, the servers are mainly located in Russia (about a third of them) while the UK, the Netherlands, and the Czech Republic each represent around 15% of the servers we identified.
Dead-drop resolvers
As we already mentioned, the 2023 versions of the RedLine panel used GitHub repositories as dead-drop resolvers for its authentication servers. These repositories all contained a file with an encrypted list of server addresses. The file was encrypted using a custom module simply named RSA. In one version of this module, shown in Figure 25, the list was encrypted using AES-CBC with a hardcoded key and IV, and saved to a file named nodesUpdate.config.
More recent versions, which were in use at least until mid 2024, employ RSA encryption instead (see Figure 26), with the output written to a file named nodes.config. In this case, the key is read from a file rather than being hardcoded in the executable. However, the class used to perform RSA encryption is also present in the LoadBalancer module, with hardcoded default values for the public and private keys. Note the use of “nodes” again to refer to the backend servers.
We have observed GitHub repositories that contain at least one such encrypted file. Along with the keys shown above, we were able to extract an RSA private key from a sample of the panel. This allowed us to obtain lists of authentication servers, which we shared with law enforcement agencies.
Conclusion
Before Operation Magnus, RedLine was among the most widespread of infostealer malware with a very large number of affiliates using its control panel. However, the malware-as-a-service enterprise seems to be orchestrated by only a handful of people, some of whom have been identified by law enforcement.
META Stealer, RedLine Stealer’s clone and most probably created by the same threat actors, made its entry into the field in 2022. It does not appear to be a successor to RedLine, since the development of both families has continued in parallel. It was taken down alongside RedLine Stealer.
Our in-depth analysis of the behind-the-scenes parts of RedLine – its control panel and backend – hopefully provides a more holistic understanding of this threat.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.
Files
SHA-1 | Filename | Detection | Description |
1AD92153B56FC0B39F8FCEC949241EC42C22FA54 | Nodes.Api.exe | N/A | RedLine backend single-file application. |
8A0CAFE86C0774F1D9C7F198505AE15D04447DD6 | MainServer.exe | N/A | RedLine backend user and advertisement management module (2024 version). |
607DBA5F630A1DBFF0E13EEBA2730AB9AB2FB253 | Nodes.Api.dll | N/A | RedLine backend main module. |
FB3ABAC1FAC852AE6D22B7C4843A04CE75B65663 | Panel.exe | MSIL/Spy.RedLine.O | META stealer panel (2024 version). |
EE153B3F9B190B1492DEFBB1C70830A28F7C41B2 | RedLine.MainPanel.exe | MSIL/Spy.RedLine.H | RedLine stealer panel (2024 version). |
1AB006B1C5403BA4648059DF93B6DAEB0E3EC43F | Panel.exe | MSIL/Spy.RedLine.O | RedLine stealer panel (2024 version). |
DC3A236245AE8C4D5D079E429ED6B77A5B5245C2 | RedLine.MainServer.exe | N/A | RedLine backend licensing server GUI. |
06A2A900561C122F45088A5EAE9146F7675C63F6 | rsa.exe | N/A | Tool to encrypt the list of C&C servers. |
1626F2666782710FC28D4AFE607C7BE54F1FC67F | RedLine.Nodes.LoadBalancer.exe | N/A | RedLine backend server module. |
37D1221CE6BB82E7AD08FD22BD13592815A23468 | RedLine.SharedModels.dll | MSIL/Spy.RedLine.K | RedLine WCF models and contracts definitions. |
66C0E7E74C593196E0925A7B654E09258E3B1FB7 | Panel.exe | Win32/GenCBL.ATC | RedLine panel (v22.4). |
2E5D9F2ED82C81609F4C49EA31642B1FB5FC11B5 | RedLine.MainPanel.exe | MSIL/Spy.RedLine.H | RedLine panel (non-virtualized). |
47B78A5698A289C73175C5C69786DE40C7C93C12 | RedLine.SharedModels.dll | MSIL/Spy.RedLine.J | RedLine models and contracts definitions. |
49BE1D7C87AC919BB9083FA87F7B907E5F2C9835 | Panel.exe | MSIL/Spy.RedLine.H | META Stealer Panel. |
4BF4D42EED7FCA8FD52863B7020AC646EC6D97E9 | RedLine.Nodes.DbController.exe | N/A | RedLine backend server user and advertisement management module. |
27BD472729439D5B8814D4A8A464AF9832198894 | Panel.exe | MSIL/Spy.RedLine.H | RedLine panel (v26). |
A154DFAEDC237C047F419EB6884DAB1EF4E2A17D | Panel.exe | MSIL/Spy.RedLine.H | RedLine Panel (leaked cracked version). |
Network
Note that the domains in the table below have been seized by law enforcement. The other panel and server addresses that we collected were shared with law enforcement agencies on a regular basis to help in their actions and are no longer active.
IP | Domain | Hosting provider | First seen | Details |
N/A | spasshik[.]xyz | N/A | 2024-06-02 | META backend REST server. |
N/A | fivto[.]online | N/A | 2024-08-03 | RedLine backend REST server. |
MITRE ATT&CK techniques
This table was built using version 15 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description |
Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Instances of the RedLine back end are hosted on leased virtual private servers. |
T1583.004 | Acquire Infrastructure: Server | Instances of the RedLine back end are hosted on servers that appear to be exclusive to RedLine. | |
T1587.001 | Acquire Infrastructure: Web Services | Operators of RedLine have created multiple GitHub accounts and repositories. | |
T1587.002 | Develop Capabilities: Malware | Operators of RedLine have developed their own malware families, control panels, and back-end servers. | |
T1588.003 | Develop Capabilities: Code Signing Certificates | The RedLine back end automatically generates self-signed certificates when creating samples. | |
T1608.002 | Obtain Capabilities: Code Signing Certificates | RedLine panels are signed with valid certificates issued to AMCERT,LLC. | |
T1608.001 | Stage Capabilities: Upload Malware | Back-end components of RedLine are uploaded to private servers. | |
Defense Evasion | T1622 | Debugger Evasion | The RedLine panel automatically terminates itself if it detects a debugger or analysis tools. |
T1027.002 | Obfuscated Files or Information: Software Packing | Samples of the RedLine panel are packed using DNGuard and BoxedApp. | |
Command and Control | T1132.001 | Data Encoding: Standard Encoding | RedLine makes extensive use of base64 encoding in its network communications. Network communication uses the standard binary encoder of the WCF framework. |
T1573.001 | Encrypted Channel: Symmetric Cryptography | Communications between the panel and back-end server use AES encryption. In some cases, dead-drop resolver content is encrypted with AES-CBC. |
|
T1573.002 | Encrypted Channel: Asymmetric Cryptography | Communications between the panel and back-end server use RSA encryption. In some cases, dead-drop resolver content is encrypted with RSA. |
|
T1071.001 | Application Layer Protocol: Web Protocols | Network communication in recent versions is done via a REST API over HTTPS. | |
T1095 | Non-Application Layer Protocol | Network communication is done with the WCF Framework over TCP. | |
T1102.001 | Web Service: Dead Drop Resolver | The RedLine panel uses GitHub repositories as dead-drop resolvers to obtain the address of back-end servers. | |
T1571 | Non-Standard Port | By default, the RedLine panel’s Guest Links functionality runs an HTTP server on port 7766. |