Threat Research

Redline Stealer and Mozilla Thunderbird

Securonix

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

  • Redline Stealer, a prolific information stealer currently sold on various cybercriminal forums and Telegram channels, was identified in a manufacturing customer’s environment.
  • GoThe victim was lured to a malicious Mozilla Thunderbird setup file while performing a web search. The malicious setup file was distributed through an advertisement and hosted on a lookalike page on thunderbiird[.]com.
    • TRU has previously seen Redline and other malware distributed this way.
  • The site delivered an ISO disc image file containing thunderbirdsetup.exe (Figure 1) (96EC3C5ADF2B6FFCC148C79E98A8EEC0).
    • Figure 1: Malicious Mozilla Thunderbird setup

  • When mounted and executed by the victim, the setup file launches the installer for the legitimate Mozilla Thunderbird installer (Figure 2) and in parallel, it disables Defender, drops the renamed AutoIT to disk (the renamed AutoIT has the format .exe.pif), and executes a highly obfuscated AutoIT script containing an embedded payload (Figures 3-4).
  • The Redline payload is RC4 encrypted with the key 853414546488828924090328091950203913033769656248 and injected into the legitimate Windows file jsc.exe (JScript Compiler).
    • Figure 2: Malicious Mozilla Thunderbird Setup launches a legitimate installer to get the user to believe that they have downloaded a legitimate installer<.em>

    Figure 3: Batch script to patch and run AutoIT

    Figure 4: Legitimate Mozilla Thunderbird running in parallel with Redline

  • A scheduled task named “Vedesti” is created to repeat this process to persist on the device.

How did we find it?

  • MDR for Endpoint identified the AutoIT execution technique and the malware payload was blocked.

What did we do?

What can you learn from this TRU positive?

  • Redline is a Malware-as-a-Service malware that is rented by users for a specific period (monthly/lifetime).
    • Users get access to a configuration panel where payloads are built, and data and bots are controlled and instructions on how to use Redline are provided through the panel.
    • In this instance Redline was configured to connect to 176.124.216[.]38 using ID “Google New 1”, likely a campaign identifier and reference to the distribution method used (Figure 5).
    • Figure 5: Redline Configuration

  • This attack contained several layers aimed at evading perimeter filtering and static detection:
    • The executable was inflated to over 300MB and delivered in an ISO file.
    • A non-standard scripting language (AutoIT) and the binary necessary to execute it (AutoIT.exe) were both introduced to the system. The binary was modified to prevent execution except by the malware. The script was heavily obfuscated and contained the Redline payload in encrypted form. This payload is never directly written to disk.
  • Redline contains various stealing capabilities for credentials and financial data, including crypto wallets. It is an extremely common source of stolen data on various fraud markets. The stolen data or the implant itself could be leveraged for further infiltration into the network.

Recommendations from our Threat Response Unit (TRU) Team:

Protecting against information stealers requires a multi-layered defense approach to defend endpoints from malware and detect or block unauthorized login activity against applications and remote access services. Therefore, we recommend:

  • Protecting all endpoints against malware.
    • Ensure antivirus signatures are up to date.
    • Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.
    • If an information stealing malware is identified, reset the user credentials and terminate logon sessions immediately.
  • Encouraging good cybersecurity hygiene among your users by using Phishing and Security Awareness Training (PSAT) when downloading software from the Internet.
  • Restricting access to enterprise applications from personal devices outside the scope of security monitoring.
  • Ensuring adequate logging is in place for remote access services such as VPNs and using modern authentication methods, which support MFA and conditional access.

Ask Yourself…

  • Can the user identify if the source is trusted to download the files from?
  • Is endpoint monitoring in place to identify malicious activities performed by Redline?
  • Are your users aware of the risks of visiting a malicious website hosting malicious software while browsing?

eSentire’s Threat Response Unit (TRU) is a world-class team
of threat researchers who develop new detections enriched by original threat
intelligence and leverage new machine learning models that correlate
multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider,
eSentire MDR can help you reclaim the advantage and put your business ahead of
disruption.

Learn what it means to have an elite team of Threat Hunters
and Researchers that works for you. Connect with an eSentire
Security Specialist.

Source: https://www.esentire.com/blog/redline-stealer-and-mozilla-thunderbird

Tags: CRYPTO, EDR, PATCH, MDR, LEARN, FINANCIAL, BREACH, WINDOWS