RedLine Stealer is a malicious program that aims at grabbing various personal information from the infected system. It may be spread as stand-alone malware, as well as together with some other malicious apps. This malware is an example of a banking stealer. However, it also can dig into different browsers to take various other categories of information.
What is stealer malware?
Stealer is a malware type that targets grabbing some specific data types from the infected machine. This class of malware is sometimes confused with spyware, however, the latter takes everything it can take from the system. Meanwhile, some stealers can search even for specific files or files of a certain format – for example, AutoCAD blueprints or Maya projects. That makes them more effective, however, they require more skills and control to succeed.
Stealers are trying to be as stealthy as possible since their efficiency heavily depends upon the time they remain in the system without detection. Sure, certain samples perform their basic operations and then self-destruct. But there are also the ones that keep running unless they’re detected or there is a self-destruction command from the C&C server.
RedLine Stealer functionality
RedLine stealer generally acts like a banking stealer, as its primary target is banking credentials saved in web browsers. To fulfill this need, RedLine has the ability to dig deep in any browser – both Chromium, Gecko-based, and others. But besides the banking data, it also grabs cookies and passwords kept in the browser. Still, not many popular browsers keep the latter in plain text form, so it is more about attacking the users of alternative apps.
However, web browsers are not the only source of information for that stealer. Along with them, RedLine malware scans the device for various apps, such as Telegram, Discord, and Steam. It also aims at grabbing the credentials for FTP/SCP and VPN connections. Its code, recovered by reverse engineering, also shows its ability to scan for crypto wallets and then steal their information.
At the end of a procedure, RedLine collects detailed information about the system – OS version, installed hardware, the list of software, IP address, and so forth. Then, the entire pack of collected information is stored in the ScanResult folder. The latter is created in the same directory with the stealer executive file.
RedLine Tech Analysis
After reaching the target machine, RedLine malware launches a single process – Trick.exe, and a single instance of a console window. Soon after, it establishes a connection with the command and control server at the address of newlife957[.]duckdns[.]org[:]7225. It is worth noting that the initial code contains pretty legit functions – likely taken from a real program. Malicious content is getting downloaded dynamically through the functionality in the initial code. Such a trick is used to win some time for disabling the anti-malware solutions inside the system after the initial access.
When the malicious payload is installed, the first thing malware does is check the IP address of the PC. It uses the api[.]ip[.]sb site for that purpose. If there are no conflicts with its internal blacklists – countries and IP addresses that are not allowed to launch in – malware proceeds to further operations. RedLine starts scanning the environment step by step, following the list it receives after configuring.
Then, it forms a log file that contains the information extracted from the attacked system. It is not possible to see all the details, as malware features data encryption at the stage of data extraction. However, the data types are clearly visible, hence you can expect what this malware shares with the rascals.
Data types collected by RedLine Stealer
|ScannedBrowser||Browser name, user profile, login credentials and cookies|
|FtpConnections||Details about FTP connections present on the target machine|
|GameChatFiles||Files of in-game chats related to any games found|
|GameLauncherFiles||The list of installed game launchers|
|InstalledBrowsers||List of installed browsers|
|MessageClientFiles||Files of messaging clients located on the target machine|
|File Location||The path where malware .exe file is executed|
|Hardware||Information about the installed hardware|
|IPv4||Public IPv4 IP address of the victim PC|
|ScannedFiles||Possibly valuable files found in the system|
|ScreenSize||Screen resolution of the target system|
|ScannedWallets||Information about the wallets found in the system|
|SecurityUtils||List and status of all detected antivirus programs|
|AvailableLanguages||Languages, supported by the OS version on target PC|
|MachineName||Name of the target machine|
|Monitor||The screenshot of the screen at the moment of execution|
|OSVersion||Information about operating system version|
|Nord||Credentials for NordVPN|
|Open||Credentials for OpenVPN|
|Processes||List of processes running in the system|
|SeenBefore||Checkup if the report is about a new victim or the one that was attacked earlier|
|TimeZone||Time zone of the attacked computer|
|Softwares||List of the programs installed on the attacked PC|
|SystemHardwares||Details about PC configuration|
Different researches show that RedLine is not completely consistent with the browsers it attacks. The biggest effectiveness is observed in Chrome, Opera, Chromium and Chromodo browsers. Among the apps based on other engines than Chromium there is a Chinese WebKit-based 360Browser. Web browsers on Gecko engine – Firefox, Waterfox and so forth – are also vulnerable, but the stealer sometimes has problems while extracting data from them.
RedLine malware orients at long-term staying in the system. A lot of stealers have a self-removal functionality once there is no data left to thief. Meanwhile, this stealer offers a spyware-style mechanism: an operator can order it to destroy itself, but there are no timers inside.
RedLine Stealer IoC
|1741984cc5f9a62d34d180943658637523ac102db4a544bb6812be1e0507a348||Hash||SHA-256 hash – disguise (undetected)|
|ee4608483ebb8615dfe71924c5a6bc4b0f1a5d0eb8b453923b3f2ce5cd00784b||Hash||SHA-256 hash of malware part|
|9dc934f7f22e493a1c1d97107edc85ccce4e1be155b2cc038be8d9a57b2e430f||Hash||SHA-256 hash of malware part|
|76ca4a8afe19ab46e2f7f364fb76a166ce62efc7cf191f0f1be5ffff7f443f1b||Hash||SHA-256 hash of malware part|
|258445b5c086f67d1157c2998968bad83a64ca3bab88bfd9d73654819bb46463||Hash||SHA-256 hash of system info grabber|
RedLine Stealer Distribution
As I’ve mentioned before, RedLine Stealer may come as a solitary malware, as well as in a bundle with other viruses. Its activity rapidly grew over the last time, as it is convenient for crooks and can easily be purchased even in the surface web. For example, its developers have a group in Telegram messenger, where this malware is offered under different subscription types. As the stealer has outstanding functionality, these offers are never getting stale.
In a stand-alone form, RedLine Stealer is usually spread through email phishing. Alternatively, it may be disguised as installation files of some popular programs, like Discord, Telegram, Steam, and cracked apps. In one specific case, RedLine appeared as a browser extension, and its download link was embedded into a YouTube video description. However, phishing email messages remain the most potent and popular forms of malware distribution – and RedLine Stealer is not an exclusion.
When it comes to spreading together with other malware, RedLine is often mated with different ransomware samples. However, the biggest share of in-bundle spreading is after the RedLine compound with Djvu ransomware. Actually, this ransomware features not only this stealer but also 2 other malware – SmokeLoader backdoor and Vidar stealer. Such a package can take away every piece of valuable data and flood the computer with other malware. And don’t forget about ransomware – this thing will already create a mess of your files.
What is Djvu ransomware?
STOP/Djvu ransomware is a notable example of a long-living cybercriminal group, that terrorizes mostly individuals. They quickly gained a dominant position on the ransomware market, reaching over 75% share in total ransomware submissions at a certain point of time. These days, it lost such a big tempo but remains as dangerous as ever. The additional malware it brings to the user device is likely needed to compensate for the shed in the number of new victims. Earlier, they were deploying Azorult stealer but then switched to the malware we mentioned earlier.
How to stay protected?
Knowing the ways of spreading gives you great instruction on preventing it. Methods of email spam counteraction are well-known and have a large variety of possible approaches. Same does malware spreading with a disguise of a legitimate application. Methods that feature unique and occasional ways are the hardest to avoid, but it is still possible.
Spam emails can easily be distinguished from genuine messages. Almost every fishy message tries to mimic the real company or a sender familiar to you. However, it cannot counterfeit the sender’s address, as well as predict if you are waiting for that letter. Actually, they can acknowledge what emails you may receive through preliminary phishing, but that situation is pretty rare. Hence, seeing a strange letter you shouldn’t receive with an unusual address of its sender means someone tries to fool you. If the information looks convincing to you, it is better to go check things manually.
Fake app installers do not require that much of your attention but need you to follow the rules. For instance, those counterfeits are often spread in online communities, such as Discord or Reddit. Using them is risky, especially once you can get the same installer from the official site for free. When it comes to cracked programs, that’s one thing you should remember – nothing is free under the sun. Even if the crack looks legit, and you are sure about the sender, it is better to check that file with anti-malware software. There’s a big temptation to monetise the app cracking through adding malware – hackers break the law anyway. Another solution is to use genuine copies of software – paid and downloaded from the vendor’s website.
Tricky ways are almost impossible to predict and detect proactively. However, the files and extensions will not launch themselves automatically. Once you see a situation you are not sure about, the best decision is to launch a full scan with a powerful security solution. If equipped with a modern scanning system, it will definitely spot unusual activities that are not visible to the human eye.
User Review( votes)