RedLine Stealer Malware

RedLine Stealer - What is RedLine Malware?
RedLine Stealer, RedLine malware, Stealer malware
Written by Brendan Smith

The malicious program known as RedLine Stealer aims to grab various personal information from the infected system. It can spread as stand-alone malware or in conjunction with other malicious apps. This malware represents an example of a banking stealer, but it can also delve into different browsers to extract various other categories of information.

What is RedLine Stealer Malware?

RedLine Stealer, available for purchase on underground forums, exists in two forms: a standalone version priced at $100 or $150 (depending on the version) and a subscription-based service costing $100 per month.

Its primary purpose is to gather sensitive information from web browsers, encompassing saved credentials, autocomplete data, and credit card details.

Moreover, when operating on a targeted machine, RedLine Stealer acquires system inventory information such as the username, location data, hardware configuration, and details concerning installed security software.

Recent iterations of RedLine Stealer have incorporated the capability to pilfer cryptocurrency. This malware category also sets its sights on FTP and IM clients, enabling it to upload and download files, execute commands, and periodically transmit information regarding the infected computer.

Stealers strive to remain as stealthy as possible since their efficiency heavily relies on staying undetected within the system for as long as possible. While some samples perform their basic operations and then self-destruct, others continue running until they are detected or receive a self-destruction command from the command and control (C&C) server.

Functionality of RedLine Stealer

RedLine Stealer functions primarily as a banking stealer, targeting banking credentials stored in web browsers. To achieve this objective, RedLine has the capability to thoroughly extract information from any browser, including Chromium, Gecko-based, and others. In addition to banking data, it also captures cookies and passwords stored in the browser. However, not many popular browsers store passwords in plain text format, so the focus is more on attacking users of alternative applications.

RedLine Stealer admin panel

Administrative panel of RedLine Stealer

However, web browsers are not the only source of information for that stealer. Along with them, RedLine malware scans the device for various apps, such as Telegram, Discord, and Steam. It also aims at grabbing the credentials for FTP/SCP and VPN connections. Its code, recovered by reverse engineering, also shows its ability to scan for crypto wallets and then steal their information.

At the end of a procedure, RedLine collects detailed information about the system – OS version, installed hardware, the list of software, IP address, and so forth. Then, the entire pack of collected information is stored in the ScanResult folder. The latter is created in the same directory with the stealer executive file.

RedLine Stealer Tech Analysis

After reaching the target machine, RedLine malware launches a single process – Trick.exe, and a single instance of a console window. Soon after, it establishes a connection with the command and control server at the address of newlife957[.]duckdns[.]org[:]7225. It is worth noting that the initial code contains pretty legit functions – likely taken from a real program. Malicious content is getting downloaded dynamically through the functionality in the initial code. Such a trick is used to win some time for disabling the anti-malware solutions inside the system after the initial access.

TicTacToe RedLine Stealer

TicTacToe references in the RedLine code

When the malicious payload is installed, the first thing malware does is check the IP address of the PC. It uses the api[.]ip[.]sb site for that purpose. If there are no conflicts with its internal blacklists – countries and IP addresses that are not allowed to launch in – malware proceeds to further operations. RedLine starts scanning the environment step by step, following the list it receives after configuring.

Scanning sequence Redline stealer

Sequence of scanning for elements to steal on the infected PC

Then, it forms a log file that contains the information extracted from the attacked system. It is not possible to see all the details, as malware features data encryption at the stage of data extraction. However, the data types are clearly visible, hence you can expect what this malware shares with the rascals.

Data types collected by RedLine Stealer

Function nameDescription
ScannedBrowserBrowser name, user profile, login credentials and cookies
FtpConnectionsDetails about FTP connections present on the target machine
GameChatFilesFiles of in-game chats related to any games found
GameLauncherFilesThe list of installed game launchers
InstalledBrowsersList of installed browsers
MessageClientFilesFiles of messaging clients located on the target machine
CityDetected city
CountryDetected country
File LocationThe path where malware .exe file is executed
HardwareInformation about the installed hardware
IPv4Public IPv4 IP address of the victim PC
LanguageOS language
ScannedFilesPossibly valuable files found in the system
ScreenSizeScreen resolution of the target system
Function nameDescription
ScannedWalletsInformation about the wallets found in the system
SecurityUtilsList and status of all detected antivirus programs
AvailableLanguagesLanguages, supported by the OS version on target PC
MachineNameName of the target machine
MonitorThe screenshot of the screen at the moment of execution
OSVersionInformation about operating system version
NordCredentials for NordVPN
OpenCredentials for OpenVPN
ProcessesList of processes running in the system
SeenBeforeCheckup if the report is about a new victim or the one that was attacked earlier
TimeZoneTime zone of the attacked computer
ZipCodeVictim’s Zip-code
SoftwaresList of the programs installed on the attacked PC
SystemHardwaresDetails about PC configuration

Different researches show that RedLine is not completely consistent with the browsers it attacks. The biggest effectiveness is observed in Chrome, Opera, Chromium and Chromodo browsers. Among the apps based on other engines than Chromium there is a Chinese WebKit-based 360Browser. Web browsers on Gecko engine – Firefox, Waterfox and so forth – are also vulnerable, but the stealer sometimes has problems while extracting data from them.

RedLine malware orients at long-term staying in the system. A lot of stealers have a self-removal functionality once there is no data left to thief. Meanwhile, this stealer offers a spyware-style mechanism: an operator can order it to destroy itself, but there are no timers inside.

RedLine Stealer IoC

newlife957[.]duckdns[.]org[:]7225URLC2 URL
1741984cc5f9a62d34d180943658637523ac102db4a544bb6812be1e0507a348HashSHA-256 hash – disguise (undetected)
ee4608483ebb8615dfe71924c5a6bc4b0f1a5d0eb8b453923b3f2ce5cd00784bHashSHA-256 hash of malware part
9dc934f7f22e493a1c1d97107edc85ccce4e1be155b2cc038be8d9a57b2e430fHashSHA-256 hash of malware part
76ca4a8afe19ab46e2f7f364fb76a166ce62efc7cf191f0f1be5ffff7f443f1bHashSHA-256 hash of malware part
258445b5c086f67d1157c2998968bad83a64ca3bab88bfd9d73654819bb46463HashSHA-256 hash of system info grabber

Widespread RedLine variants detected in the wild

  • Trojan:Win32/RedLine.BS!MTB
  • Trojan:Win32/Redline.WON!MTB
  • Trojan:Win32/Redline.UR!MTB
  • Trojan:Win32/Redline.KB!MTB
  • Trojan:Win32/Redline.SHL!MTB
  • Trojan:MSIL/Redline.RA!MTB
  • Trojan:Win32/Redline.DD!MTB
  • Trojan:Win32/Redline.NC!MTB
  • Trojan:Win32/RedLine.MB!MTB
  • Trojan:Win32/RedLineStealer.PS!MTB
  • Trojan:Win32/Redline.MKWW!MTB
  • Trojan:Win32/Redline.MKU!MTB
  • Trojan:Win32/Redline.MKW!MTB
  • Trojan:Win32/Redline.MKKM!MTB
  • RedLine Stealer Distribution

    As I’ve mentioned before, RedLine Stealer may come as a solitary malware, as well as in a bundle with other viruses. Its activity rapidly grew over the last time, as it is convenient for crooks and can easily be purchased even in the surface web. For example, its developers have a group in Telegram messenger, where this malware is offered under different subscription types. As the stealer has outstanding functionality, these offers are never getting stale.

    RedLine Stealer bot telegram

    RedLine marketing bot in Telegram Messenger

    In a stand-alone form, RedLine Stealer is usually spread through email phishing. Alternatively, it may be disguised as installation files of some popular programs, like Discord, Telegram, Steam, and cracked apps. In one specific case, RedLine appeared as a browser extension, and its download link was embedded into a YouTube video description. However, phishing email messages remain the most potent and popular forms of malware distribution – and RedLine Stealer is not an exclusion.

    The example of a typical fraudulent email

    The example of a typical phishing email

    When it comes to spreading together with other malware, RedLine is often mated with different ransomware samples. However, the biggest share of in-bundle spreading is after the RedLine compound with Djvu ransomware. Actually, this ransomware features not only this stealer but also 2 other malware – SmokeLoader backdoor and Vidar stealer. Such a package can take away every piece of valuable data and flood the computer with other malware. And don’t forget about ransomware – this thing will already create a mess of your files.

    What is Djvu ransomware?

    STOP/Djvu ransomware is a notable example of a long-living cybercriminal group, that terrorizes mostly individuals. They quickly gained a dominant position on the ransomware market, reaching over 75% share in total ransomware submissions at a certain point of time. These days, it lost such a big tempo but remains as dangerous as ever. The additional malware it brings to the user device is likely needed to compensate for the shed in the number of new victims. Earlier, they were deploying Azorult stealer but then switched to the malware we mentioned earlier.

    How to stay protected?

    Knowing the ways of spreading gives you great instruction on preventing it. Methods of email spam counteraction are well-known and have a large variety of possible approaches. Same does malware spreading with a disguise of a legitimate application. Methods that feature unique and occasional ways are the hardest to avoid, but it is still possible.

    Spam emails can easily be distinguished from genuine messages. Almost every fishy message tries to mimic the real company or a sender familiar to you. However, it cannot counterfeit the sender’s address, as well as predict if you are waiting for that letter. Actually, they can acknowledge what emails you may receive through preliminary phishing, but that situation is pretty rare. Hence, seeing a strange letter you shouldn’t receive with an unusual address of its sender means someone tries to fool you. If the information looks convincing to you, it is better to go check things manually.

    Email spam example

    The typical example of a bait email. The attached file contains malware

    Fake app installers do not require that much of your attention but need you to follow the rules. For instance, those counterfeits are often spread in online communities, such as Discord or Reddit. Using them is risky, especially once you can get the same installer from the official site for free. When it comes to cracked programs, that’s one thing you should remember – nothing is free under the sun. Even if the crack looks legit, and you are sure about the sender, it is better to check that file with anti-malware software. There’s a big temptation to monetise the app cracking through adding malware – hackers break the law anyway. Another solution is to use genuine copies of software – paid and downloaded from the vendor’s website.

    Discord virus

    The example of malware spreading through Discord

    Tricky ways are almost impossible to predict and detect proactively. However, the files and extensions will not launch themselves automatically. Once you see a situation you are not sure about, the best decision is to launch a full scan with a powerful security solution. If equipped with a modern scanning system, it will definitely spot unusual activities that are not visible to the human eye.

    User Review
    0 (0 votes)
    Comments Rating 0 (0 reviews)

    German Japanese Spanish Portuguese (Brazil) French Turkish Chinese (Traditional) Korean Indonesian Hindi Italian

    About the author

    Brendan Smith

    I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

    With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.

    Leave a Reply