RedLine Stealer – What is RedLine Malware?

Written by Brendan Smith

RedLine Stealer is a malicious program that collects personal information from the infected system. It may be spread as stand-alone malware or bundled with other malicious software. RedLine belongs to the stealer class and is primarily aimed at banking credentials, but it also digs into web browsers and other applications for many other categories of data.

What is stealer malware?

A stealer is a malware type that targets specific kinds of data on the infected machine. This class is sometimes confused with spyware, but spyware takes everything it can reach, whereas a stealer goes after a defined set of targets. Some stealers even search for specific files or file formats, for example AutoCAD blueprints or Maya projects. That makes them more effective, but it requires more skill from the developer and more control from the operator to succeed.

Stealers try to be as stealthy as possible, since their usefulness depends heavily on how long they remain on the system undetected. Some samples perform their basic operations and then self-destruct. Others keep running until they are detected or until a self-destruct command arrives from the command and control (C&C) server.

RedLine Stealer functionality

RedLine generally acts like a banking stealer, as its primary target is banking credentials saved in web browsers. To that end, it can dig into Chromium-based browsers, Gecko-based browsers and others. Besides banking data, it also grabs cookies and saved logins kept in the browser. Note that modern browsers do not keep saved passwords in plain text: Chromium-based browsers, for example, encrypt the password store with a key protected by Windows DPAPI. That protection is tied to the logged-in user, so a stealer running under the same user account can decrypt the store with the same API the browser uses, which is what stealers such as RedLine rely on.

Figure: Administrative panel of RedLine Stealer

Web browsers are not the only source of information for this stealer. RedLine also scans the device for other applications, such as Telegram, Discord and Steam, and grabs stored credentials for FTP/SCP and VPN connections. Its code, recovered by reverse engineering, also shows the ability to search for cryptocurrency wallets and steal their data.

At the end of the procedure, RedLine collects detailed information about the system: OS version, installed hardware, the list of installed software, IP address and so on. The entire package of collected information is then stored in a ScanResult folder, which is created in the same directory as the stealer executable.

RedLine Tech Analysis

After reaching the target machine, RedLine launches a single process, Trick.exe, and a single console window. Soon after, it establishes a connection with the command and control server at newlife957[.]duckdns[.]org[:]7225. It is worth noting that the initial code contains fairly legitimate-looking functions, probably taken from a real program; the malicious content is downloaded dynamically through functionality in that initial code. This trick buys time to disable the anti-malware solutions on the system after initial access.

Figure: TicTacToe references in the RedLine code

Once the malicious payload is installed, the first thing the malware does is check the public IP address of the PC, using the api[.]ip[.]sb service. If the result does not conflict with its internal blacklists of countries and IP addresses on which it is not allowed to run, the malware proceeds. RedLine then scans the environment step by step, following the list of targets it receives in its configuration.

Figure: Sequence of scanning for elements to steal on the infected PC

It then builds a log file containing the information extracted from the attacked system. Not all details can be seen, because the malware encrypts the data at the exfiltration stage; however, the data types are clearly visible, so you can tell what this malware shares with its operators.

Data types collected by RedLine Stealer

Function name: Description

ScannedBrowser: Browser name, user profile, login credentials and cookies
FtpConnections: Details about FTP connections present on the target machine
GameChatFiles: Files of in-game chats related to any games found
GameLauncherFiles: The list of installed game launchers
InstalledBrowsers: List of installed browsers
MessageClientFiles: Files of messaging clients located on the target machine
City: Detected city
Country: Detected country
File Location: The path where the malware .exe file is executed
Hardware: Information about the installed hardware
IPv4: Public IPv4 address of the victim PC
Language: OS language
ScannedFiles: Possibly valuable files found in the system
ScreenSize: Screen resolution of the target system
ScannedWallets: Information about the wallets found in the system
SecurityUtils: List and status of all detected antivirus programs
AvailableLanguages: Languages supported by the OS version on the target PC
MachineName: Name of the target machine
Monitor: Screenshot of the screen at the moment of execution
OSVersion: Information about the operating system version
Nord: Credentials for NordVPN
Open: Credentials for OpenVPN
Processes: List of processes running in the system
SeenBefore: Check whether the report is about a new victim or one that was attacked earlier
TimeZone: Time zone of the attacked computer
ZipCode: Victim's ZIP code
Softwares: List of the programs installed on the attacked PC
SystemHardwares: Details about the PC configuration

Various analyses show that RedLine is not equally effective against every browser it attacks. The best results are observed in Chrome, Opera, Chromium and Chromodo. Among browsers built on engines other than Chromium, it handles the Chinese WebKit-based 360Browser. Browsers on the Gecko engine, such as Firefox and Waterfox, are also affected, but the stealer sometimes has problems extracting data from them.

RedLine is oriented toward staying on the system long-term. Many stealers remove themselves once there is no data left to steal. This stealer instead offers a spyware-style mechanism: an operator can order it to destroy itself, but there are no built-in timers.

RedLine Stealer IoC

C2 URL (host:port): newlife957[.]duckdns[.]org[:]7225
SHA-256, disguise (undetected): 1741984cc5f9a62d34d180943658637523ac102db4a544bb6812be1e0507a348
SHA-256, malware part: ee4608483ebb8615dfe71924c5a6bc4b0f1a5d0eb8b453923b3f2ce5cd00784b
SHA-256, malware part: 9dc934f7f22e493a1c1d97107edc85ccce4e1be155b2cc038be8d9a57b2e430f
SHA-256, malware part: 76ca4a8afe19ab46e2f7f364fb76a166ce62efc7cf191f0f1be5ffff7f443f1b
SHA-256, system info grabber: 258445b5c086f67d1157c2998968bad83a64ca3bab88bfd9d73654819bb46463
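The indicators above are only useful if something checks for them. The following script is an added example, written for this article and not part of the original text or of any RedLine analysis tooling: it hashes files against the SHA-256 values from the IoC table, flags a ScanResult folder sitting next to an executable (the artefact described in the functionality section), and scans proxy or DNS log lines for the C2 host and the api.ip.sb lookup the stealer performs before collecting data. The log lines and file contents in it are constructed for the example.

```python
"""Added triage helper (example code, not part of the original article).
It checks files against the SHA-256 hashes from the IoC table above, flags a
ScanResult folder sitting next to an executable, and scans proxy/DNS log lines
for the C2 host and the api.ip.sb lookup. The log lines below are constructed."""
import hashlib
import re
from pathlib import Path

# SHA-256 hashes copied from the IoC table (lower-case hex).
REDLINE_HASHES = {
    "1741984cc5f9a62d34d180943658637523ac102db4a544bb6812be1e0507a348",
    "ee4608483ebb8615dfe71924c5a6bc4b0f1a5d0eb8b453923b3f2ce5cd00784b",
    "9dc934f7f22e493a1c1d97107edc85ccce4e1be155b2cc038be8d9a57b2e430f",
    "76ca4a8afe19ab46e2f7f364fb76a166ce62efc7cf191f0f1be5ffff7f443f1b",
    "258445b5c086f67d1157c2998968bad83a64ca3bab88bfd9d73654819bb46463",
}

# Network indicators: the C2 host/port from the article and the public-IP
# service the stealer queries before it starts collecting data.
C2_HOST = "newlife957.duckdns.org"
C2_PORT = 7225
GEOIP_HOST = "api.ip.sb"

# Constructed sample proxy log (timestamp, client, method, target, status).
SAMPLE_LOG = [
    "2023-04-11T10:02:17Z 10.0.0.5 GET https://api.ip.sb/ip 200",
    "2023-04-11T10:02:19Z 10.0.0.5 CONNECT newlife957.duckdns.org:7225 -",
    "2023-04-11T10:03:01Z 10.0.0.7 GET https://www.example.com/ 200",
]


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_paths(paths, known=REDLINE_HASHES):
    """Return [(path, sha256)] for every regular file whose hash is in `known`."""
    hits = []
    for p in map(Path, paths):
        if p.is_file():
            digest = sha256_file(p)
            if digest in known:
                hits.append((str(p), digest))
    return hits


def scan_result_dirs(root):
    """Return ScanResult directories that sit next to an .exe file under `root`."""
    found = []
    for d in Path(root).rglob("ScanResult"):
        if d.is_dir() and any(s.suffix.lower() == ".exe" for s in d.parent.iterdir()):
            found.append(str(d))
    return sorted(found)


# host[:port] tokens; hostnames only, so bare IP addresses are skipped.
_HOST_RE = re.compile(r"\b(?P<host>[a-z0-9.-]+\.[a-z]{2,})(?::(?P<port>\d{1,5}))?\b", re.I)


def scan_log_lines(lines):
    """Return [(line_no, reason)] for lines that touch the C2 host or api.ip.sb."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in _HOST_RE.finditer(line):
            host = m.group("host").lower()
            if host == C2_HOST:
                on_port = m.group("port") == str(C2_PORT)
                findings.append((n, "C2 host" + (" on expected port" if on_port else "")))
                break
            if host == GEOIP_HOST:
                findings.append((n, "public-IP lookup (pre-collection geo check)"))
                break
    return findings


if __name__ == "__main__":
    for line_no, reason in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Run it against a directory of quarantined samples with `scan_paths(Path(".").rglob("*"))` and against exported proxy logs with `scan_log_lines(open("proxy.log"))`. A hit on api.ip.sb alone is weak evidence, since legitimate software also queries public-IP services; it becomes interesting when the same client contacts the DuckDNS C2 host a few seconds later, which is the sequence the analysis above describes.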

RedLine Stealer Distribution

As mentioned above, RedLine Stealer may come as a solitary piece of malware or bundled with other malware. Its activity has grown rapidly recently, since it is convenient for crooks and can be purchased easily, even on the surface web. For example, its developers run a group in the Telegram messenger where the malware is offered under different subscription plans. As the stealer has extensive functionality, these offers are in constant demand.

Figure: RedLine marketing bot in Telegram Messenger

In stand-alone form, RedLine Stealer is usually spread through email phishing. Alternatively, it may be disguised as an installer for a popular program, such as Discord, Telegram or Steam, or as a cracked application. In one specific case, RedLine appeared as a browser extension whose download link was embedded in a YouTube video description. Still, phishing emails remain the most potent and popular form of malware distribution, and RedLine Stealer is no exception.

Figure: An example of a typical phishing email

When spread together with other malware, RedLine is often bundled with various ransomware samples. The biggest share of bundled distribution, however, comes from the combination of RedLine with Djvu ransomware. That ransomware actually drops not only this stealer but two other malware families as well: the SmokeLoader backdoor and the Vidar stealer. Such a package can take away every piece of valuable data and flood the computer with further malware. And then there is the ransomware itself, which will already have made a mess of your files.

What is Djvu ransomware?

STOP/Djvu ransomware is a notable example of a long-lived cybercriminal group that terrorizes mostly individuals. It quickly gained a dominant position on the ransomware market, reaching over 75% of total ransomware submissions at one point. These days it has lost some of that momentum but remains as dangerous as ever. The additional malware it brings to the user's device is likely meant to compensate for the drop in the number of new victims. Earlier, the group deployed the Azorult stealer, but then switched to the malware mentioned above.

How to stay protected?

Knowing how RedLine spreads gives you good instruction on preventing it. Methods for countering email spam are well known and come in a wide variety. The same applies to malware disguised as a legitimate application. Unusual, one-off distribution tricks are the hardest to avoid, but even those can be handled.

Spam emails can usually be distinguished from genuine messages. Almost every suspicious message tries to mimic a real company or a sender familiar to you. The attacker usually cannot predict whether you are expecting such a letter, and while the visible sender address can be forged, the forgery tends to show when the displayed From address does not match the domain that actually sent the message or when the receiving server's SPF, DKIM and DMARC checks fail. Attackers can learn which emails you expect through preliminary phishing, but that is rare. So a strange letter you had no reason to expect, from an unusual sender address, means someone is trying to fool you. Even if the information looks convincing, it is better to verify it manually through a channel you already trust.

Figure: A typical example of a bait email. The attached file contains malware
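The checks described above can be automated on a raw message. The script below is an added example written for this article (not part of the original text): it compares the visible From domain with the envelope sender and Reply-To, reads the SPF/DKIM/DMARC verdicts that the receiving mail server recorded in Authentication-Results, and flags executable-looking attachments of the kind RedLine is delivered in. Both messages in it are constructed for the example, and the domains, header values and attachment name are made up.

```python
"""Added example (not from the original article): flag the phishing cues the
section above describes on a raw RFC 5322 message. Both sample messages,
their domains and the attachment name are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr

# Extensions that commonly carry a stealer dropper or its archive wrapper.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".img", ".zip", ".rar")

# Constructed legitimate message: From matches Return-Path, all checks pass.
LEGIT = """Return-Path: <billing@vendor.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example
From: Vendor Billing <billing@vendor.example>
To: user@example.net
Subject: Invoice 1042
Content-Type: text/plain

Your invoice is available in the portal.
"""

# Constructed phishing message: spoofed From, relay envelope sender, foreign
# Reply-To, DMARC failure and an .exe attachment.
PHISH = """Return-Path: <bounce@mail-relay.example.org>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail-relay.example.org; dkim=none; dmarc=fail header.from=vendor.example
From: Vendor Billing <billing@vendor.example>
Reply-To: <billing.vendor@freemail.example>
To: user@example.net
Subject: Invoice 1042 - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached invoice.
--b1
Content-Type: application/octet-stream; name="Invoice_1042.exe"
Content-Disposition: attachment; filename="Invoice_1042.exe"

MZ
--b1--
"""


def _domain(header_value):
    """Lower-cased domain part of the first address in a header, or ''."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[mech.lower()] = verdict.lower()
    return results


def assess_message(raw):
    """Return a list of warning strings; an empty list means no red flag found."""
    msg = message_from_string(raw)
    warnings = []
    from_dom = _domain(msg.get("From", ""))
    envelope_dom = _domain(msg.get("Return-Path", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    if envelope_dom and envelope_dom != from_dom:
        warnings.append(f"From domain {from_dom} differs from envelope sender {envelope_dom}")
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            warnings.append(f"{mech} result is {auth.get(mech, 'missing')}")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            warnings.append(f"risky attachment {name}")
    return warnings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(label, assess_message(raw) or ["no warnings"])
```

The Authentication-Results header is only trustworthy when it was added by your own mail server (strip any copy that arrives from outside), and a passing SPF result for a relay domain, as in the constructed phishing sample, says nothing about the address shown in From; that is why the script compares the two domains rather than trusting the verdict alone.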

Fake app installers do not require that much attention, but they do require you to follow a few rules. Such counterfeits are often spread in online communities such as Discord or Reddit. Using them is risky, especially when you can get the same installer from the official site for free. When it comes to cracked programs, remember one thing: nothing is free under the sun. Even if the crack looks legitimate and you trust the sender, check the file with anti-malware software first. There is a strong temptation to monetise app cracking by adding malware, since the people doing it are breaking the law anyway. The better solution is to use genuine copies of software, paid for and downloaded from the vendor's website.

Figure: An example of malware spreading through Discord

Unusual tricks are almost impossible to predict and detect proactively. However, files and extensions will not launch themselves. When you see a situation you are not sure about, the best decision is to run a full scan with a capable security solution. A modern scanning engine will spot unusual activity that is not visible to the human eye.


About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.
