RedLine Stealer

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Type: Stealer
Origin: ex-USSR
First seen: 1 March, 2020
Last seen: 5 October, 2022
Also known as: RedLine
Global rank: 4
Week rank: 1
Month rank: 1
IOCs: 44432

What is RedLine Stealer?

RedLine Stealer (RedLine) is malware that collects users’ confidential information and delivers other malicious programs. Because the stealer is easy to obtain and flexible, it is widely used, causing financial loss and data leakage on both enterprise and personal devices. The healthcare and manufacturing sectors suffer the most from these attacks.

The malware appeared in March 2020 according to Proofpoint's investigation. Since then RedLine has only gained steam: it was on the rise during the COVID-19 pandemic and is still active. On July 1st, 2021 the malware was found on a legitimate-looking website offering privacy tools; payload analysis showed that the site served nothing but malware.

General description of RedLine malware

RedLine is an infostealer that takes information about users from browsers, the system, instant messaging clients, and file transfer protocol (FTP) clients. Its main targets are passwords, credit card information, usernames, location, autofill data, cookies, the set of installed software, and even hardware configuration such as keyboard layout and UAC settings. The malware is also capable of stealing cryptocurrency.

The malicious program behaves like a typical stealer such as Raccoon or Pony: it uploads and downloads files, executes commands, and reports information about the infected machine. Attackers also use RedLine to deliver ransomware, RATs, trojans, and miners.

The infostealer is popular partly because it is easy to obtain: underground forums and C&C panels offer it in several forms, such as a malware-as-a-service version or a subscription, at prices from $100 to $200.

RedLine Stealer is not as sophisticated as, say, ransomware; its feature set is typical of this malware family. However, it is .NET malware written in C#, and the code quality is high enough to suggest an experienced programmer behind it. Its operators also keep updating it, adding capabilities such as downloading secondary payloads and advanced filtering features.

RedLine malware analysis

ANY.RUN allows researchers to perform the analysis and watch RedLine in action in an interactive sandbox simulation.

Figure 1: The lifecycle of RedLine shown as a process graph generated by ANY.RUN.

Figure 2: A customizable text report generated by ANY.RUN lets users take an even deeper look at the malware and helps share research results.

RedLine Stealer execution process

The execution process of this stealer is typically plain and straightforward. Based on the analysis, the main binary launches a copy of itself and the parent process stops. The stealer may be dropped by another binary or be the initial sample itself. Once the child process is created, the main malicious activity starts: RedLine collects information such as passwords from the infected system and sends it to the Command & Control panel. When all information is collected and sent, the stealer simply exits. Stolen information is sent both unencrypted and base64-encoded.
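The self-launch pattern described above (the sample starts a copy of its own image and the parent exits while the child carries on) is something a defender can look for in process-creation telemetry. The following is an added example, not ANY.RUN's code: it runs a simple heuristic over constructed process events in a hypothetical, simplified schema (pid, ppid, image path, start and end times) and flags parent/child pairs with the same image where the parent stopped shortly after spawning the child. Legitimate installers and updaters relaunch themselves too, so the output is a triage signal, not a verdict.

```python
"""Flag the 'launch a copy of itself, then the parent stops' pattern.

Added example, not ANY.RUN code. The event schema and the sample events
below are constructed for illustration (hypothetical field names).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str             # full image path of the process
    start: float           # start time, epoch seconds
    end: Optional[float]   # exit time, epoch seconds; None if still running


def find_self_relaunch(events: List[ProcEvent],
                       max_parent_lifetime: float = 5.0) -> List[Dict]:
    """Return child/parent pairs where a process launched its own image and
    the parent exited within max_parent_lifetime seconds of the spawn while
    the child kept running."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        # Same binary relaunched: compare image paths case-insensitively
        if parent.image.lower() != child.image.lower():
            continue
        # Parent must have stopped after the child was created ...
        if parent.end is None or parent.end < child.start:
            continue
        # ... and stopped soon after, which is the hand-over we are after
        if parent.end - child.start > max_parent_lifetime:
            continue
        if child.end is not None:
            continue  # child also gone; not the long-lived worker we want
        hits.append({
            "child_pid": child.pid,
            "parent_pid": parent.pid,
            "image": child.image,
            "parent_lifetime_after_spawn": round(parent.end - child.start, 3),
        })
    return hits


# Constructed sample telemetry: one self-relaunch with a parent hand-over,
# one legitimate multi-process application whose parent stays alive.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", 0.0, None),
    ProcEvent(2040, 100, r"C:\Users\u\Downloads\invoice.exe", 10.0, 11.2),
    ProcEvent(2056, 2040, r"C:\Users\u\Downloads\invoice.exe", 10.5, None),
    ProcEvent(3000, 100, r"C:\Program Files\Editor\editor.exe", 20.0, None),
    ProcEvent(3010, 3000, r"C:\Program Files\Editor\editor.exe", 20.2, None),
]

if __name__ == "__main__":
    for hit in find_self_relaunch(SAMPLE_EVENTS):
        print(hit)
```

Tune `max_parent_lifetime` to the telemetry at hand; a real pipeline would also join the hit with the file's signing status and download origin before raising an alert.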

Distribution of RedLine

Attackers are not very creative with the delivery method. However, as with ransomware, the method works well: social engineering through email campaigns (including business email compromise and spam), fake updates, and ads in Google results lead victims to malicious attachments or links. A wide variety of file formats is used:

  • Office
  • PDF
  • RAR and ZIP
  • Executable files
  • JavaScript

Opening the attached file runs RedLine, which then downloads other malicious programs.

How to detect RedLine infostealer using ANY.RUN?

Analysts can quickly recognize the infostealer in ANY.RUN because the sample is tagged once Suricata IDS rules are triggered. Since the malicious program sends the stolen data to its panel right after execution starts, detection does not take long.

Conclusion

The best way to protect your organization or device from RedLine is to be cautious with suspicious files and links that arrive by email. Your staff should be aware that even trustworthy-looking sources can lead to infection and theft of passwords or other credentials. Checking a file in a sandbox such as ANY.RUN takes only a few minutes, which is enough to detect RedLine, and you will be good to go. Stay safe.

IOCs

IP addresses
109.206.241.81
89.107.10.129
185.11.73.55
195.2.78.202
192.168.100.156
80.66.87.52
94.140.115.207
94.130.229.4
94.140.114.207
185.45.192.218
89.39.104.85
195.54.170.157
152.89.219.248
193.124.22.24
116.203.187.3
109.107.181.110
185.191.229.101
3.132.159.158
185.106.92.20
94.228.116.72
Hashes

Domains
zerit.top
fuyt.org
tzgl.org
kotob.top
securebiz.org
www.thecitizensforum.org
wrrst.top
tbpws.top
astdg.top
paymenthacks.com
zaraat.xyz
statcounter.biz
www.xn--anibalderedao-7eb3d.com
korleva.ru
www.paradajaime.com
worldview.word
www.soukid.com
www.simplefinest.com
virustotalo.com
documents-bjc.org
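The IOCs above, together with the note that RedLine posts stolen data to its panel right after start, either unencrypted or base64-encoded, are enough for a first-pass network check. The following is an added example, not ANY.RUN's code: it loads the IP and domain IOCs copied from this page, drops any that are not globally routable (192.168.100.156 in the list is an RFC 1918 address and would only match internal traffic), and scans constructed proxy log lines in an assumed format (timestamp, source, method, host, path, status, posted body or "-") for contact with a listed host or a base64-looking POST body.

```python
"""Scan constructed proxy log lines against the RedLine IOCs listed above.

Added example, not ANY.RUN code. IOC values are copied from the page; the
log format and the sample lines are constructed (hypothetical).
"""
import base64
import ipaddress
import re
from typing import Dict, List, Set

IOC_IPS = {
    "109.206.241.81", "89.107.10.129", "185.11.73.55", "195.2.78.202",
    "192.168.100.156", "80.66.87.52", "94.140.115.207", "94.130.229.4",
    "94.140.114.207", "185.45.192.218", "89.39.104.85", "195.54.170.157",
    "152.89.219.248", "193.124.22.24", "116.203.187.3", "109.107.181.110",
    "185.191.229.101", "3.132.159.158", "185.106.92.20", "94.228.116.72",
}
IOC_DOMAINS = {
    "zerit.top", "fuyt.org", "tzgl.org", "kotob.top", "securebiz.org",
    "www.thecitizensforum.org", "wrrst.top", "tbpws.top", "astdg.top",
    "paymenthacks.com", "zaraat.xyz", "statcounter.biz",
    "www.xn--anibalderedao-7eb3d.com", "korleva.ru", "www.paradajaime.com",
    "worldview.word", "www.soukid.com", "www.simplefinest.com",
    "virustotalo.com", "documents-bjc.org",
}


def usable_ips(ips: Set[str]) -> Set[str]:
    """Keep only globally routable addresses; private/loopback entries such
    as 192.168.100.156 would fire on internal traffic, not on the C2."""
    return {ip for ip in ips if ipaddress.ip_address(ip).is_global}


C2_IPS = usable_ips(IOC_IPS)

# Assumed log line layout: ts src method host path status body
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<body>\S+)$"
)


def host_matches(host: str) -> bool:
    """True if host is a listed C2 IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    if host in C2_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def looks_base64(body: str) -> bool:
    """Heuristic for a base64-encoded blob: alphabet, padding and decodability."""
    if body == "-" or len(body) < 32 or len(body) % 4:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except ValueError:
        return False


def scan(lines: List[str]) -> List[Dict]:
    """Return one alert per line that hits a known host or carries a
    base64-encoded POST body; unparsable lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        reasons = []
        if host_matches(rec["host"]):
            reasons.append("known RedLine C2 host")
        if rec["method"] == "POST" and looks_base64(rec["body"]):
            reasons.append("base64-encoded POST body")
        if reasons:
            alerts.append({"src": rec["src"], "host": rec["host"], "reasons": reasons})
    return alerts


# Constructed sample traffic; the encoded body is a made-up string, not real loot
SAMPLE_BODY = base64.b64encode(b"browser=chrome;login=alice;cookie=abc123;").decode()
SAMPLE_LOG = [
    f"2022-10-05T08:01:02Z 10.0.0.5 POST 185.11.73.55 /upload 200 {SAMPLE_BODY}",
    "2022-10-05T08:02:10Z 10.0.0.7 GET www.example.com / 200 -",
    "2022-10-05T08:03:44Z 10.0.0.9 GET updates.zerit.top /dl 200 -",
    "2022-10-05T08:04:00Z 10.0.0.5 POST 192.168.100.156 /print 200 -",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The base64 check on its own is noisy (plenty of legitimate clients post encoded payloads), so in practice it is weighted as supporting evidence next to a host match or a Suricata hit rather than used as a standalone alert.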
