Redline stealer malware: Full analysis
Redline malware was first observed in March 2020, but it continues to be the most prominent cyber threat impacting users worldwide in 2021. According to the AnyRun trend tracker, 1,473 samples were submitted onto the online sandbox in September 2021, an increase of 377 samples in contrast to August, with a total of 2,600 domains and 405 unique IP addresses.
Figure 1: Total of samples Redline malware in September 2021 (source).
Redline is a piece of malware that has been updated during the last few months, with features for credentials exfiltration and cryptocurrency wallets, browser information and FTP authentication data. It also collects information about the infected machine, such as OS information, system hardware, processes, system language and more. Capabilities to load remote payloads and a SOAP protocol for C2 communication were also implemented — a clear sign this malicious piece should be put under the cyber radar.
Become a certified reverse engineer!
Modus Operandi of Redline malware
This info stealer operates on a MaaS (malware-as-a-service) model and is distributed on underground forums according to the users’ needs; $150 lite version; $200 pro version; $100/month subscription option. In the Telegram channel, the malware can be acquired and paid in Bitcoin, Ethereum, XMR, LTC and USDT.
Figure 2: Redline official Telegram channel.
Figure 3 below shows the features of Redline shared by criminals in a specific forum where it is distributed in the wild by its authors.
Figure 3: Detailed features of Redline malware.
The vehicle used by criminals to disseminate the Redline stealer is the email. A malicious and convincing message is sent along with an URL responsible for downloading the binary file installed on the target machine. Healthcare (taking advantage of the COVID-19 situation) and manufacturing were two industry sectors affected by this threat in the last few months.
Figure 4: Email template of the Redline malware related to the COVID-19 pandemic situation.
Redline C2 server
This malware is written in C# and uses a SOAP API to establish communication with its C2 server. As observed on the clandestine Horus Eyes RAT, this stealer takes advantage of the powerful features of the Telegram API to notify criminals about new infections in an easy way. Some details about this mechanism can be seen below.
Figure 5: Redline Telegram bot configuration.
After receiving a ping via a Telegram channel, criminals can interact with the Redline agent installed on the victim’s device using the C2 panel installed on a Windows machine. The command and control server is also written in C# and its communication is based on a WSDL with a SOAP API to interact with the malicious agents.
As observed below, the C2 panel includes several features, including:
- Displaying information from the infected machine
- Exporting and commenting details
- Searching mechanism
- Creating and downloading remote files
- Running tasks such as password exfiltration, FTP data, Browser details including passwords and so on.
In addition, the C2 panel can execute additional payloads on the agents-side and even open specific URLs on the default web browser. Figure 6 shows some details about the Redline C2 panel with sensitive data redacted and the code block responsible for executing extra payloads.
Figure 6: Details about the Redline C2 panel and block of code responsible for executing additional payloads.
Although this malware is equipped with a lot of modern features also observed on stealers of this nature, Redline doesn’t use cryptography to create a secure channel when it communicates with the C2 server, and all the packets and data can be easily identified on the network layer by security appliances by creating customized rules to detect it.
Figure 7: SOAP envelope of Redline malware when a specific task is started (password stealer module).
Understanding Redline malware
Redline malware is a recent malware written in C# with notable growth in 2021 and disseminated using templates related to the COVID-19 pandemic. It includes modules of stealing credentials and collecting information from the infected machine and the capability to download remote files and execute additional payloads, including other malware.
In general, users should be trained against threats of this nature and focus on the social engineering schemas that proliferate via email. The email continues to be the most used vehicle for distributing malicious campaigns in the wild, especially messages with hardcoded URLs or files attached that can lead to the deployment of malicious payloads.
Let’s take malware protection seriously and stop from scratch the dissemination of these kinds of threats with practical awareness training.
Sources
- New Redline Password Stealer Malware, Proofpoint
- Redline Stealer, CyberInt
- Redline Trend, AnyRun
- HER analysis, Segurança-Informática
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Redline stealer malware: Full analysis
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
- What is Operation Dream Job by Lazarus?
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis