RedLine
Type of Malware: InfoStealer
Country of Origin: Unknown
Date of Initial Activity: 2020
Targeted Countries: Global
Additional Names: RECORDSTEALER
Motivation: Data Theft
Attack Vectors: Phishing
Targeted Systems: Windows
Type of Information Stolen: Browser Information, Cryptocurrencies, Login Credentials, System Information
Overview
RedLine Stealer is a trending infostealer that was first observed in March 2020. Sold as Malware-as-a-Service (MaaS) and often distributed via malicious email attachments, it has all the capabilities of a modern infostealer: web browser information collection (credit card details, session cookies and autocomplete data), harvesting of cryptocurrency wallets, the ability to download additional payloads, and more.
Targets
RedLine targets regular users. The list of cryptocurrency wallets targeted by RedLine Stealer includes Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, and Jaxx. Targeted VPN clients are ProtonVPN, OpenVPN, and NordVPN. It also targets all Gecko-based and Chromium-based web browsers.
Tools/ Techniques Used
The vehicle criminals use to disseminate the RedLine stealer is email. A malicious, convincing message is sent along with a URL that downloads the binary, which is then installed on the target machine. Healthcare (taking advantage of the COVID-19 situation) and manufacturing were two industry sectors affected by this threat in the last few months.
This malware is written in C# and uses a SOAP API to establish communication with its C2 server. The stealer takes advantage of the Telegram API to notify criminals about new infections in a simple way. After receiving a ping via a Telegram channel, criminals can interact with the RedLine agent installed on the victim's device using the C2 panel, which runs on a Windows machine.
The command and control server is also written in C#, and its communication is based on a WSDL-described SOAP API used to interact with the malicious agents. In addition, the C2 panel can execute additional payloads on the agent side and even open specific URLs in the default web browser.
Although this malware is equipped with many of the modern features observed on stealers of this nature, RedLine does not use cryptography to create a secure channel when it communicates with the C2 server. All packets and data can therefore be identified at the network layer, and security appliances can detect it with custom rules written for this traffic.
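The last paragraph is the one defenders can act on directly: because the agent talks SOAP over a cleartext channel, the envelope and its headers are visible on the wire, and a rule that keys on "SOAP where no SOAP belongs" catches it. The following is an added example, not RedLine's code nor a rule from the page or any vendor. It parses raw HTTP/1.x requests, recognises a SOAP envelope by the generic SOAP 1.1/1.2 namespaces (which are real W3C/xmlsoap identifiers, not RedLine-specific indicators), and flags cleartext SOAP POSTs to hosts outside a hypothetical allowlist, with a stronger label when the destination is a raw IP address. The allowlist host, the sample requests and the `urn:example-action` SOAPAction value are all constructed for the example.

```python
"""Flag cleartext SOAP command-and-control traffic in captured HTTP requests.

Added example for illustration only. Assumptions (not from the page):
- ALLOWED_SOAP_HOSTS is a hypothetical allowlist of legitimate SOAP services.
- SAMPLE_REQUESTS are constructed captures; 192.0.2.10 is a TEST-NET address.
- Detection relies on the body being cleartext, exactly as the text describes;
  a TLS-wrapped C2 channel would need TLS inspection or host-reputation rules.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Generic SOAP envelope namespaces (SOAP 1.1 and SOAP 1.2). These identify any
# SOAP envelope on the wire; they are not indicators unique to RedLine.
SOAP_NAMESPACES = (
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://www.w3.org/2003/05/soap-envelope",
)

# Hypothetical allowlist: internal SOAP endpoints the organisation really runs.
ALLOWED_SOAP_HOSTS = {"erp.corp.example"}

RAW_IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


@dataclass
class HttpRequest:
    method: str
    path: str
    host: str
    headers: Dict[str, str]   # header names lower-cased
    body: str


def parse_http_request(raw: str) -> HttpRequest:
    """Split a raw CRLF-delimited HTTP/1.x request into request line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers.get("host", ""), headers, body)


def is_soap_envelope(body: str) -> bool:
    """True when the body carries a SOAP 1.1 or 1.2 envelope namespace."""
    return any(ns in body for ns in SOAP_NAMESPACES)


def classify(req: HttpRequest) -> Optional[str]:
    """Return an alert label for suspicious cleartext SOAP, or None if benign."""
    content_type = req.headers.get("content-type", "")
    looks_like_soap = "soapaction" in req.headers or (
        "xml" in content_type and is_soap_envelope(req.body)
    )
    if not looks_like_soap or req.method != "POST":
        return None
    if req.host in ALLOWED_SOAP_HOSTS:
        return None                      # known, sanctioned SOAP service
    if RAW_IP_HOST.match(req.host):
        return "cleartext-soap-to-raw-ip"    # no hostname at all: strongest signal
    return "cleartext-soap-to-unknown-host"


def scan(raw_requests: List[str]) -> List[Tuple[str, str]]:
    """Run the rule over a batch of captured requests; return (host, label) hits."""
    hits = []
    for raw in raw_requests:
        req = parse_http_request(raw)
        label = classify(req)
        if label:
            hits.append((req.host, label))
    return hits


# Constructed sample captures (not real RedLine traffic).
SAMPLE_REQUESTS = [
    # Sanctioned internal SOAP call: must not alert.
    "POST /api HTTP/1.1\r\nHost: erp.corp.example\r\n"
    "Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"urn:example-action\"\r\n\r\n"
    "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
    "<soap:Body/></soap:Envelope>",
    # Cleartext SOAP POST straight to a raw IP on a non-standard port: the
    # traffic shape the text describes for the agent-to-C2 channel.
    "POST / HTTP/1.1\r\nHost: 192.0.2.10:8080\r\n"
    "Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"urn:example-action\"\r\n\r\n"
    "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\">"
    "<s:Body/></s:Envelope>",
    # Ordinary browsing: must not alert.
    "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\nAccept: text/html\r\n\r\n",
]

if __name__ == "__main__":
    for host, label in scan(SAMPLE_REQUESTS):
        print(f"ALERT {label}: {host}")
```

The rule is deliberately built on protocol shape rather than on any string specific to one sample, so it survives the operators rebuilding the binary; the cost is that every legitimate SOAP endpoint in the environment has to be allowlisted, which is a one-time inventory exercise for most networks.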
MITRE Tactics and Techniques
Initial Access:
Phishing (T1566): RedLine malware is commonly distributed through phishing emails or malicious links designed to lure users into downloading and executing the malware.
Execution:
User Execution (T1203): RedLine often relies on user interaction to execute, such as opening a malicious email attachment or running a compromised installer.
Persistence:
Registry Run Keys / Startup Folder (T1547.001): To ensure it starts automatically, RedLine may create or modify registry entries or add shortcuts.
Privilege Escalation:
Exploitation for Client Execution (T1203): RedLine can exploit vulnerabilities in applications or operating systems to gain elevated privileges if needed.
Defense Evasion:
Obfuscated Files or Information (T1027): The malware uses obfuscation techniques to avoid detection by security tools.
Code Signing (T1116): RedLine might use code signing certificates to appear legitimate and evade security measures.
Credential Access:
Credential Dumping (T1003): RedLine targets and exfiltrates credentials stored in browsers and other applications.
Input Capture (T1056): It captures keystrokes or scrapes sensitive information from web forms.
Collection:
Data from Information Repositories (T1213): RedLine collects data from web browsers, including stored passwords and session cookies.
Clipboard Data (T1115): It may monitor and steal clipboard data, which can include sensitive information copied by the user.
Exfiltration:
Exfiltration Over Command and Control Channel (T1041): Stolen data is sent to command and control (C2) servers using encrypted communications to avoid detection.
Command and Control:
Standard Application Layer Protocol (T1071): RedLine communicates with its C2 servers using standard web protocols such as HTTP or HTTPS to blend with legitimate traffic.
References
The post Redline Stealer (Infostealer) – Malware first appeared on CyberMaterial.