
RedLine Stealer: A New Variant Surfaces, Deploying Using Batch Script

cyfirma

17 Sept 2023

RedLine Stealer was first observed in March 2020 and is one of the most widely used information stealers. It is designed to harvest sensitive data from compromised systems and is sold by cybercriminals on underground forums under a malware-as-a-service (MaaS) model; its availability and flexibility are the main reasons threat actors keep adopting it. The malware collects saved credentials and payment card details from web browsers, profiles the host (username, hardware configuration, installed software and security products, installed VPN clients, network configuration) and searches for cryptocurrency-related data, then sends everything it has gathered to the operator.

Because RedLine is offered as a service, it reaches a large number of affiliates and can cause significant damage to both organizations and end users. It is distributed through a variety of channels, and the operators keep changing the delivery and obfuscation techniques so that each new variant stays undetected for as long as possible. Its continued sale on underground forums lowers the barrier for less skilled cybercriminals to run stealer campaigns.


The most effective protection for organizations and end users is caution with suspicious links and attachments received by email, bearing in mind that even an apparently trustworthy sender can be the source of an infection and subsequent data theft. Hardening the system, the network and applications reduces the risk of a successful infection, and up-to-date anti-malware software combined with an organizational security policy that adapts to new variants is essential for effective defense.


RedLine Stealer CAPABILITIES

Analysis of the RedLine Stealer sample reveals its functionality. Based on that analysis and the data it extracts, the malware has the following capabilities:

  • Credential stealing

  • Extracts sensitive data from web browsers, email clients and other communication applications

  • Harvests system user data

  • Targets financial data such as cryptocurrency wallets and saved credit card details

  • Steals network and FTP login information

  • Searches for documents in various locations on the compromised system

  • Exfiltrates hardware and installed-software information

  • Steals VPN configuration data

  • Looks for stored cryptographic certificates

  • Collects information for system profiling, such as location data, IP address, city, country and language

  • Exfiltrates the gathered data to the adversary at regular intervals


KEY FINDINGS

  • RedLine Stealer is one of the most active stealer families and is distributed under the guise of fake documents or software.

  • It uses multiple layers of obfuscation to evade detection.

  • An obfuscated PowerShell script acts as the dropper and executes the malware.

  • The dropped malware is written with the hidden and system file attributes set, so Explorer treats it as a protected operating system file and hides it by default.

  • The legitimate PowerShell executable is copied to the current working directory under a different name and run from there, so the child process looks like a legitimate binary while the name hides its origin.

  • It extracts sensitive data from a wide range of sources, including web browsers, email clients and messaging applications.

  • It looks for financial data such as saved card details and cryptocurrency wallet databases.

  • It searches the compromised system for installed software, system certificates, data about connected phones, VPN clients, text and office documents, wallets and seed phrases.

  • It steals user-specific data stored by the FileZilla FTP client.

  • It also gathers information about the compromised host, including IP address, location, username, operating system version and system configuration.

  • The gathered data is exfiltrated to the adversary at regular intervals.

  • The RedLine Stealer C2 server for this variant is "80[.]85[.]152[.]191[:]27465", which resolves from the host "kosarrezanezhad2022[.]pserver[.]space".
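Three of the findings above leave host-level artefacts a responder can look for: a renamed copy of powershell.exe in a user-writable directory (and a running process backed by it), executable or script files dropped with the hidden and system attributes set, and connections to the reported C2 endpoint. The following PowerShell triage script is an added example written for this page; it is not code from the CYFIRMA report or from the malware. The scan root, the extension filter, the variable names and the decision to hash every .exe under the profile are assumptions; the C2 address is the one reported above, written in plain form here so it can be matched against live connections.

```powershell
# Added triage script (not from the CYFIRMA report). Assumptions are marked inline.
param(
    [string]$ScanRoot  = $env:USERPROFILE,  # assumption: user-writable tree a dropper would use
    [string]$C2Address = "80.85.152.191",   # C2 IP reported on this page (defanged in the text)
    [int]   $C2Port    = 27465
)

$findings = New-Object System.Collections.Generic.List[object]

# Hashes of the legitimate PowerShell hosts; a renamed copy is byte-identical to one of these.
$legitHosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
) | Where-Object { Test-Path $_ }
$legitHashes = $legitHosts | ForEach-Object { (Get-FileHash -Algorithm SHA256 -Path $_).Hash }

# 1. Renamed copies of powershell.exe on disk under the scan root.
Get-ChildItem -Path $ScanRoot -Recurse -File -Filter *.exe -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName -ErrorAction SilentlyContinue).Hash
        if ($h -and ($legitHashes -contains $h) -and $_.Name -ne "powershell.exe") {
            $findings.Add([pscustomobject]@{
                Type = "RenamedPowerShellCopy"; Where = $_.FullName; Detail = "SHA256 $h" })
        }
    }

# 2. Running processes whose image is powershell.exe but whose name is not.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.ProcessName -notin @("powershell", "pwsh") } |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -Path $_.Path -ErrorAction SilentlyContinue).Hash
        if ($h -and ($legitHashes -contains $h)) {
            $findings.Add([pscustomobject]@{
                Type = "DisguisedPowerShellProcess"; Where = "PID $($_.Id) $($_.Path)"
                Detail = "CommandLine: $((Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)").CommandLine)" })
        }
    }

# 3. Executables/scripts dropped with Hidden+System set (what Explorer calls
#    "protected operating system files"). The extension filter (assumption) keeps
#    legitimate desktop.ini / ntuser.dat style files out of the results.
$suspectExt = @(".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js")
Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
        $_.Attributes.HasFlag([IO.FileAttributes]::System) -and
        ($suspectExt -contains $_.Extension.ToLower())
    } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Type = "HiddenSystemDrop"; Where = $_.FullName
            Detail = "Attributes $($_.Attributes), modified $($_.LastWriteTimeUtc.ToString('u'))" })
    }

# 4. Any TCP connection to the reported C2 endpoint, with the owning process.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $C2Address -and $_.RemotePort -eq $C2Port } |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add([pscustomobject]@{
            Type = "C2Connection"; Where = "PID $($_.OwningProcess) $($owner.Path)"
            Detail = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State))" })
    }

if ($findings.Count -eq 0) { "No RedLine artefacts found under $ScanRoot" }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt so the owning process of each connection and every user directory can be read. The hash comparison only catches copies that are byte-identical to the installed PowerShell host, which is exactly the behaviour described above; an attacker who patches a single byte of the copy evades check 1 and 2, so treat a hit as confirmation rather than the absence of hits as a clean bill of health. Check 4 only sees connections that exist at the moment the script runs; for historical coverage, match the same address and port in proxy, firewall or Sysmon event ID 3 logs instead.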

