Mayakshi
cyfirma
17 Sept 2023
RedLine Stealer was first discovered in March 2020 and is one of the most widely used information-stealer malware families. It is designed to steal sensitive information from compromised systems and is sold by cybercriminals on underground forums as MaaS (malware-as-a-service). Threat actors favour RedLine Stealer because of its availability and flexibility. The malware harvests information from web browsers, such as saved credentials and payment card details. It also profiles the system, collecting the username, hardware configuration, installed general and security software, installed VPN clients, network configuration and cryptocurrency-related data, and sends the stolen information to the adversary.
RedLine is an information stealer distributed under a MaaS (malware-as-a-service) model, and it can cause significant damage to organizations and end users. It is delivered through various means, and the threat actors behind it continuously change their techniques so that it stays undetected for extended periods. Its sale on underground forums puts it within reach of a wide range of cybercriminals.
The best way to protect an organization and its end users from RedLine Stealer is to treat suspicious links and files received by email with caution. Users should be aware that even trustworthy-looking sources can lead to infection and data theft. Hardening system, network and application security reduces the risk of infection, and up-to-date anti-malware software together with an adaptive organizational security policy is essential for effective protection.
REDLINE STEALER CAPABILITIES
Analysis of RedLine Stealer and the data extracted from it reveals the following capabilities:
Credential stealing
Capable of extracting sensitive data from web browsers, email clients and other communication apps
Harvesting system user data
Targets financial data, such as cryptocurrency wallets and saved credit card data
Steals network and FTP login information
Looks for documents at various locations on the compromised system
Exfiltrates hardware and installed-software information
Steals VPN configuration data
Looks for stored cryptographic certificates
Collects information for system profiling, such as location data, IP address, city, country and language
Exfiltrates the gathered data to the adversary at regular intervals
KEY FINDINGS
RedLine Stealer is an emerging stealer malware family distributed under the guise of fake documents or software.
It uses multi-level obfuscation to avoid detection.
Uses an obfuscated PowerShell script as a dropper and to execute the malware.
Drops the malware hidden as an operating-system-protected file.
Copies the legitimate PowerShell executable to the current working directory under a different name and runs it so that the child process appears legitimate.
It is capable of extracting sensitive data from a wide range of sources such as web browsers, email clients and messaging apps.
Looks for financial data such as saved card details and cryptocurrency wallet databases.
Searches the compromised system for installed software, system certificates, data on connected phones, VPN clients, text and office documents, wallets and seed information.
It can steal user-specific data stored by the FileZilla FTP client.
Also gathers various information about the compromised system, including IP address, location, username, operating system version and system configuration.
Exfiltrates the gathered data to the adversary at regular intervals.
The IP address of the RedLine Stealer C2 server is “80[.]85[.]152[.]191[:]27465” and belongs to the host “kosarrezanezhad2022[.]pserver[.]space”.
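The findings above give a defender three concrete things to hunt for in endpoint telemetry: a PowerShell binary running under a different file name, an obfuscated or encoded PowerShell command line, and connections to the C2 indicator. The following is an added example written for this page, not code from CYFIRMA or from the malware analysis. It assumes Sysmon-style field names (EventId 1 process creation with Image, OriginalFileName and CommandLine; EventId 3 network connection with DestinationIp, DestinationPort and DestinationHostname); the events themselves are constructed, not real telemetry, and the only real values are the defanged C2 indicators quoted from the report.

```python
"""Defender checks for the RedLine Stealer tradecraft described in the report.

Constructed Sysmon-style events (not real telemetry) are run through three
checks: a renamed PowerShell binary, an encoded PowerShell command line, and
a connection to the report's C2 indicator.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Indicators copied from the report, kept in their defanged form.
C2_DEFANGED = "80[.]85[.]152[.]191[:]27465"
C2_HOST_DEFANGED = "kosarrezanezhad2022[.]pserver[.]space"

# Embedded OriginalFileName values of the PowerShell hosts (Windows PowerShell
# reports PowerShell.EXE; PowerShell 7's pwsh.exe reports pwsh.dll).
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}
POWERSHELL_IMAGE_NAMES = {"powershell.exe", "pwsh.exe"}

# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 token.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def refang(indicator: str) -> str:
    """Turn the report's defanged notation back into a matchable string."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def split_hostport(value: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' into (host, port); port is None when absent."""
    host, _, port = value.partition(":")
    return host, int(port) if port.isdigit() else None


def renamed_powershell(event: Dict) -> bool:
    """True when the PE's embedded name says PowerShell but the on-disk file
    name does not: the 'copy powershell.exe under another name' technique."""
    original = event.get("OriginalFileName", "").lower()
    image_name = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    return original in POWERSHELL_ORIGINAL_NAMES and image_name not in POWERSHELL_IMAGE_NAMES


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Decode an -EncodedCommand payload (base64 of UTF-16LE) for analyst
    review; None when the command line carries none or it does not decode."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def matches_c2(event: Dict) -> bool:
    """Match a network event against the report's IP:port or hostname indicator."""
    c2_ip, c2_port = split_hostport(refang(C2_DEFANGED))
    if event.get("DestinationIp") == c2_ip and event.get("DestinationPort") == c2_port:
        return True
    hostname = event.get("DestinationHostname", "").lower().rstrip(".")
    return hostname == refang(C2_HOST_DEFANGED).lower()


def triage(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (event index, reason) pairs for every event that trips a check."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventId") == 1:
            if renamed_powershell(ev):
                findings.append((i, "renamed powershell"))
            decoded = decode_encoded_command(ev.get("CommandLine", ""))
            if decoded is not None:
                findings.append((i, f"encoded command: {decoded}"))
        elif ev.get("EventId") == 3 and matches_c2(ev):
            findings.append((i, "connection to RedLine C2 indicator"))
    return findings


# Constructed sample events: one renamed PowerShell with an encoded command,
# one legitimate PowerShell run, one C2 connection, one benign connection.
_ENCODED = base64.b64encode("Start-Process update.exe".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Users\user\Downloads\wupdate.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "wupdate.exe -nop -w hidden -enc " + _ENCODED},
    {"EventId": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"EventId": 3, "Image": r"C:\Users\user\Downloads\wupdate.exe",
     "DestinationIp": "80.85.152.191", "DestinationPort": 27465, "DestinationHostname": ""},
    {"EventId": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "DestinationHostname": "example.com"},
]

if __name__ == "__main__":
    for index, reason in triage(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

The OriginalFileName check is the durable one: renaming the file changes Image but not the name embedded in the PE's version resource, so it survives whatever name the dropper picks. The hostname comparison is deliberately exact rather than a substring match, so that an unrelated name under the same hosting provider does not trigger it.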