See Cynet 360 AutoXDR™ in Action

Prefer a one-on-one demo? Click here

By clicking next I consent to the use of my personal data by Cynet in accordance with Cynet's Privacy Policy and by its partners

Request a Demo

Attack Techniques - Hands On

Brought to you by Cynet's CyOps Center

Cynet's 24/7 MDR with the latest security updates and reports

Download the Cyops Solution Brief

RedLine is on track, Next stop – Your credentials

Written by: Eldar Azan and Ronen Ahdut

Introduction

RedLine stealer was first discovered in early 2020. It is a highly effective info-stealer that targets user’s credentials from installed apps, website browsers, and also information about the host itself(OS, CPU, Antivirus Software used, Etc).
It is offered for sale on telegram and underground forums as “Malware as a service” (MaaS), where the users pay the fee and gain access to the entire infrastructure and run their campaign, combined with support offered for users via a dedicated telegram channel, it is one of the most common info-stealers today.

Unlocking the safe – RedLine Stealer

Over the last month, the Cynet CTI team has engaged with the popular new info stealer called RedLine, In this article, we will cover the RedLine distribution methods, known and less known vectors, and present an overview of its evolution.

Samples of RedLine malware are been uploaded daily to MalwareBazaar(by abuse.ch)

Graphical user interface, application Description automatically generated

Observing the statistics provided by ANY.RUN, RedLine is the most popular threat in the last month.

Graphical user interface Description automatically generated

 

RedLine Overview

RedLine Stealer is another Malware-as-a-Service (MaaS) that allows users to buy a limited license and use its ready-built infrastructure. RedLine aims to be easy to use and even has live support forums and a Telegram channel.

This has helped with widespread adoption, making RedLine very successful. It features a user-friendly UI that lets users with even basic knowledge manage a highly active botnet.

The output (known on darknet marketplaces as “Stealer logs”) is the result of a pre-defined configuration file that allows the stealer to act swiftly.

Stealer logs are offered for sale but might also be dumped for free. With these logs, hosts are completely compromised and cause their entire network to be vulnerable.

RedLine stealer logs for sale over XSS Telegram

Graphical user interface, text Description automatically generated

While the infrastructure is offered for sale, the buyers are mostly responsible for their distribution method. RedLine mainly spreads via phishing emails luring victims to download its payload, but recently RedLine has been seen spreading via Youtube scam videos.

While showing content related to gaming, Bitcoin, or cracking software, a download link will be posted in the description of the supposed program. Users who click the link infect themselves with the stealer.

RedLine as MaaS uses a telegram channel to support their customers:

RedLine Telegram Channel

A picture containing text Description automatically generated

Here is an example of RedLine output leak data:

RedLine Output

Graphical user interface Description automatically generated

Note that RedLine also reveals hardware and antivirus software data, which could assist attackers in the reconnaissance for a future attack.

Attackers could also search for enterprise emails, further expanding their reach without any action needed.

 

New Vector, Same Stealer – Distributed via Youtube

As mentioned above, RedLine uses a new method of camouflage for bitcoin software along with a false explanation video leading to a download link for RedLine malware:

A screenshot of a computer Description automatically generated with medium confidence

The links mentioned in the Youtube video lead to a packed RedLine malware that is deployed on the victim’s endpoint:

Packed RedLine Stealer

Graphical user interface, text, application Description automatically generated

On top of that RedLine malware is also capable of stealing stored passwords from popular web browsers such as Chrome and Edge.
Chromium-based browsers store encrypted passwords and yet RedLine can decrypt these passwords by impersonating the infected user, RedLine malware will also gather information about “blacklisted” sites which the user declines to save a password for them, this information can be very useful for the threat actors in future attacks.

RedLine logs were obtained by Bob Diachenko a security researcher who locate a server that contains over 6 million RedLine logs.

Graphical user interface, text, application Description automatically generated

 

Some of the stolen data(441,657 logs) were shared with the “Have I Been Pwned” service:

Graphical user interface, website Description automatically generated

 

Kill Chain Overview

A picture containing graphical user interface Description automatically generated

Mitre Attack-Navigator

RedLine Stealer Technical Analysis

In this case, we analyze the sample from the youtube scam video we mentioned above mapping the sample flow according to the Mitre Attack framework.

A picture containing text Description automatically generated The full process tree of the RedLine builder execution flow:

Initial access

Can be chosen by the attacker, Redline provides the panel and build maker.
The most common vector used is via phishing, but attackers get creative and upgrade their methods, as seen with the Youtube example given in the article.

Defense Evasion

Obfuscated Files or Information: Software Packing

Redline is known to use a packer to evade signature-based detections, and to harden the malware analysis procedure.
While users can use their desired packer, we have witnessed a high use of the VMProtect packer.

First, the RedLine packed version is a 32bit PE file that contains high entropy and packed sections:

Graphical user interface, website Description automatically generated

Second, the unpacked version of RedLine is a 64bit PE file that contains high entropy and VMProtection:

A screenshot of a computer Description automatically generated with medium confidence

Entropy is the measure of randomness in relation to the set of data, it is measured on a scale of 0-8.
The more random the data, the higher the entropy.
This generally suggests a packed file, one that will require a dynamic analysis.
Worth mentioning, high entropy and packed files exist in legitimate processes as well, But usually files with entropy higher than 7.2 are marked as suspicious and are probably packed/obfuscated.

VMProtect is a software that can assist to protect the developer’s code from being executed on a virtual machine which makes reverse engineering quite difficult because of the complicity to read the obfuscated data.

Impair Defenses: Disable or modify tools

RedLine is using a known method to impair defenses adding directories for exclusions in the Windows Defender Anti Virus, by doing that these folders can be used to execute the malicious activity in addition another command is been executed for specific extensions every executable or DLL file that will be executed from those directories will be ignored by the AV:

Masquerading: Match Legitimate Name or Location

Legitimate names were observed using the names “sihost32.exe” and “services32.exe”:

Calendar Description automatically generated

This is done by the attackers for evading defenses and maintaining a low profile.

 

Persistence

The purpose of the persistency technique is used by the malware author to maintain the malware foothold on the endpoint and ensure lifeline in case of any interruptions during the execution flow and complete the task after reboot, etc…, This technique could be implemented via known common methods such as Registry Keys, Schedule Task, DLLs Applications, Startup Folders, Process Injections and more.

In this case, we are witnessing the persistence of the RedLine malware in two methods:

Text, table Description automatically generated Adding the malware payload to the Run key.

Graphical user interface, text, application Description automatically generated Abusing Windows Task Scheduler service to gain persistency on every logon.

Cynet360 VS RedLine

The CyOps team is working around the clock to enhance detections and design new ones by implementing IOCs, memory patterns SSDEEP, etc.

As you can see below we took a sample of RedLine and executed it in our labs.
Note that our environment action is set to alert only, so as not to interrupt the stealer flow.
This lets Cynet detect every step of the attack.

File Dumped on the Disk
– Cynet’s AV/AI engine detects a malicious file that was dumped on the disk:

A screenshot of a computer Description automatically generated with medium confidence

A screenshot of a computer Description automatically generated with medium confidence

A screenshot of a computer Description automatically generated with medium confidence

 

Process Monitoring CyAlert Heuristic Activity – Suspicious Conhost Process

Graphical user interface, text, application Description automatically generated

 

Process Monitoring CyAlert Heuristic Activity – Reg Add Run Key Persistence

Graphical user interface, text, application Description automatically generated

 

RedLine telemetry data by Cynet360

Besides the Cynet360 detection mechanism, Cynet360 offers a File Monitor feature that can collect forensic data and monitor files within the system.

Persistency registry key added through command-line utility:

PowerShell execution commands to impair defenses:

Behind enemy lines – RedLine Stealer Cracked version

As mentioned earlier, Redline offers high availability for anyone who is willing to pay for it, with a support bot on telegram and a vast network of users, Redline is one of the most common MaaS available.

Cracked versions started also to appear online, this has strengthened Redline’s usage by non-paying users as well, with the option of running the malware without the need to pay for it- resulting in a higher than already Redline user.

To better understand Redline, we wanted to try it ourselves.

We were able to retrieve a cracked version of the infamous stealer from an underground forum:

Text Description automatically generated

With it, we can get a better understanding of how it behaves, its features, and its effectiveness.

The cracked version offers a glimpse into Redline’s Panel from the attacker’s point of view, after successfully installing and executing it, we are greeted with the following :

Text Description automatically generated with low confidence

Redline’s operator panel:

A screenshot of a computer Description automatically generated

As seen above, Redline offers more than just information theft, browsing the different modules we can see :
Loader tasks:

A screenshot of a computer Description automatically generated with medium confidence

We can see that the loader module offers more advanced post-infection capabilities such as:

  • Downloading a file to the host
  • Downloading and executing a file
  • Open the desired link
  • Open CMD on the host
  • Another option is called RunPE.

Redline comes with an informative guide both in English and Russian, in it we can see RunPE’s capabilities:

The user guide also provides examples for each loader capability, RunPE’s example:

Graphical user interface, text Description automatically generated

Apart from simply downloading and running a file on an infected host, Redline offers process injection capabilities, making it much more than just a stealer.

The Builder module allows the attacker to make desired builds of the malware:

A screenshot of a computer Description automatically generated with medium confidence

According to the guide, users can make different builds for different targets, this way they can better differentiate the output from each infected host/group.

Settings:

Under the setting section, users can choose which stealer modules will be active, as well as supply desired files and domains that are targeted:

A screenshot of a computer Description automatically generated with medium confidence

Loader Tasks Dive

As mentioned above Redline is offering more tasks options that can be modified before the creation of the builder.

Open link

One of the tasks that Redline offer is to deploy any site on the victim endpoint, this task will launch the site by the builder:
Graphical user interface, application Description automatically generated

As expected when the builder is executed the site is opened by the default web browser on the machine:
Graphical user interface, website Description automatically generated

This capability can be used for credentials theft or to perform other malicious content.

Command Line

One of the most powerful tasks the Redline control panel has is the command-line utility which can be used for Remote Code Execution(RCE) which can be configured easily by these steps:

Graphical user interface, application Description automatically generated

As excepted once the builder executes we received an output:

Graphical user interface, application Description automatically generated

Conclusion

Redline has evolved from “just” a stealer, into a fully capable botnet.
Its characteristics, price, availability online, online\offline(detailed FAQ readme file) support, has made Redline the number one stealer currently active.

Unlike large threat actors who usually don’t share their tools, Redline is available to everyone willing to pay( or find the cracked version), this gives enormous power to the users.
Some Redline users have a habit of sharing the most recent logs on underground forums, attackers can use those logs to infiltrate networks using the compromised credentials.

All of the mentioned above makes Redline shine in the threat landscape, and due to the analysis presented above, Redline steps up and earns its place next to the top threats In todays threat landscape.

 

 

Let’s Get Started

Ready to extend visibility, threat detection and response?

Request a Demo