Cyble-RedLine-Steale-Malware-Telegram

A Deep-dive Analysis of RedLine Stealer Malware

Recently Cyble Research Lab has identified that the Threat Actor (TA) behind RedLine Stealer malware provides their service through Telegram, as shown in Figure 1. This malware belongs to the stealer family and can steal various victims’ data, including browser credentials, cookies, system information, processor details, etc. The rich feature of this stealer makes it popular.

Figure 1 Telegram Channel of RedLine Stealer

RedLine Stealer has been active in the market since 2020 and is targeting victims using various applications and methods that include phishing. Cyble Research Lab has chosen one of the many available samples available on the surface web on which to perform our analysis.

Technical Analysis

Cyble Research Lab analysis starts with static analysis. In Figure 2, we can see that the RedLineStealer executable is a Windows-based x86 architecture graphical user interface (GUI) application written in the .NET language.

Figure 2 Static details of RedLine Stealer

Upon execution of the malware, it creates a subprocess with the same name as shown in Figure 3.

Figure 3 Process tree of RedLine Stealer

In Figure 4, we can see the overall activity of the malware after execution.

Figure 4 Execution flow of the RedLine Stealer

The malware sent the XML data shown in Table 1 to our fake Command & Control (C2) Server shown in Figure 5.

<s:Envelope xmlns:s=”http://schemas.xmlsoap.org/soap/envelope/”><s:Body><CheckConnect xmlns=”http://tempuri.org/”/></s:Body></s:Envelope&gt;
Table 1 Malware sends the XML data to C2
Figure 5 RedLine Stealer captured

When we decompiled the malware, the code did not appear malicious – in the code, some modules referenced the name TicTacToe, as shown in Figure 6.

Figure 6 Decompiled Code of RedLine Stealer

However, our analysis leads to the code shown in Figure 7, indicating that the code might have used the Reflection method to load the Stealer functionality dynamically.

Figure 7 Reflection Code

While performing the network analysis, we found that the malware was trying to communicate to the domain name mentioned in Table 2.

URLDescription
newlife957[.]duckdns[.]org[:]7225Attacker’s C2
api[.]ip[.]sbLegitimate Website
Table 2 Malware communication URL’s

The malware used api[.]ip[.]sb to get the victim’s public IP address. Additionally, as shown in Figure 8, the malware triggered a Domain Name System (DNS) request for resolving the IP address of api[.]ip[.]sb.

Figure 8 DNS Query for api[.]ip[.]sb

Initially, when the malware tries to communicate with the attacker’s C2, the C2 sends the result with <CheckConnectResult> tag with the value true to let the malware know the C2 is up and running, as shown in Figure 9.

Figure 9 Initial Handshake between malware and C2

The malware then sends Request for EnvironmentSettings to the attacker, as shown in Figure 10.

Figure 10 Second Request triggered from malware

Once the C2 receives the above request, it sends the configuration details to the malware consisting of the data required by the C2 as a response. The response we can see in Figure 11.

Figure 11 The Response received from C2 of C2 Request

The C2 has provided the response in XML format to the malware; these details act as a configuration and commands. The Response details are shown in Table 3.

TagsDescription
BlockedCountryThe List of Country which needs to blacklist by malware
BlockedIPThe List of IP which needs to blacklisted by malware
Object4True
Object6False
ScanBrowsersFlag for telling the malware for scanning the browsers.
ScanChromeBrowsersPathsList of Browser Path
ScanDiscordFlag for telling the malware for scan for Discord.
ScanFTPFlag for telling the malware for scan for SFTP.
ScanFilesFlag for telling the malware to scan the files
ScanFilesPathsList of extensions which malware needs to search in Current user Desktop and Document Folder
ScanGeckoBrowsersPathsList of Gecko Browsers Path
ScanScreenFlag for Capturing the Current Screen
ScanSteamFlag for enabling Steam
ScanTelegramFlag for Scan Telegram files for credentials.
ScanVPNFlag for Scanning the VPN files for credentials.
ScanWalletsFlag for Scanning the various wallets present in the victim’s machine.
Table 3 Commands/Configuration received from C2

Once the malware receives the response, it collects the data shown in Table 4 and sends it to TA C2.

TagsDescription
CityThe Victim City
CountryThe Victim’s Country
File LocationThe Full path from where the malware has been executed
HardwareVictim’s Hardware Information
IPv4Public IP of the Victim
LanguageThe Victim’s OS language
MachineNameThe Victim Machine Name
MonitorThe Screenshot of the current Window
OSVersionVictim’s OS Details
AvailableLanguagesSupported languages by the OS
ScannedBrowserGet the Details like Browser Name, Profile, CC, Cookies and Login Credentials.
FtpConnectionsFTP details are present in the Victim machine
GameChatFilesChat Files of Games
GameLauncherFilesGame Launcher Files List
InstalledBrowsersInstalled Browsers List
MessageClientFilesMessagingClientFiles
NordNordVPN Credentials
OpenOpenVPN Credentials
ProcessesList of Processes
ScannedFilesFiles found by the malware and uploaded on the C2 URL
ScannedWalletsGet the details of wallets available on the victim system.
SecurityUtilsWindows defender
SoftwaresSoftware List
SystemHardwaresDetails like RAM, Processor, Graphic Memory etc
ScreenSizeThe Victim’s Screen Size
SeenBeforeNew Victim or Old?
TimeZoneTimeZone of Victim
ZipCodePin/Zip Code of the Victim
Table 4 Details shared by the malware to C2

The Sample Packet which the malware has triggered to the C2 URL is shown in Figure 12.

Figure 12 Victim’s details sent to C2 URL

The details shown in Tables 3 and 4 have subtags as well. These subtags include browser list, VPN supported list, etc. For example, in Table 5, we have shown the top 5 browsers supported by RedLine Stealer.

Top 5 Browser List
Google Chrome
Opera
Chromium
360Browser
Chromodo
Table 5 Top 5 browsers list

Conclusion

RedLine Stealer malware stands out in the stealer family because of its rich capabilities; the stealer payload has been used in multiple forms like crack tools and is available on the surface web. Also, the TA behind RedLine Stealer is active and selling this malware as a service.

Cyble Research Labs is continuously monitoring security threats, whether they are ongoing or emerging. We will continue to update our readers with our latest findings.

Our Recommendations

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:

  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.    
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Conduct regular backup practices and keep those backups offline or in a separate network.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1566Phishing
ExecutionT1204User Execution
Credential AccessT1555
T1539
T1552
Credentials from Password Stores
Steal Web Session Cookie
Unsecured Credentials
CollectionT1113Screen Capture
DiscoveryT1087
T1518
T1057
T1124
T1007
T1614
T1120
Account Discovery
Software Discovery
Process Discovery
System Time Discovery
System Service Discovery
System Location Discovery
Peripheral Device Discovery
Command and ControlT1571
T1095
Non-Standard Port
Non-Application Layer Protocol
ExfiltrationT1041Exfiltration Over C2 Channel  

Indicators of Compromise (IoCs):  

IndicatorsIndicator typeDescription
newlife957[.]duckdns[.]org[:]7225URLC2 URL
76ca4a8afe19ab46e2f7f364fb76a166ce62efc7cf191f0f1be5ffff7f443f1bHashSHA-256
258445b5c086f67d1157c2998968bad83a64ca3bab88bfd9d73654819bb46463HashSHA-256
1741984cc5f9a62d34d180943658637523ac102db4a544bb6812be1e0507a348HashSHA-256
ee4608483ebb8615dfe71924c5a6bc4b0f1a5d0eb8b453923b3f2ce5cd00784bHashSHA-256
9dc934f7f22e493a1c1d97107edc85ccce4e1be155b2cc038be8d9a57b2e430fHashSHA-256

 

About Us 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.  

%d bloggers like this: