Recently Cyble Research Lab has identified that the Threat Actor (TA) behind RedLine Stealer malware provides their service through Telegram, as shown in Figure 1. This malware belongs to the stealer family and can steal various victims’ data, including browser credentials, cookies, system information, processor details, etc. The rich feature of this stealer makes it popular.
RedLine Stealer has been active in the market since 2020 and is targeting victims using various applications and methods that include phishing. Cyble Research Lab has chosen one of the many available samples available on the surface web on which to perform our analysis.
Technical Analysis
Cyble Research Lab analysis starts with static analysis. In Figure 2, we can see that the RedLineStealer executable is a Windows-based x86 architecture graphical user interface (GUI) application written in the .NET language.
Upon execution of the malware, it creates a subprocess with the same name as shown in Figure 3.
In Figure 4, we can see the overall activity of the malware after execution.
The malware sent the XML data shown in Table 1 to our fake Command & Control (C2) Server shown in Figure 5.
| <s:Envelope xmlns:s=”http://schemas.xmlsoap.org/soap/envelope/”><s:Body><CheckConnect xmlns=”http://tempuri.org/”/></s:Body></s:Envelope> |
When we decompiled the malware, the code did not appear malicious – in the code, some modules referenced the name TicTacToe, as shown in Figure 6.
However, our analysis leads to the code shown in Figure 7, indicating that the code might have used the Reflection method to load the Stealer functionality dynamically.
While performing the network analysis, we found that the malware was trying to communicate to the domain name mentioned in Table 2.
| URL | Description |
| newlife957[.]duckdns[.]org[:]7225 | Attacker’s C2 |
| api[.]ip[.]sb | Legitimate Website |
The malware used api[.]ip[.]sb to get the victim’s public IP address. Additionally, as shown in Figure 8, the malware triggered a Domain Name System (DNS) request for resolving the IP address of api[.]ip[.]sb.
Initially, when the malware tries to communicate with the attacker’s C2, the C2 sends the result with <CheckConnectResult> tag with the value true to let the malware know the C2 is up and running, as shown in Figure 9.
The malware then sends Request for EnvironmentSettings to the attacker, as shown in Figure 10.
Once the C2 receives the above request, it sends the configuration details to the malware consisting of the data required by the C2 as a response. The response we can see in Figure 11.
The C2 has provided the response in XML format to the malware; these details act as a configuration and commands. The Response details are shown in Table 3.
| Tags | Description |
| BlockedCountry | The List of Country which needs to blacklist by malware |
| BlockedIP | The List of IP which needs to blacklisted by malware |
| Object4 | True |
| Object6 | False |
| ScanBrowsers | Flag for telling the malware for scanning the browsers. |
| ScanChromeBrowsersPaths | List of Browser Path |
| ScanDiscord | Flag for telling the malware for scan for Discord. |
| ScanFTP | Flag for telling the malware for scan for SFTP. |
| ScanFiles | Flag for telling the malware to scan the files |
| ScanFilesPaths | List of extensions which malware needs to search in Current user Desktop and Document Folder |
| ScanGeckoBrowsersPaths | List of Gecko Browsers Path |
| ScanScreen | Flag for Capturing the Current Screen |
| ScanSteam | Flag for enabling Steam |
| ScanTelegram | Flag for Scan Telegram files for credentials. |
| ScanVPN | Flag for Scanning the VPN files for credentials. |
| ScanWallets | Flag for Scanning the various wallets present in the victim’s machine. |
Once the malware receives the response, it collects the data shown in Table 4 and sends it to TA C2.
| Tags | Description |
| City | The Victim City |
| Country | The Victim’s Country |
| File Location | The Full path from where the malware has been executed |
| Hardware | Victim’s Hardware Information |
| IPv4 | Public IP of the Victim |
| Language | The Victim’s OS language |
| MachineName | The Victim Machine Name |
| Monitor | The Screenshot of the current Window |
| OSVersion | Victim’s OS Details |
| AvailableLanguages | Supported languages by the OS |
| ScannedBrowser | Get the Details like Browser Name, Profile, CC, Cookies and Login Credentials. |
| FtpConnections | FTP details are present in the Victim machine |
| GameChatFiles | Chat Files of Games |
| GameLauncherFiles | Game Launcher Files List |
| InstalledBrowsers | Installed Browsers List |
| MessageClientFiles | MessagingClientFiles |
| Nord | NordVPN Credentials |
| Open | OpenVPN Credentials |
| Processes | List of Processes |
| ScannedFiles | Files found by the malware and uploaded on the C2 URL |
| ScannedWallets | Get the details of wallets available on the victim system. |
| SecurityUtils | Windows defender |
| Softwares | Software List |
| SystemHardwares | Details like RAM, Processor, Graphic Memory etc |
| ScreenSize | The Victim’s Screen Size |
| SeenBefore | New Victim or Old? |
| TimeZone | TimeZone of Victim |
| ZipCode | Pin/Zip Code of the Victim |
The Sample Packet which the malware has triggered to the C2 URL is shown in Figure 12.
The details shown in Tables 3 and 4 have subtags as well. These subtags include browser list, VPN supported list, etc. For example, in Table 5, we have shown the top 5 browsers supported by RedLine Stealer.
| Top 5 Browser List |
| Google Chrome |
| Opera |
| Chromium |
| 360Browser |
| Chromodo |
Conclusion
RedLine Stealer malware stands out in the stealer family because of its rich capabilities; the stealer payload has been used in multiple forms like crack tools and is available on the surface web. Also, the TA behind RedLine Stealer is active and selling this malware as a service.
Cyble Research Labs is continuously monitoring security threats, whether they are ongoing or emerging. We will continue to update our readers with our latest findings.
Our Recommendations
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.   
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Credential Access | T1555 T1539 T1552 | Credentials from Password Stores Steal Web Session Cookie Unsecured Credentials |
| Collection | T1113 | Screen Capture |
| Discovery | T1087 T1518 T1057 T1124 T1007 T1614 T1120 | Account Discovery Software Discovery Process Discovery System Time Discovery System Service Discovery System Location Discovery Peripheral Device Discovery |
| Command and Control | T1571 T1095 | Non-Standard Port Non-Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| newlife957[.]duckdns[.]org[:]7225 | URL | C2 URL |
| 76ca4a8afe19ab46e2f7f364fb76a166ce62efc7cf191f0f1be5ffff7f443f1b | Hash | SHA-256 |
| 258445b5c086f67d1157c2998968bad83a64ca3bab88bfd9d73654819bb46463 | Hash | SHA-256 |
| 1741984cc5f9a62d34d180943658637523ac102db4a544bb6812be1e0507a348 | Hash | SHA-256 |
| ee4608483ebb8615dfe71924c5a6bc4b0f1a5d0eb8b453923b3f2ce5cd00784b | Hash | SHA-256 |
| 9dc934f7f22e493a1c1d97107edc85ccce4e1be155b2cc038be8d9a57b2e430f | Hash | SHA-256 |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com. 
Comments are closed.