Technical Analysis of the RedLine Stealer
RedLine is an information stealer sold on a malware-as-a-service (MaaS) model: it is advertised on underground forums and priced according to the buyer's needs.
Like many stealers, RedLine's developers do not ship a crypter or loader; choosing one is left to the operator. Recently CloudSEK's telemetry began picking up RedLine deployed via Regsvcs.exe on Windows systems. Regsvcs.exe is the legitimate, Microsoft-signed .NET Services Installation Tool that ships under %WINDIR%\Microsoft.NET\Framework\<version>\ (and the Framework64 counterpart), which makes it a convenient host process. The loader uses process hollowing: it spawns Regsvcs.exe in a suspended state and replaces the content of the process, maps the RedLine PE (Portable Executable) into it, and rewrites the thread context so that execution resumes at the stealer's entry point. The stealer therefore runs under the name of a legitimate signed binary. For defenders the useful consequence is that Regsvcs.exe has no reason to make outbound network connections, so a Regsvcs.exe process talking to the internet, or one whose parent is not build or installer tooling, is worth investigating. This report covers the technical analysis of the RedLine stealer, which is written in C#/.NET and is one of the most widely available commodity stealers on underground forums.
The RedLine stealer carries a built-in configuration in the form of a class named Arguments, with the following fields (the IP, ID and Message values are stored encoded, see below):
Field | Description |
---|---|
IP | C2 address the stealer connects to, from which the runtime configuration is fetched |
ID | Build identifier, used to tag infections from this build in the C2 panel |
Message | Optional decoy message shown to the user in a message box when the stealer starts |
Key | XOR key used to decode the encoded fields |
Version | Version number; selects FullInfoSender (versions above 1) or PartsSender |
The encoded configuration values are protected with two layers, base64 and XOR. To recover a value the stealer first base64-decodes the string and then XORs the result with the key, cycling the key over the data: byte i of the decoded data is XORed with key[i % key.Length]. In RedLine samples the value under the XOR layer is itself base64-encoded, so a second base64 decode yields the plaintext. Because the key simply repeats, the scheme is obfuscation rather than encryption: the Key field sits in the same class in plaintext, and a single decoded field (such as the C2 address) confirms it.
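The decode routine as an added Python example (not RedLine's code nor CloudSEK's): redline_decode base64-decodes the string, XORs it with the cycled key and base64-decodes once more, with a switch for builds that lack the inner base64 layer; redline_encode is the inverse and exists only to build the constructed test vectors. The key "K3y" and every field value below are made up.

```python
import base64


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR byte i of data with key[i % len(key)]: the key is cycled over the data."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def redline_decode(encoded: str, key: str, inner_base64: bool = True) -> str:
    """Recover a configuration field.

    Layers, outermost first: base64 -> XOR with the cycled key -> (base64 again).
    The second base64 layer is present in RedLine samples; pass inner_base64=False
    for a build that only base64-encodes and XORs the plaintext.
    """
    outer = base64.b64decode(encoded)
    inner = xor_with_key(outer, key.encode("utf-8"))
    if inner_base64:
        inner = base64.b64decode(inner)
    return inner.decode("utf-8")


def redline_encode(plaintext: str, key: str, inner_base64: bool = True) -> str:
    """Inverse of redline_decode; used here only to build constructed test vectors."""
    inner = plaintext.encode("utf-8")
    if inner_base64:
        inner = base64.b64encode(inner)
    outer = xor_with_key(inner, key.encode("utf-8"))
    return base64.b64encode(outer).decode("ascii")


def decode_arguments(arguments: dict, inner_base64: bool = True) -> dict:
    """Decode every field of an Arguments-style dict using its own plaintext Key field."""
    key = arguments["Key"]
    return {name: (value if name == "Key" else redline_decode(value, key, inner_base64))
            for name, value in arguments.items()}


# Constructed sample (not taken from a real binary): the field names follow the
# Arguments class, the values and the key are invented for this example.
SAMPLE_KEY = "K3y"
SAMPLE_ARGUMENTS = {
    "IP": redline_encode("203.0.113.10:1912", SAMPLE_KEY),
    "ID": redline_encode("build01", SAMPLE_KEY),
    "Message": redline_encode("", SAMPLE_KEY),
    "Key": SAMPLE_KEY,
    "Version": redline_encode("2", SAMPLE_KEY),
}

if __name__ == "__main__":
    for name, value in decode_arguments(SAMPLE_ARGUMENTS).items():
        print(f"{name}: {value!r}")
```

When a sample's Key does not produce readable output, try inner_base64=False before assuming a different scheme; an empty Message field decodes to an empty string in either mode.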
RedLine begins execution by checking the region of the compromised host.
The malware embeds a list of CIS countries; if the victim's locale matches one of them, the check fails and execution terminates. This is a very common behavior in malware written by actors based in CIS countries, who avoid infecting hosts in their home region.
After the region check, the stealer fetches its C2 configuration from the IP held in the built-in configuration. The exchange itself is covered in the Communication section of this report.
This configuration dictates the stealer's behavior. After receiving it, the malware parses it and stores it in an object named settings.
The file grabber configuration consists of a directory path to scan followed by a file pattern to match within that directory. In the analysed sample the malware collects all text files and documents, plus any file whose name contains the substrings key, wallet or seed.
Various applications are targeted for user data, including browsers, game launchers and VPN clients.
Various cryptocurrency wallets are targeted as well. For each wallet the configuration holds the application's name and the environment variable (such as %AppData%) under which its user data directory is searched.
The core functionality of the RedLine stealer is implemented in two classes, FullInfoSender and PartsSender, which do not depend on each other. Only one of them is instantiated, chosen by a version check: the stealer reads the Version field of the built-in configuration and uses FullInfoSender when the version is above 1, PartsSender otherwise. There is no functional difference between the two; both follow exactly the same logic.
The individual stealing routines are implemented as methods of these classes. The one capability outside their scope is command and payload execution, provided by the TaskResolver class and covered later in this report.
The stealer can load DLLs (Dynamic Link Libraries) dynamically at runtime for some of its stealing routines. The Win32 APIs LoadLibraryA and GetProcAddress are declared through P/Invoke (Platform Invocation Services), the Common Language Infrastructure (CLI) mechanism that lets managed code call native code. With these two calls the malware loads a DLL into memory and then resolves the address of a particular export in it, so the native functions it actually uses do not appear as static P/Invoke imports of the managed assembly.
Dynamic loading appears in two places: in the function that reads browser-stored data and in the function that takes a screenshot of the victim's desktop. The malware loads bcrypt.dll for the cryptographic operations it performs on browser data while stealing it.
The following functions in bcrypt.dll are resolved:
The malware loads gdi32.dll for image-related processing; this DLL is routinely used by RedLine and other malware to capture the screen. The stealer resolves the GetDeviceCaps function from it.
Further information regarding the purpose behind the use of various functions addressed will be covered in the following sections.
The stealer uses Windows Management Instrumentation (WMI) to retrieve the system information of the victim. The following information is retrieved by the malware:
Based on the information gathered, a user profile is created and sent to C2.
The stealer is interested in the following data stored by the browser:
Like any stealer, RedLine performs the following operations to steal the data:
Data | Chrome database file targeted by the stealer |
---|---|
Passwords | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
AutoFills | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data |
Credit Cards | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data |
Cookies | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies |
These files are SQLite databases, and the stealer generates SQL queries to fetch the rows it wants from them. The Network\Cookies location applies to Chrome 96 and later; older profiles keep the Cookies file directly under Default. Passwords, cookie values and card numbers are stored encrypted in these tables, which is why the stealer needs the bcrypt.dll functions it resolves at runtime.
The stealer implements a dedicated class to process the Mozilla Firefox browser. Interestingly, only cookies are enumerated.
After parsing the C2 configuration, the Id10 value of the settings object (this numbering of configuration fields is unrelated to the id<n> C2 endpoints listed in the Communication section) holds the user's Desktop and Documents directories followed by a search pattern. The malware uses it to search for matching files: all text and document files, plus any file whose name contains "key", "wallet" or "seed".
The search function takes the Id10 values and calls the FileSearcher.Search method.
The C2 configuration contains a list of wallet application names for the stealer to look for, followed by directory details (%AppData%).
Wallets Targeted by the Stealer | ||||
---|---|---|---|---|
Armory | Atomic | Electrum | Ethereum | Exodus |
Binance | Coinomi | Guarda | Jaxx | Monero |
The method that performs the stealing checks the %AppData% directory for wallets mentioned in the C2 configuration. If found, the “wallet.dat” files are fetched and sent to C2.
The wallet extensions installed in browsers are also enumerated by the stealer. The stealer has a base64 encoded array that holds wallet browser extensions in the format “<extension_folder_id> | <extension_name> “. Critical data stored by the extensions are fetched and sent to C2.
Browser Extensions Targeted by the Stealer | ||||
---|---|---|---|---|
YoroiWallet | BitAppWallet | TonCrystal | Tronlink | AtomicWallet |
KardiaChain | NiftyWallet | TerraStation | Wombat | Phantom |
HarmonyWallet | Oxygen | MathWallet | Coin98Wallet | MewCx |
Coinbase | Authenticator | GuildWallet | BoltX | BinanceChain |
SaturnWallet | LiqualityWallet | BraveWallet | RoninWallet | XdefiWallet |
NamiWallet | EqualWallet | MaiarDeFiWallet | JaxxxLiberty | Coin98Wallet |
GuardaWallet | YoroiWallet | Metamask | PaliWallet | TempleWallet |
BitAppWallet | iWallet |
The stealer enumerates all *.log and *.db files under C:\Users\user\AppData\Roaming\discord\Local Storage\leveldb and looks for Discord tokens with a regular expression matching three dot-separated groups of 24, 6 and 27 characters. As reproduced in the analysis the pattern reads:
{24}\.{6}\.{27}
Each quantifier applies to a token character class, [\w-] in the form this pattern usually takes, giving [\w-]{24}\.[\w-]{6}\.[\w-]{27}.
The RedLine stealer targets the Steam client by first retrieving its installation path.
It is interested in *ssfn* files (Steam Guard sentry files, which mark a machine as trusted), *.config files and *.vdf files. The file paths are generated by instantiating the GameLauncher class, the files are collected through the FIleScanning.Search() method, and the data is sent to the C2.
The stealer targets the following VPN applications:
While targeting the NordVPN:
For OpenVPN and ProtonVPN, the stealer enumerates the respective application directories and collects .config and .ovpn files.
RedLine stealer targets the FileZilla FTP application. It searches for two files on the victim system in AppData directory:
After locating these XML files, it parses them and extracts the stored user and password information.
The stealer takes the screenshot of the user screen by performing the following operations:
RedLine lets its operators run additional payloads, such as RATs or beacons, as tasks. The stealer retrieves the task list from the C2; each task is usually a URL pointing at a payload or an OS command.
RedLine provides the following four task types for executing additional actions on the compromised system.
Command execution: the operator issues a command, which the stealer runs via cmd.exe.
Download and execute: the stealer downloads a payload from the internet and runs it.
Download-only: the payload is downloaded but not executed; running it requires a separate execute-only task.
Execute-only: an already-present file is executed without downloading anything, typically after a download-only task.
Endpoint | Name | Description |
---|---|---|
id1 | | None |
id2 | | None |
id3 | user | Sends user information to this endpoint |
id4 | user | Sends user information to this endpoint |
id5 | display | Sends the screenshot of the victim's screen |
id6 | defenders | Sends the list of AV products installed on the system |
id7 | languages | Sends the languages available on the system |
id8 | softwares | Sends the list of installed programs |
id9 | processes | Sends the list of running processes |
id10 | hardwares | Sends CPU/GPU/RAM data |
id11 | browsers | Sends user data stolen from browsers |
id12 | ftps | Sends data stolen from the FileZilla application |
id13 | installedBrowsers | Sends the list of installed browsers |
id14 | remoteFiles | Sends file grabber data |
id15 | remoteFiles | Sends file grabber data |
id16 | remoteFiles | Sends file grabber data |
id17 | loginPairs | Sends file grabber data |
id18 | remoteFiles | Sends file grabber data |
id19 | remoteFiles | Sends file grabber data |
id20 | remoteFiles | Sends file grabber data |
id21 | remoteFiles | Sends file grabber data |
id22 | | None |
id23 | user | Sends user information to this endpoint |
id24 | updateId | Task-related data |
The following image demonstrates the endpoint communication.
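A detection sketch over constructed telemetry, added here as an example and not part of CloudSEK's analysis: it flags Regsvcs.exe starting under an unexpected parent, Regsvcs.exe opening network connections, and SOAPAction headers of the form http://tempuri.org/Entity/Id<n> mapped back to the endpoint names in the table above, then scores each process by how many of the three line up. The event format, the parent allowlist and all hosts, paths and PIDs are assumptions; tempuri.org on its own is deliberately not matched, since WCF assigns that namespace to any contract by default.

```python
import re
from collections import defaultdict

# Endpoint number -> contract name from the table above (None = no name given).
REDLINE_ENDPOINTS = {
    1: None, 2: None, 3: "user", 4: "user", 5: "display", 6: "defenders",
    7: "languages", 8: "softwares", 9: "processes", 10: "hardwares",
    11: "browsers", 12: "ftps", 13: "installedBrowsers", 14: "remoteFiles",
    15: "remoteFiles", 16: "remoteFiles", 17: "loginPairs", 18: "remoteFiles",
    19: "remoteFiles", 20: "remoteFiles", 21: "remoteFiles", 22: None,
    23: "user", 24: "updateId",
}

# SOAP 1.1 carries the action in a (usually quoted) SOAPAction header. Match the
# Entity/Id<n> action, not the bare tempuri.org namespace, which is WCF's default.
SOAP_ACTION_RE = re.compile(r'^"?http://tempuri\.org/Entity/Id(\d{1,2})"?$')

# Assumed allowlist of parents that legitimately start Regsvcs.exe (build and
# installer tooling); tune it to your environment.
EXPECTED_PARENTS = {"msiexec.exe", "msbuild.exe", "devenv.exe", "setup.exe"}

# Constructed telemetry in a simple dict form (not any vendor's real schema):
# one hollowed Regsvcs.exe (pid 4242) and one unrelated WCF client (pid 1337).
EVENTS = [
    {"type": "process", "pid": 4242, "parent_image": r"C:\Users\user\Downloads\Invoice.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"type": "network", "pid": 4242, "dst_ip": "203.0.113.10", "dst_port": 80},
    {"type": "http", "pid": 4242, "method": "POST", "host": "203.0.113.10",
     "headers": {"SOAPAction": '"http://tempuri.org/Entity/Id3"',
                 "Content-Type": "text/xml; charset=utf-8"}},
    {"type": "http", "pid": 4242, "method": "POST", "host": "203.0.113.10",
     "headers": {"SOAPAction": '"http://tempuri.org/Entity/Id24"'}},
    {"type": "process", "pid": 1337, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Vendor\Client.exe"},
    {"type": "http", "pid": 1337, "method": "POST", "host": "api.vendor.example",
     "headers": {"SOAPAction": '"http://tempuri.org/IService/Ping"'}},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return one alert dict per matching event, correlating by pid."""
    alerts, regsvcs_pids = [], set()
    for e in events:
        if e["type"] == "process" and basename(e["image"]) == "regsvcs.exe":
            regsvcs_pids.add(e["pid"])
            parent = basename(e["parent_image"])
            if parent not in EXPECTED_PARENTS:
                alerts.append({"pid": e["pid"], "rule": "regsvcs_unexpected_parent",
                               "detail": parent})
        elif e["type"] == "network" and e["pid"] in regsvcs_pids:
            # The .NET Services Installation Tool registers assemblies with COM+;
            # it has no reason to open outbound connections.
            alerts.append({"pid": e["pid"], "rule": "regsvcs_network",
                           "detail": f'{e["dst_ip"]}:{e["dst_port"]}'})
        elif e["type"] == "http":
            m = SOAP_ACTION_RE.match(e["headers"].get("SOAPAction", ""))
            if m and int(m.group(1)) in REDLINE_ENDPOINTS:
                n = int(m.group(1))
                alerts.append({"pid": e["pid"], "rule": "redline_soap_endpoint",
                               "detail": f"Id{n} ({REDLINE_ENDPOINTS[n] or 'unnamed'})"})
    return alerts


def score(alerts: list) -> dict:
    """Per pid: 'high' when process, network and SOAP evidence all line up,
    'medium' for the SOAP pattern or two process-side hits, 'low' otherwise."""
    rules = defaultdict(set)
    for a in alerts:
        rules[a["pid"]].add(a["rule"])
    out = {}
    for pid, seen in rules.items():
        if {"regsvcs_unexpected_parent", "regsvcs_network", "redline_soap_endpoint"} <= seen:
            out[pid] = "high"
        elif "redline_soap_endpoint" in seen or len(seen) >= 2:
            out[pid] = "medium"
        else:
            out[pid] = "low"
    return out


if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(alert)
    print(score(found))
```

The SOAP rule only fires on the exact Entity/Id<n> action string, so the benign client posting to tempuri.org/IService/Ping produces nothing; the process-side rules are what make the Regsvcs.exe case high confidence rather than a string match alone.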
SHA-256 hashes |
---|
6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64 |
5be845902145831466d3b710541d2c5a53cfc50108126c8802b48226e89e1887 |
1365e7708c818aa8a3cbed2a295ce2d585c654d80b78b1e5b3af9f30c654a4fa |
7701ee20f7c99aadf95e31bf775bf1614f66aea3e9f03dfadf5ee247ab8eb29c |
1d18b3c7e5845a5c5cf519471a7b6ee354f848764b7c64b6f3ec59d0e3492e9b |
710b3f75954a006368d8ebff83e35a8c815f26bdf2b58d62e1a5ffdbc88cd20f |
IP addresses |
---|
95.179.163.157 |
193.106.191.226 |
49.12.69.202 |
185.250.148.76 |
Domains |
---|
santaanarealtor.icu |
Network pattern: http://tempuri.org/Entity/Id<1-24>. This is the SOAP action and XML namespace of the stealer's C2 service, not a domain to block: tempuri.org is the placeholder namespace WCF assigns by default to any service contract, so it appears in legitimate traffic as well. Match on the Entity/Id<n> action string in proxy or IDS telemetry, together with the originating process and destination, rather than on the hostname.