Technical Analysis of the RedLine Stealer

  • Author: Anandeshwar Unnikrishnan
  • Editor: Suchita Katira

Summary

RedLine is an information stealer that operates on a MaaS (malware-as-a-service) model. The stealer is sold on underground forums, priced according to the buyer's needs.

Like many stealers, RedLine's developers do not provide crypters/loaders; it is up to the operator to choose one. Recently, CloudSEK's telemetry started picking up deployments of RedLine stealer via Regsvcs.exe on Windows systems. Using the process hollowing technique, the loader spawns Regsvcs.exe in a suspended state and replaces the contents of the process. The RedLine PE (Portable Executable) is mapped into the Regsvcs process and the thread context is modified to point at the stealer's entry point, which allows the malware to masquerade as a legitimate process on the system. This report covers the technical analysis of the RedLine stealer, which is written in C#/.NET and is a commonly available commodity malware on underground forums.

Features of the Stealer

  • Steals user data such as credit card information, login data, and auto-fills from the installed browsers.
  • Targets user files in the Desktop and Documents directories of the victim’s PC. The file grabber specifically looks for crypto-related data like wallets and seed-related files.
  • Information stored in the wallets is targeted and stolen by the malware, which targets 10 crypto wallets and more than 40 wallet browser extensions.
  • Captures a screenshot of the victim’s desktop.
  • Steals user-specific data stored by the FileZilla FTP application and VPN applications installed on the target system.
  • Collects Discord tokens and steals user-specific data stored in the Steam application.
  • Capable of executing commands and additional payloads on compromised systems.

Built-In Configuration

The RedLine stealer has a built-in configuration in the form of a class named Arguments, containing the following fields:

  • IP: C2 IP and port used for communication. Protected by a custom encoding scheme.
  • ID: Victim-specific ID used to identify a campaign. Protected by a custom encoding scheme.
  • Message: Used in the popup window (covered in the later sections). Protected by a custom encoding scheme.
  • Key: Used for decoding the data.
  • Version: Malware version, used to instantiate the core stealer class.

[Figure: Built-in configuration used by the stealer]

The encoding used by the malware combines base64 and XOR, and decoding proceeds in three steps:

  • The base64-decoded data is passed to the XOR decoding method.
  • The XOR-decoded data is then passed to the base64 decoding method again.
  • The final base64-decoded output is the readable data used by the malware, for example for C2 communication.

[Figure: Decoding method used to decode the configuration]

The XOR step is a simple keyed cipher: each character of the base64-decoded data at index i is XORed with the key character at position (i % key.Length), so the key is cycled over the data.
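As an added example (not RedLine's code, nor CloudSEK's), the following Python reverses the three decoding steps above for a constructed configuration, the way a config extractor would. It assumes the key character for data index i is key[i % len(key)] and that key and data are ASCII, so byte-wise XOR matches the .NET char-wise XOR.

```python
import base64

# Added example, not RedLine's code. Reverses the scheme the report
# describes: outer base64 -> XOR with a cycled key -> inner base64.
# Assumption: data byte i is XORed with key[i % len(key)], and both key
# and data are ASCII.


def xor_with_cycled_key(data: bytes, key: str) -> bytes:
    """XOR every byte of data with key[i % len(key)]; self-inverse."""
    kb = key.encode("ascii")
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))


def decode_config_field(encoded: str, key: str) -> str:
    """Decode one protected Arguments field (IP, ID or Message)."""
    outer = base64.b64decode(encoded)                 # step 1: outer base64
    unxored = xor_with_cycled_key(outer, key)         # step 2: XOR decoding
    return base64.b64decode(unxored).decode("utf-8")  # step 3: inner base64


def encode_config_field(plaintext: str, key: str) -> str:
    """Inverse of decode_config_field; used here only to build a sample."""
    inner = base64.b64encode(plaintext.encode("utf-8"))
    return base64.b64encode(xor_with_cycled_key(inner, key)).decode("ascii")


def decode_arguments(arguments: dict) -> dict:
    """Decode the protected fields of an Arguments-style dictionary."""
    key = arguments["Key"]
    out = dict(arguments)
    for field in ("IP", "ID", "Message"):
        out[field] = decode_config_field(arguments[field], key)
    return out


if __name__ == "__main__":
    # Constructed sample, not a real RedLine configuration.
    key = "ExampleKey"
    sample = {
        "IP": encode_config_field("192.0.2.10:4444", key),
        "ID": encode_config_field("campaign-01", key),
        "Message": encode_config_field("", key),
        "Key": key,
        "Version": "2",
    }
    for name, value in decode_arguments(sample).items():
        print(f"{name}: {value}")
```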

[Figure: Custom XOR decoding]

Region Check

RedLine begins execution by checking the region of the compromised victim.

[Figure: Region check function in RedLine stealer]

The malware keeps a list of CIS countries; if the victim's region matches any entry in the list, the check fails and execution is terminated. This is very common behavior in malware developed by adversaries based in CIS countries.

[Figure: Excluded regions from infection]

C2 Configuration

After the initial region check, the stealer fetches the C2 configuration from the IP obtained via the built-in configuration. Details of the communication are covered in the Communication section of this report.

[Figure: Configuration fetched from C2]

The configuration dictates the behavior of the stealer. After receiving the configuration, the malware processes it and stores it in an object named settings.

[Figure: Parsed C2 configuration]

The file grabber configuration contains a directory path to search, followed by a pattern used to locate the data in that directory. In this case, the malware steals all text files and documents, together with any files that have "key", "wallet" or "seed" as a substring of their names.

[Figure: File grabber configuration]

Various applications are targeted to steal user data, including browsers, game launchers, and VPN applications.

[Figure: Applications targeted by RedLine]

Various crypto wallets are targeted by the stealer. For each wallet, the configuration contains the application name and the environment variable from which the corresponding user data directory is searched.

[Figure: Targeted crypto wallet applications]

Instantiating the Stealer

The core functionality of the RedLine stealer is implemented in two classes, FullInfoSender and PartsSender, which are not interdependent. The malware instantiates only one of them, based on a version check: the stealer reads the version ID stored in the built-in configuration, and FullInfoSender is executed for malware versions above 1. There is no functional difference between the two classes; both follow exactly the same logic.

[Figure: Classes that implement stealer functions]

The stealer's functionality is spread across several methods of these classes. The one capability outside the scope of FullInfoSender/PartsSender is command/payload execution, which is provided by the TaskResolver class and is covered in the following sections.

[Figure: Methods implemented by class FullInfoSender]

Data Stealing

Run Time Dynamic Linking

The stealer can dynamically load DLLs (Dynamic Link Libraries) at runtime to perform various stealing activities. The Win32 APIs LoadLibraryA and GetProcAddress are declared via P/Invoke. Platform Invocation Services (P/Invoke) is a feature of Common Language Infrastructure (CLI) implementations that enables managed code to call native code. This lets the malware load a specific DLL module into memory and later resolve the address of a specific function inside the loaded DLL.

[Figure: P/Invoke: LoadLibrary and GetProcAddress for run-time dynamic linking]

Dynamic loading of DLLs is seen in two places: inside the function the malware uses to read browser-specific stored data, and inside the function responsible for taking a screenshot of the victim's desktop. The malware loads bcrypt.dll to perform the cryptographic operations needed on browser data while stealing it.

The following functions in bcrypt.dll are resolved:

  • BCryptOpenAlgorithmProvider
  • BCryptCloseAlgorithmProvider
  • BCryptDecrypt
  • BCryptDestroyKey
  • BCryptGetProperty
  • BCryptSetProperty
  • BCryptImportKey

[Figure: Loading of bcrypt.dll]

The malware loads gdi32.dll to perform image-related processing. This is a popular DLL abused by the stealer and other malware to perform a screen capture. The GetDeviceCaps function is resolved by the stealer.

[Figure: Loading of gdi32.dll]

The purpose of each of the resolved functions is covered in the following sections.

System Information

The stealer uses Windows Management Instrumentation (WMI) to retrieve the system information of the victim. The following information is retrieved by the malware:

  • Username
  • Monitor size
  • Input languages and Windows version
  • Processor, GPU, and Memory information
  • Installed browsers
  • Installed programs
  • Installed AntiVirus solutions
  • Running Processes
  • Available Languages

Based on the information gathered, a user profile is created and sent to C2.

[Figure: User profile sent to C2]

Browser Data

The stealer is interested in the following data stored by the browser:

  • Cookies
  • AutoFills
  • Stored passwords
  • Stored credit card information

Like any stealer, RedLine performs the following operations to steal the data:

  • Retrieves the target SQL database file stored by the browser (see the table below).
  • Steals the decryption key stored in the browser's "Local State" file, which protects the data held in the databases under the User Data directory.
  • Opens the database and decrypts the data.
  • Sends the data back to C2.

Critical database files targeted by the stealer:

  • Passwords: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
  • AutoFills: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
  • Credit Cards: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
  • Cookies: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

[Figure: Methods to steal browser data]

SQL queries are generated in order to fetch data from the database.

[Figure: Module implementing database interaction and SQL command generation]

The stealer implements a dedicated class to process the Mozilla Firefox browser. Interestingly, only cookies are enumerated.

[Figure: Mozilla stealer methods for Firefox]

File Grabber

After parsing the C2 configuration, the value of the Id10 field, which holds the user's Desktop and Documents directories followed by a search pattern, is displayed. The malware uses this information to search for files matching the pattern. It steals all text and document files, along with files whose names match the patterns "key", "wallet" and "seed".

[Figure: File grabber configuration]

The following function implements the search; it takes the Id10 values and calls the FileSearcher.Search method.

[Figure: Method implementing file grabber]
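As an added example (not RedLine's or CloudSEK's code), the following Python shows which files on a host a grabber using the pattern set described above would collect, so a defender can gauge exposure. The pattern list is an assumed rendering of the report's description (text files, documents, and names containing key/wallet/seed), not the exact Id10 string, and the matching is assumed to apply case-insensitively to the file name only.

```python
import fnmatch
from pathlib import PureWindowsPath

# Added example, not RedLine's code. GRABBER_PATTERNS is an assumed
# rendering of the grabber configuration the report describes, not the
# exact string RedLine receives from C2.
GRABBER_PATTERNS = ["*.txt", "*.doc", "*.docx", "*key*", "*wallet*", "*seed*"]

# Constructed sample of paths under the user's Desktop and Documents.
SAMPLE_PATHS = [
    r"C:\Users\user\Desktop\notes.txt",
    r"C:\Users\user\Desktop\holiday.jpg",
    r"C:\Users\user\Documents\invoice.docx",
    r"C:\Users\user\Documents\Wallet_backup.zip",
    r"C:\Users\user\Documents\seed-phrase.pdf",
    r"C:\Users\user\Documents\turkey_recipe.pdf",   # "key" as a substring
    r"C:\Users\user\Desktop\keys\id_rsa",           # only the directory says "keys"
]


def grabber_matches(paths, patterns=GRABBER_PATTERNS):
    """Return {path: [patterns matched]} for files the grabber would collect.

    Assumption: patterns are applied case-insensitively to the file name
    only (Windows semantics), so a directory named "keys" does not by
    itself expose a file called id_rsa inside it.
    """
    hits = {}
    for path in paths:
        name = PureWindowsPath(path).name.lower()
        matched = [p for p in patterns if fnmatch.fnmatchcase(name, p.lower())]
        if matched:
            hits[path] = matched
    return hits


def exposure_by_pattern(hits):
    """Count how many collected files each pattern is responsible for."""
    counts = {}
    for matched in hits.values():
        for p in matched:
            counts[p] = counts.get(p, 0) + 1
    return counts


if __name__ == "__main__":
    hits = grabber_matches(SAMPLE_PATHS)
    for path, matched in hits.items():
        print(f"{path}  <- {', '.join(matched)}")
    print(exposure_by_pattern(hits))
```

The substring patterns are broad: an unrelated file such as turkey_recipe.pdf is collected because its name contains "key".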

Wallets and Extensions

The C2 configuration contains a list of wallet application names for the stealer to look for, followed by directory details (%AppData%).

Wallets targeted by the stealer: Armory, Atomic, Electrum, Ethereum, Exodus, Binance, Coinomi, Guarda, Jaxx, Monero.

The method that performs the stealing checks the %AppData% directory for wallets mentioned in the C2 configuration. If found, the “wallet.dat” files are fetched and sent to C2.

[Figure: The method that generates the directory path for wallet stealing]

The wallet extensions installed in browsers are also enumerated by the stealer. The stealer holds a base64-encoded array of wallet browser extensions in the format "<extension_folder_id> | <extension_name>". Critical data stored by the extensions is fetched and sent to C2.

[Figure: Base64-encoded wallet browser extension names and folder names]

Browser extensions targeted by the stealer: YoroiWallet, BitAppWallet, TonCrystal, Tronlink, AtomicWallet, KardiaChain, NiftyWallet, TerraStation, Wombat, Phantom, HarmonyWallet, Oxygen, MathWallet, Coin98Wallet, MewCx, Coinbase, Authenticator, GuildWallet, BoltX, BinanceChain, SaturnWallet, LiqualityWallet, BraveWallet, RoninWallet, XdefiWallet, NamiWallet, EqualWallet, MaiarDeFiWallet, JaxxxLiberty, Coin98Wallet, GuardaWallet, YoroiWallet, Metamask, PaliWallet, TempleWallet, BitAppWallet, iWallet.

Discord

The stealer enumerates all *.log and *.db files in C:\Users\user\AppData\Roaming\discord\Local Storage\leveldb and looks for tokens using the following regex pattern:

{24}\.{6}\.{27}

Game Launchers

The RedLine stealer targets the Steam application by first retrieving its installation path.

[Figure: Malware checking for Steam installation]

The stealer is interested in *ssfn*, *.config, and *.vdf files. The file paths are generated by instantiating the GameLauncher class, the files are located by calling the FIleScanning.Search() method, and the data is then sent to C2.

[Figure: Method implementing GameLauncher data stealing]

VPN

The stealer targets the following VPN applications:

  • NordVPN
  • OpenVPN
  • ProtonVPN

While targeting NordVPN, the stealer:

  • Retrieves the path C:\Users\user\AppData\Local\NordVPN
  • Enumerates "user.config" (XML) files in the NordVPN.exe* directories.
  • Opens the user config file and looks for the //setting/value nodes.
  • Decodes the retrieved data and sends it to C2.

[Figure: NordVPN user configuration stealing]

While targeting OpenVPN and ProtonVPN, the stealer enumerates the respective directories and looks for .config data and .ovpn files.

FTP Applications

RedLine stealer targets the FileZilla FTP application. It searches for two files in the AppData directory on the victim system:

  • sitemanager.xml
  • recentservers.xml

After fetching the path to the above-mentioned XML files, it parses and steals password and user information.

[Figure: RedLine stealing data from the FileZilla configuration file]

ScreenGrab

The stealer takes a screenshot of the user's screen by performing the following operations:

  • The screen size is calculated by retrieving the scale factor. During this calculation the stealer loads gdi32.dll into memory and uses the GetDeviceCaps function to obtain the number of bits per pixel.
  • After calculating the monitor size, the screen capture involves some image processing that is beyond the scope of this report. Finally, the captured image is exported as a .png, and this data is sent to C2.

[Figure: Storing the screenshot image as PNG]

Task Execution

RedLine stealer gives its operators the ability to run additional payloads, such as RATs or beacons, as tasks. The stealer retrieves the list of tasks from C2; a task is usually a link to a payload or an OS command.

[Figure: Task configuration check and task execution]

RedLine provides the following four task types for running additional work on the compromised system.

  • Command execution via cmd

This task type lets the operator issue commands that are executed via cmd.exe.

[Figure: Task command execution via cmd.exe]

  • Download and execute payload

This task type makes the stealer download a payload from the internet and execute it.

[Figure: Payload download and execution]

  • Download-only feature

This task type is "download-only" and does not execute the payload. To execute the payload, the execute-only feature needs to be used.

[Figure: Download-only task execution]

  • Execute-only feature

This task type is "execute-only" and does not download any payload. It can be used after the download-only feature.

[Figure: Execute-only task execution]

Communication

  • The stealer uses http://tempuri[.]org/Entity/Id<1-24> as command and control. The domain is set up so that visitors are redirected to bing.com if the proper parameters are not provided.
  • The Id parameter distinguishes the various types of data sent by the malware to C2. The endpoints and their significance are listed below.

Endpoints and their purpose:

  • id1: None
  • id2: None
  • id3 (user): Sends out user information to this endpoint
  • id4 (user): Sends out user information to this endpoint
  • id5 (display): Sends the screenshot of the victim's screen to this endpoint
  • id6 (defenders): Sends out the list of AVs installed on the system to this endpoint
  • id7 (languages): Sends out the available languages on the system to this endpoint
  • id8 (softwares): Sends out the list of installed programs on the system to this endpoint
  • id9 (processes): Sends out the list of running processes on the system to this endpoint
  • id10 (hardwares): Sends out CPU/GPU/RAM data to this endpoint
  • id11 (browsers): Sends out stolen user data from browsers to this endpoint
  • id12 (ftps): Sends out data stolen from the FileZilla application to this endpoint
  • id13 (installedBrowsers): Sends out the list of installed browsers to this endpoint
  • id14 (remoteFiles): Sends out file grabber data to this endpoint
  • id15 (remoteFiles): Sends out file grabber data to this endpoint
  • id16 (remoteFiles): Sends out file grabber data to this endpoint
  • id17 (loginPairs): Sends out file grabber data to this endpoint
  • id18 (remoteFiles): Sends out file grabber data to this endpoint
  • id19 (remoteFiles): Sends out file grabber data to this endpoint
  • id20 (remoteFiles): Sends out file grabber data to this endpoint
  • id21 (remoteFiles): Sends out file grabber data to this endpoint
  • id22: None
  • id23 (user): Sends out user information to this endpoint
  • id24 (updateId): Task-related data

The following image demonstrates the endpoint communication.

[Figure: RedLine sending the list of AV solutions installed on the compromised system to C2 endpoint id6]
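As an added example (not RedLine's or CloudSEK's code), the following Python applies the Id<n> endpoint table above to captured HTTP request lines, labelling each hit with the kind of data that left the host. It assumes the identifier string appears somewhere in the logged request (for instance in a SOAPAction header); the log format and addresses are constructed.

```python
import re

# Added example, not RedLine's code. ENDPOINT_NAMES is the Id -> name
# table from the report. Assumption: the Entity/Id<n> string is visible in
# the captured request line; the proxy log below is constructed.
ENDPOINT_NAMES = {
    1: "None", 2: "None", 3: "user", 4: "user", 5: "display", 6: "defenders",
    7: "languages", 8: "softwares", 9: "processes", 10: "hardwares",
    11: "browsers", 12: "ftps", 13: "installedBrowsers", 14: "remoteFiles",
    15: "remoteFiles", 16: "remoteFiles", 17: "loginPairs", 18: "remoteFiles",
    19: "remoteFiles", 20: "remoteFiles", 21: "remoteFiles", 22: "None",
    23: "user", 24: "updateId",
}
ENDPOINT_RE = re.compile(r"https?://tempuri\.org/Entity/Id(\d{1,2})\b")

SAMPLE_LOG = [  # constructed proxy log lines, TEST-NET addresses
    '10:00:01 10.0.0.5 -> 192.0.2.10:4444 POST / SOAPAction="http://tempuri.org/Entity/Id3"',
    '10:00:02 10.0.0.5 -> 192.0.2.10:4444 POST / SOAPAction="http://tempuri.org/Entity/Id6"',
    '10:00:02 10.0.0.5 -> 192.0.2.10:4444 POST / SOAPAction="http://tempuri.org/Entity/Id8"',
    '10:00:03 10.0.0.5 -> 192.0.2.50:443 GET https://example.com/',
    '10:00:04 10.0.0.5 -> 192.0.2.10:4444 POST / SOAPAction="http://tempuri.org/Entity/Id11"',
    '10:00:05 10.0.0.5 -> 192.0.2.10:4444 POST / SOAPAction="http://tempuri.org/Entity/Id5"',
    '10:00:09 10.0.0.5 -> 192.0.2.10:4444 POST / SOAPAction="http://tempuri.org/Entity/Id24"',
    '10:00:10 10.0.0.5 -> 192.0.2.10:4444 POST / SOAPAction="http://tempuri.org/Entity/Id99"',
]


def classify_line(line):
    """Return (id, endpoint name) if the line carries a known Id endpoint, else None."""
    m = ENDPOINT_RE.search(line)
    if not m:
        return None
    n = int(m.group(1))
    return (n, ENDPOINT_NAMES[n]) if n in ENDPOINT_NAMES else None


def scan_log(lines):
    """Return [(line_no, id, name)] for every matching line, in log order."""
    hits = []
    for i, line in enumerate(lines, 1):
        c = classify_line(line)
        if c:
            hits.append((i, c[0], c[1]))
    return hits


def stages_observed(hits):
    """Endpoint names in first-seen order: a coarse view of what data was exfiltrated."""
    seen = []
    for _, _, name in hits:
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for line_no, n, name in hits:
        print(f"line {line_no}: Id{n} -> {name}")
    print("stages:", " > ".join(stages_observed(hits)))
```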

Indicators of Compromise (IoCs)

Hashes
IPs
  • 95.179.163.157
  • 193.106.191.226
  • 49.12.69.202
  • 185.250.148.76
Domains
  • http://tempuri.org/Entity/Id<1-24>
  • santaanarealtor.icu
Anandeshwar Unnikrishnan
Threat Intelligence Researcher , CloudSEK
Anandeshwar is a Threat Intelligence Researcher at CloudSEK. He is a strong advocate of offensive cybersecurity. He is fuelled by his passion for cyber threats in a global context. He dedicates much of his time on Try Hack Me/ Hack The Box/ Offensive Security Playground. He believes that “a strong mind starts with a strong body.” When he is not gymming, he finds time to nurture his passion for teaching. He also likes to travel and experience new cultures.