Throughout the entire early May 2023, GridinSoft analysts team observed an anomalous activity of RedLine stealer. It is, actually, an activity different from what we used to know. Over 100,000 samples of this malware appeared through the first 12 days of the month – that is too much even for more massive threats. Needless to say for stealer malware such a massive outbreak is confusing, to say the least.
What is RedLine malware?
First, let me remind you what RedLine is. It is a classic infostealer that targets cryptocurrency wallet credentials, browser AutoFill forms, cookies, and credentials from other applications. The most common way of spreading this malware is spear phishing, which contains infected files and phishing links. Another option used by malware masters recently is malvertising through Google Search ads. The latter supposes the creation of a website that replicates the downloading page of a legit free software – like 7zip, OBS Studio or LibreOffice.
Emerged in early 2020, RedLine had moderate activity throughout its lifespan. The first noticeable activity happened only half a year after the first sample detection – meaning its developers were raising their malware from scratch. But now it made an enormous spike, that peaked on May 7 – over 39,000 samples emerged that day.
What does that mean?
Actually, almost a hundred thousand samples do not correspond to 100,000 victims. RedLine malware toolkit offers sample recompilation and its developers recommend compiling a fresh sample for each attack. That makes every malware unit unique, which makes it way harder to detect by classic anti-virus programs. Encrypting utility, which is also recommended by the malware developers to use, makes it even tougher.
Sure, some of these samples are definitely used in ongoing attacks. RedLine bears on continuous operations and botnet expansions, which requires retaining high infection rates. “Background” activity of this malware is about 1,500 samples a day – meaning most of them are used in actual attacks. Meanwhile, no huge infection spikes were detected recently, at least not of the scale of the sample generation.
The most concerning hypothesis is that RedLine is getting ready for a massive attack. How will this attack be conducted – this is about to be guessed or seen, yet cybercriminals rarely betray their “classic” spreading ways. Email spam, especially precision-made ones, remains very effective and exceptionally cheap – so why would they reinvent the bicycle?
Another possible occasion is way less dramatic, yet does not mean that the threat is over. Such a massive sample generation may be an outcome of some tests – for example, ones done to test the compiler, crypto, or other mechanism. Neither me nor any other analyst can know for sure what exactly they test, but these changes may have qualitative differences. The best way to understand what that means is to spectate, fortunately, these maneuvers do not disrupt threat intelligence in any way.
IoC RedLine Stealer
- Spy.Win32.Redline.lu!heur: 86bf4d7ec1c3051e551fbb67851a92a57eafc63c2a3ffa7eff6f2bfd3aeaf090
- Malware.Win32.RedLine.bot: ab5a370e1c1cdd0ba63dbcc96dad0683ba99bf8714b4ee1bcf3dae4155461fec
- Spy.Win32.Redline.lu!heur: ee55b8cdb9ccdaf77038f607915be87182334677f6efd2275c662e4a62606f35
- Spy.Win32.Redline.lu!heur: 15c4e65f1553b52ee1a61f058801d36d9aca524966b2e54db48c6be860669a9b
- Spy.Win32.Redline.lu!heur: af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d
- Spy.Win32.Redline.lu!heur: 0dc3f6ae47530d181c92ede69b4ff8102fbf188ecb815df5d76a84f2c4e308b8
- Spy.Win32.Redline.lu!heur: 6e053efaafd44585f10e99ae9c0f71fb6ab84964fe1a23c30dcbb8423e83a549
- Spy.Win32.Redline.lu!heur: c2d438cc08719cace3e5f16279b2ac3c157f77ceb088dc2652879e994845b893
- Spy.Win32.Redline.lu!heur: e178781138199b0e5dd1210a53b0c54a8c7a036ebaf94371f681a05e3e0bddfc
- Spy.Win32.Redline.lu!heur: 00068de8a4a11fb2c1703836cac25084ea7707e99a1ea808d38402971edc7163
How to stay protected?
I’ve already mentioned preferred spreading ways that RedLine has used since its emergence in 2020. Protective measures should be built around counteracting these methods. And, of course, as the last line of defense, there should be anti-malware software.
Perform a diligent check for each email you receive. It may look like a too paranoid measure for messages, but be aware – it is not about “just emails”. The number of cyberattacks on companies of all sizes done through email spam is terrifying, thus such a threat should not be ignored. Any questionable attachment, link, or strange email address of a sender is a red flag.
Use network monitoring tools. Both active and passive will fit, as RedLine does not apply complicated anti-detection methods. Still, it tries to spoof the traffic path during the C2 communication – and here is where protective solutions shine. Firewalls are much cheaper and easier to set up, but lack reactive response capabilities. Meanwhile, NDR solutions trade their complexity and expense for the ability to intercept even the most novice threats.
Anti-malware software – the last argument of kings. The ideal network security situation is preventing malware from making its way to the live workstation. Though idealism is sometimes synonymous with naivety. For that reason, a thing to back up your security is essential, both if you’re a home user or are connected to the corporate LAN. GridinSoft Anti-Malware is a great choice for home protection, though it will be better to seek a specialized option to protect an entire network.