RedLine Explained in 2023

RedLine is one of the most widespread banking stealers, known for the variety of methods it uses to spread.


RedLine Stealer | Gridinsoft

What is RedLine?

March 13, 2023

Only a few things ever reach the top of the charts, and that rule holds for pretty much everything. Malware is no exception, and RedLine stealer shows the real difference between ordinary and advanced malware.

RedLine is a stealer malware that aims primarily at banking credentials, but is capable of extracting other information as well. Its key focus is breaking into the victims’ web browsers in order to gather account information, AutoFill data and anything else of value that may be stored there. Convenient controls together with built-in anti-detection and anti-analysis features have made RedLine one of the most popular and prolific stealers on the market. Another notable thing about RedLine stealer is that its spreading methods differ from the usual propagation through email spam.

RedLine samples

First mentions of this stealer date back to early 2020, but the first notable spike of activity came only half a year later. It is distributed under a Malware-as-a-Service model, primarily through advertisements in Telegram groups. Subscription plans range from $100 for one week to $800 for a lifetime “licence”. The sample is supplied together with a crypter, a tool that encrypts the malware sample before it is deployed in the wild; that step lowers the chance of detection and complicates analysis.

Redline Telegram post
Bot that RedLine developers use to sell and promote their malware

RedLine malware spreading

Above we mentioned that RedLine uses some unusual ways of propagation, different from what is considered typical these days. Email spam is both effective and cheap, but attracts too much attention. The crooks who spread this malware have their own options, though they still use spam in certain cases, and they seem to have mastered their approaches well enough to overtake all competitors.

Spam in social media

Social network accounts, especially ones that belong to celebrities or well-known organisations, are generally trusted by their subscribers. Facebook, Twitter, Instagram – any social network accessible from a PC will do; the key point is to find the accounts that enjoy the most trust. Social engineering, or a preceding malware infection, supplies the hackers with the account credentials, and then the show starts.

Crooks who use this method to spread RedLine rarely resort to obvious, easily recognised spam. Instead, they try to look convincing, with banners that include details about the organisation or person and relate to their usual business. For example, using a hijacked ISP account, hackers made a post promoting free Adobe software, with a link that led to a RedLine download. That is something people may expect from a provider and take as care for its clients – and thus they swallow the bait.

Redline Telegram post
Post from the hijacked account of Brazilian ISP that contained a link to RedLine downloading

Dropper malware

A dropper, or downloader, is a kind of malware used to deliver other malware to the infected computer. Extensive networks of computers running a dropper are widely offered on the Darknet, so anyone can pay to have their malware uploaded to those PCs. RedLine’s masters do not disdain this way of spreading, as it has proven fairly efficient. Problems may appear if the network is “used”, i.e. a lot of other malware has already been delivered and most of the valuable information is likely to have been extracted already.

RedLine is sometimes used as an “instant” payload of droppers. That happens when hackers seek to get into the system as stealthily as possible and then, after gaining initial access, deploy their own lineup of malicious programs. This is typical of the SmokeLoader backdoor, which is in turn often delivered along with STOP/Djvu ransomware. Besides that, samples of this malware delivered by a dropper differ noticeably from ones delivered in other ways.

Google Search malvertising

Google is considered a trustworthy advertising platform, where both users and advertisers can be confident about what they see and click. But as the saying goes, never say never. The recent massive flow of malicious ads in Google Search results has become a very potent method of malware spreading. This is not the first time something malicious has slipped into Google ads, but the scale of the current case is unprecedented. Most often, these sites replicate the websites of free software developers, or the official download pages of auxiliary software such as drivers or toolkits.

Typical example of Google search ads flooded by malicious links

In this case the malware is disguised as a legitimate software pack – a ZIP archive. Its name resembles what the victim expects to download, lowering the victim’s guard. At the same time, the sample inside the archive is bloated with null sections, so it exceeds the size limit of certain sandboxes and anti-malware products. It nonetheless retains all the functionality of a regular RedLine sample and is ready to do its work as usual once unpacked.

RedLine Stealer Analysis

First and foremost, let’s look at how RedLine unfolds after being delivered to the target system. Above we mentioned the crypter, used to protect the malware’s strings before they are actually used. Together with obfuscation and unique packing for each sample, this encryption makes the sample quite hard to detect, despite the relative ease of its analysis. Being written in C#, RedLine is not very challenging for reverse-engineering tools, so reverting the compiler’s job and reading the code is not a hard task.

One distinctive feature of RedLine compared to other malware is the form in which it arrives. It is a binary file containing a wide selection of junk code, which confuses anti-malware detection. The actual payload is held in a .cab file, encrypted with RC4 and placed among the sections of that binary. The archive holds three files: the actual payload, a script that launches it, and a second script that checks the environment for running anti-malware processes. The checking script is launched first, and if it detects any of the defined anti-malware programs, further execution is cancelled. When the check passes, it simply hands execution to the actual payload.

RedLine decryption script
RedLine decryption string

To run itself, the malware relies on a loader; recent versions of RedLine use an AutoIt script attached to the main payload, but nothing stops it from using any other kind of shellcode. This obfuscated script decrypts the malware’s strings, sets up what is needed for further execution and makes the payload run. To store all the contents of the .cab archive mentioned above, it creates a folder in the Users/Temp directory. It also copies the ntdll.dll library, renames it and adds it to the same folder; all further calls to this library go to this copy instead of the original one. This is most probably another anti-detection step – EDR solutions often inspect calls to system libraries.

Persistence in the attacked environment is established through Task Scheduler. Aside from that, RedLine creates another folder in the Temp directory to store the loading script (the one described above). Using Command Prompt, the malware creates a task that runs this script every 3 minutes.

RedLine Task Scheduler entry
Task created by RedLine to reload itself periodically
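The persistence pattern above, a scheduled task that re-runs a script from a Temp folder every few minutes, is something a defender can hunt for in exported task definitions. The following Python is an added example written for this article, not code from Gridinsoft or from the malware; the task names, paths and the 5-minute threshold are assumptions chosen for the demo.

```python
"""Hunt for RedLine-style Task Scheduler persistence in exported task XML.
Constructed example for this article (not Gridinsoft's or the malware's code): it flags a
task whose trigger repeats at a very short interval and whose action runs from a Temp folder.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler XML namespace
SHORT_INTERVAL_SECONDS = 5 * 60                     # article: every 3 minutes; 5 gives some margin
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)  # loader folder lives under ...\Temp\...

def iso_duration_seconds(value: str) -> int:
    """Convert a Task Scheduler duration such as 'PT3M' or 'P1DT2H' to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds

def analyse_task(xml_text: str) -> dict:
    """Extract the task name, its shortest repetition interval and whether it runs from Temp."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    intervals = [iso_duration_seconds(e.text)
                 for e in root.iterfind(".//t:Repetition/t:Interval", NS) if e.text]
    paths = []
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        paths.append(action.findtext("t:Command", default="", namespaces=NS))
        paths.append(action.findtext("t:Arguments", default="", namespaces=NS))
    shortest = min(intervals) if intervals else None
    runs_from_temp = any(TEMP_PATH.search(p) for p in paths)
    suspicious = shortest is not None and shortest <= SHORT_INTERVAL_SECONDS and runs_from_temp
    return {"uri": uri, "interval_seconds": shortest,
            "runs_from_temp": runs_from_temp, "suspicious": suspicious}

def flag_suspicious_tasks(xml_docs) -> list:
    """Return the URIs of all task definitions that match the persistence pattern."""
    return [t["uri"] for t in map(analyse_task, xml_docs) if t["suspicious"]]

# Constructed sample task definitions; names and paths are made up for the demo.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Update Service</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT3M</Interval></Repetition>
    <StartBoundary>2023-03-13T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\victim\AppData\Local\Temp\f1a2b3c4\run.exe</Command>
    <Arguments>C:\Users\victim\AppData\Local\Temp\f1a2b3c4\script.a3x</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Example\NightlyBackup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2023-03-13T01:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\ExampleBackup\backup.exe</Command><Arguments>--quiet</Arguments>
  </Exec></Actions>
</Task>"""
```

On a live host, each task's XML can be exported with `schtasks /query /tn <name> /xml` and passed to flag_suspicious_tasks.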

Propagation through dropper malware

Most of the time RedLine appears as stand-alone malware, which dictates the launch sequence described above. However, in attacks on advanced targets such as organisations, the use of downloaders is more common – their stealth makes them a much better choice for well-protected environments. That, in turn, changes the chain of actions that precede malware execution. Most of the changes stem from the fact that RedLine is delivered without the excessive “masking” parts of the binary. However, the deep encryption recommended by the malware developers is enough to prevent detection with this form of propagation.

After getting into the infected system and launching, a shellcode starts. Its purpose is to decrypt RedLine and hollow it into a system process to keep it stealthy. Using an embedded XTEA encryption key, it decrypts the DLL, which is the malware itself in the form of a .NET assembly. To place the decrypted and decompressed contents, RedLine allocates a memory area with the VirtualAlloc function and sets it to PAGE_EXECUTE_READWRITE protection.

RedLine Loader
Loader creates memory area

At the next stage, execution passes to another part of the binary that performs anti-analysis checks. Instead of the more usual process enumeration and search for names that correspond to sandboxes or virtual machines, it checks specific environment values and loaded DLLs. If the Cor_Enable_profiling variable is true (i.e. 0x1), the malware skips any further execution. The same happens if clrjit.dll or mscorjit.dll is present – libraries used when debugging .NET Framework code.

If the checks are passed, the malware proceeds to load the main part of its assembly from the Resources section. To start a new instance of the .NET runtime, it uses mscoree.dll, specifically its CLRCreateInstance function. After that, RedLine finishes the unwrapping process by calling Assembly.Load.

RedLine loader launch
Final stage of RedLine unwrapping, which ends up with running the malware

C2 communication

In either case, the first thing RedLine does after being unwrapped and launched is attempt to contact the command and control server. Just before that, however, it performs a so-called region check. If the detected IP address of the infected device belongs to an ex-USSR country, the malware cancels execution. That is fairly typical behaviour for malware whose developers live in those countries; the same behaviour is seen in SmokeLoader, which also stops if a banned region is detected. The list of regions is hardcoded, so the preference cannot be changed without access to the source code.

RedLine region lock
List of countries where RedLine refuses to run

The data blob responsible for contacting the command server is hardcoded into the malware and uses the same RC4 encryption and Base64 encoding as the rest of the sample. It contains the IP address and bot ID information. A sample may carry numerous IPs and ports of command servers, but most of the time we saw only a single address present.
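To show what decoding such a blob involves in practice, here is an added Python example (not code from the article, Gridinsoft or the malware). The article states only that the block is RC4-encrypted and Base64-encoded and holds the C2 address(es) and bot ID; the key, the field layout and the addresses below are constructed for the demo and are not taken from any sample.

```python
"""Decode a RedLine-style RC4 + Base64 configuration blob.

Added example, not code from the article or from the malware. Only the encoding
scheme (RC4, then Base64) comes from the article; the key, the 'host:port,...|botid'
layout and the sample values are constructed for this demonstration.
"""
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Symmetric, so it encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA: XOR each byte with the keystream
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_blob(blob_b64: str, key: bytes) -> str:
    """Undo the encoding in reverse order: Base64 first, then RC4."""
    return rc4(key, base64.b64decode(blob_b64)).decode("utf-8")

def parse_config(plaintext: str) -> dict:
    """Split the constructed 'host:port,host:port|botid' layout into fields."""
    hosts_part, _, bot_id = plaintext.partition("|")
    c2 = []
    for entry in filter(None, hosts_part.split(",")):
        host, _, port = entry.rpartition(":")
        c2.append((host, int(port)))
    return {"c2": c2, "bot_id": bot_id}

def extract_config(blob_b64: str, key: bytes) -> dict:
    """Full pipeline: encoded blob -> C2 list and bot ID."""
    return parse_config(decode_blob(blob_b64, key))

def make_blob(plaintext: str, key: bytes) -> str:
    """Used only to build the constructed sample (RC4 is symmetric)."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")

# Constructed sample: documentation-range addresses and a made-up key, not real IoCs.
SAMPLE_KEY = b"example-key"
SAMPLE_BLOB = make_blob("192.0.2.10:4287,198.51.100.7:80|build-01", SAMPLE_KEY)

if __name__ == "__main__":
    print(extract_config(SAMPLE_BLOB, SAMPLE_KEY))
```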

The initial message only notifies the C2 about a newly infected computer, so it contains just the bot ID and a short text message. The latter is commonly blank, but may contain something distinctive to group the bots or the like. After the initial message, a second one follows – an HTTP GET request that asks for the configuration. The configuration defines which functions the malware will use on the infected system.

Config from C2
Configuration file received from the command server

For scanning directories, the malware receives additional configuration files containing both the paths and the file types/file names to look for. To send data back to the server, the malware uses HTTP POST requests with a specific ID marker in the message header. This number ranges from 1 to 24, and each value corresponds to a specific type of data. The malware automatically forms and sends the POST request as soon as it succeeds in extracting that type of data.

Extracted logs
Part of information extracted by RedLine

RedLine Data Stealing

The first and foremost capability of the RedLine stealer is reconnaissance of the environment it runs in. This is not about anti-detection and anti-analysis tricks, but about taking a full footprint of the system. The malware performs this even when it receives a blank config from the C2, i.e. it is its basic functionality. The collected data includes:

  • Time Zone
  • Languages
  • Hardware information
  • Username
  • Windows version and build
  • Screenshot
  • Installed browsers
  • Installed antivirus software
  • Currently running processes

With a configuration, however, RedLine can grab a much wider range of data, including passwords of different categories, bank card numbers and cryptocurrency wallets, as well as data from web browsers and several specific desktop applications. Let’s look at each data source.

Web browsers

RedLine can break into numerous web browsers – from popular ones like Chrome, Opera and Firefox to alternatives based on Chromium and Quantum. Its points of interest are divided into in-browser data and data from add-ons related to cryptocurrency wallets. The stealer takes saved passwords and credit card data from AutoFill forms; in fact, it grabs whatever it finds in auto-fill, since this is its main way of stealing data from browsers. Another thing RedLine looks for in web browsers is cookies. Depending on how the browser stores them (i.e. as an encrypted file or within an SQL database), the malware can extract these as well.

Browser extensions are a somewhat different story. The malware carries a hefty list of extensions used to manage hot cryptocurrency wallets and scans the web browser’s files to locate any of them. It then dumps data related to all the matches (or skips this step if none are found). It specifically aims at passwords and cookies related to these extensions, copying whatever it finds into its folder with the other files. The list of wallets it targets is as follows:

  • Metamask
  • EqualWallet
  • MathWallet
  • Coinbase
  • BinanceChain
  • BraveWallet
  • GuardaWallet
  • YoroiWallet
  • Tronlink
  • NiftyWallet
  • JaxxxLiberty
  • Phantom
  • Oxygen
  • MewCx
  • GuildWallet
  • SaturnWallet
  • RoninWallet
  • TerraStation
  • HarmonyWallet
  • Coin98Wallet
  • PaliWallet
  • BoltX
  • BitAppWallet
  • NamiWallet
  • MaiarDeFiWallet
  • Authenticator
  • iWallet
  • Wombat
  • AtomicWallet
  • TonCrystal
  • KardiaChain
  • LiqualityWallet
  • XdefiWallet

Desktop applications

There are 3 desktop programs RedLine pays specific attention to: Discord, Steam and the Telegram messenger. The primary goal is session hijacking and, in the case of Telegram, stealing files related to the session. The first two have a similar, token-based way of managing sessions. Attacking them, the malware goes to their directories in AppData\Roaming and rummages through their files in search of session tokens. The malware knows the naming pattern used by both Steam and Discord, and searches specifically for the files that fit this naming convention.

Telegram handles sessions differently, which rules out the same trick. For that reason, RedLine simply grabs all the files related to the user session, stored in the AppData\Telegram Desktop\tdata folder.

VPN and FTP applications

RedLine can steal login credentials for several VPN services and FTP applications: OpenVPN, NordVPN, ProtonVPN and FileZilla. For the VPNs, it simply searches for config files in their user directories. For example, to grab NordVPN user data, it goes to the application’s directory – AppData\Local\NordVPN – and looks for .config files. In these files, it looks for "//setting / value" nodes.

OpenVPN and ProtonVPN differ only in their directory paths and configuration file extensions (.ovpn for OpenVPN). FTP login data is stolen by parsing the corresponding config files in the application’s root directory; for FileZilla those are recentservers.xml and sitemanager.xml.

Specific files/folders

Aside from the pre-defined data categories, RedLine can grab arbitrary files if its master commands so. It accepts searches for files of specific formats and names; the master may also tell the malware to take the entire contents of a directory with a specific name. This function may be useful in targeted attacks, when the threat actor knows there could be valuable files (blueprints, reports etc.) that lie beyond the reach of the modules aimed at user account data.

File search config
Configurations for file searching

Protection against RedLine

As with any other advanced malware, it is better to avoid RedLine appearing at all than to get ready to fix up the system after the attack. These proactive methods build around the way the malware propagates to your system.

Be careful with messages on social media and email. Sure, they generally pose no threat, but hackers count on you thinking exactly that. The impersonation techniques that are usual for RedLine operators let them look natural, especially since the messages they spread fit their disguise. For that reason, check every “generous offer” twice – for example, on the official website. If there is neither corresponding information nor an announcement of any giveaway or partnership, stay away from it.

Keep an eye on the ads you click. Malvertising may lead to a wide range of problems, from unwanted programs to adware. But RedLine piggybacks on Google Ads, which are considered safe and free of such things, and therefore carries even more danger – the horrific statistics of the latest campaign of malicious ads in Google search results confirm that. Fortunately, the URLs of the pages these ads promote are quite easy to distinguish from the original ones. Another piece of advice is to avoid any ads in search results and scroll down to the actual pages, so that you click only the genuine thing.

Use advanced security solutions. This is both a proactive and a reactive measure, as it helps eliminate sophisticated threats like dropper malware and prevents further attempts. For corporate security, things like an Extended Detection and Response system, SIEM, firewalls and UBA are essential, and the first of these forms the backbone of the entire cybersecurity system. But even for single users, having a reliable program that finds and defeats any threat is a good decision.

RedLine IoC

Hashes


IP addresses


MITRE ATT&CK

Technique ID  Name
T1566         Phishing
T1539         Steal Web Session Cookie
T1552         Unsecured Credentials
T1204         User Execution
T1555         Credentials from Password Stores
T1113         Screen Capture
T1614         System Location Discovery
T1124         System Time Discovery
T1007         System Service Discovery
T1087         Account Discovery
T1518         Software Discovery
T1057         Process Discovery
T1120         Peripheral Device Discovery
T1571         Non-Standard Port
T1095         Non-Application Layer Protocol
T1041         Exfiltration Over C2 Channel