
What is RedLine?
March 13, 2023
RedLine is a stealer malware that primarily targets banking credentials, though it is capable of extracting other information as well. Its key focus is breaking into the victims' web browsers to gather account information, AutoFill data and anything else of value stored there. Convenient controls together with built-in anti-detection and anti-analysis features have made RedLine one of the most popular and prolific stealers on the market. Another notable thing about RedLine is its spreading methods, which differ from the usual propagation through email spam.
RedLine samples
The first mentions of this stealer date back to early 2020, but the first notable spike of activity happened only half a year later. It is spread under a Malware-as-a-Service model, primarily through advertisements in Telegram groups. Subscription plans range from $100 for one week to $800 for a lifetime "licence". The sample is supplied along with a crypter, a specific piece of software used to encrypt the malware sample before deploying it in the wild. That procedure decreases the chance of detection and complicates analysis attempts.

RedLine malware spreading
Above we mentioned that RedLine applies some unusual ways of self-propagation, different from what is considered common these days. Email spam is both effective and cheap, but attracts too much attention. The crooks who spread this malware have their own options, although they do apply spam in certain cases. And it seems they have mastered their approaches well enough to overtake all competitors.
Spam in social media
Social network accounts, especially ones that belong to celebrities or well-known organisations, are generally trusted by their subscribers. Facebook, Twitter, Instagram: any social media accessible from a PC will fit; the key point is to find the accounts with the most trust. Social engineering, or a preceding malware injection, supplies the hackers with the account's credentials, and then the show starts.
Crooks that use this method to spread RedLine rarely resort to obvious spam that is easily recognised. Instead, they try to look convincing enough, with banners that include details about the organisation or person and are related to their usual business. For example, using an ISP's account, hackers made a post promoting free Adobe software, with a link that led to a RedLine download. It is something people may expect from a provider, appreciating such care for their clients, and thus they take the bait.

Dropper malware
A dropper, or downloader, is a kind of malware used to deliver other malware to the infected computer. Extensive networks of computers running a dropper are offered widely on the Darknet, so anyone can pay to have their malware uploaded to these PCs. RedLine operators do not disdain this way of spreading, as it has proven to be quite efficient. Problems may appear if the network is "used", i.e. a lot of other malware has already been delivered, and most of the valuable information is likely to have been extracted already.
RedLine is sometimes applied as an "instant" payload of droppers. That happens when hackers seek to get into the system as stealthily as possible and then, after gaining initial access, deploy their own lineup of malicious programs. That typically happens with the SmokeLoader backdoor, which in turn is often delivered along with STOP/Djvu ransomware. Besides that, samples of this malware delivered by a dropper differ significantly from ones delivered in other ways.
Google Search malvertising
Google is considered a trustworthy advertising platform, where both users and advertisers may be confident about what they see and click. But as the saying goes, never say never. Recent events, with a massive flow of malicious ads in Google Search results, turned it into a very potent method of malware spreading. That is not the first case of something malicious slipping into Google ads, but the scale of the current case is unprecedented. Most often, these sites replicate the websites of free software developers, or the official pages for downloading some auxiliary software, like drivers or toolkits.
In this case the malware is masked as a legitimate software pack: a ZIP archive. Its name resembles what the victim is supposed to download, lulling their attention. At the same time, the sample within this archive is bloated with null sections, so it exceeds the size limit of certain sandboxes and anti-malware software. However, it retains all the functionality of a regular RedLine sample and is ready for mischief as usual after unpacking.
RedLine Stealer Analysis
First and foremost, let's have a look at the way RedLine unfolds after being delivered to the target system. Above we mentioned the "cryptor", used to protect malware strings before they are actually used. Together with obfuscation and unique packing for each sample, this encryption tool makes the sample quite tough to detect, despite the relative ease of its analysis. Being based on C#, RedLine is not very complicated for reverse engineering tools, and thus reverting the compiler's job and seeing the code is not a hard task.
One distinctive feature of RedLine compared to other malware is the form it arrives in. It is a binary file that contains a wide selection of junk code, which confuses anti-malware detection. The actual payload is contained within a .cab file, encrypted with RC4 and placed among the sections of the mentioned binary. Three files from this archive are the actual payload, the script that launches it, and another script. The latter checks the environment for running processes of anti-malware software. This script is launched first of all, and if it detects the presence of the defined anti-malware programs, further execution is cancelled. But when the check goes smoothly, it simply passes execution to the actual payload.

To run itself, the malware relies on a loader; the latest versions of RedLine use an AutoIt script attached to the main payload, but nothing stops it from using any other variant of shell code. This obfuscated script is needed to decrypt malware strings, create the facilities for further malware execution and make the payload run. To store all the contents of the .cab archive we mentioned above, it creates a folder in the Users/Temp directory. It also copies the ntdll.dll library, renames it and adds it to this folder as well; all further calls to this library will go to this instance instead of the original one. This, most probably, is yet another anti-detection step, since EDR solutions often check calls to system libraries.
Persistence in the attacked environment is established with the Task Scheduler. Aside from that, RedLine creates another folder in the Temp directory, which is needed to store the malware loading script (the one we described above). Using Command Prompt, the malware creates a task that runs this script every 3 minutes.
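An added example (not from the original article) of turning the persistence detail above into a check: Python that scans `schtasks /query /fo CSV /v` output for tasks whose action lives under a Temp folder and repeats every few minutes. The sample rows and the reduced column set are constructed for the demo; the real schtasks output carries many more columns, so the reader is expected to feed it the full CSV.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /fo CSV /v` output, reduced to the
# columns this check needs. Paths and task names are made up for the demo.
SAMPLE_CSV = """\
"TaskName","Task To Run","Schedule Type","Repeat: Every","Run As User"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","Weekly","Disabled","SYSTEM"
"\\UpdateCheck","C:\\Users\\alice\\AppData\\Local\\Temp\\7fd2a1\\loader.au3","One Time Only","0:03:00","alice"
"\\OneDrive Reporting","C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","Daily","0:01:00","alice"
"""

# A task whose action sits under a ...\Temp\... folder is unusual for legitimate software.
TEMP_PATH = re.compile(r"\\(?:Temp|Tmp)\\", re.IGNORECASE)


def repeat_minutes(value):
    """Parse the 'Repeat: Every' column (H:MM:SS) into minutes; None when the task does not repeat."""
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value.strip())
    if not m:
        return None
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 60 + minutes + seconds / 60


def suspicious_tasks(csv_text, max_minutes=5.0):
    """Return (task name, action, interval) for tasks that both run from a Temp
    folder and repeat at a short interval, the pattern of RedLine's loader task."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run", "")
        every = repeat_minutes(row.get("Repeat: Every", ""))
        if TEMP_PATH.search(action) and every is not None and every <= max_minutes:
            hits.append((row["TaskName"], action, every))
    return hits


if __name__ == "__main__":
    for name, action, every in suspicious_tasks(SAMPLE_CSV):
        print(f"{name}: runs {action} every {every:g} min")
```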

Propagation through dropper malware
Most of the time, RedLine appears as stand-alone malware, and this dictates the launching manner we described above. However, in attacks upon advanced targets, like organisations, the use of downloaders is more common, as their stealthiness is a much better choice for well-protected environments. That, in turn, changes the chain of actions that precede malware execution. Most of the changes concentrate around the fact that RedLine is delivered without the excessive "masking" parts of the binary file. However, the deep encryption recommended by the malware developers is enough to prevent detection with this form of propagation.
After getting into the infected system and launching, a shellcode is started. Its purpose is to decrypt RedLine and hollow it into a system process to make it stealthy. Using an embedded XTEA encryption key, it decrypts the DLL, which is actually the malware in the form of a .NET assembly. To place the decrypted and decompressed strings, RedLine allocates a memory area using the VirtualAlloc function and secures it with the PAGE_EXECUTE_READWRITE protection.
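As an added illustration of the decryption step described above (not code from the sample or from the article's authors): a minimal XTEA decryptor in Python, applied to a constructed stand-in blob and checked for the MZ header a .NET DLL must start with. The key, the little-endian word order and the ECB mode are assumptions for the demo; a real sample's key and block layout have to be recovered from the shellcode.

```python
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9  # XTEA round constant


def xtea_encrypt_block(v0, v1, key, rounds=32):
    """Encrypt one 64-bit block (two 32-bit words) with a 4-word key."""
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
    return v0, v1


def xtea_decrypt_block(v0, v1, key, rounds=32):
    """Inverse of xtea_encrypt_block: same key schedule, walked backwards."""
    s = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
    return v0, v1


def xtea_ecb(data, key, decrypt=True):
    """Apply XTEA block by block. Demo assumptions: little-endian words, a 16-byte
    key, no chaining (ECB) and data already padded to 8-byte blocks."""
    if len(key) != 16 or len(data) % 8:
        raise ValueError("XTEA needs a 16-byte key and 8-byte aligned data")
    k = struct.unpack("<4I", key)
    block_fn = xtea_decrypt_block if decrypt else xtea_encrypt_block
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *block_fn(v0, v1, k))
    return bytes(out)


def recover_assembly(blob, key):
    """Decrypt an embedded blob and check for the MZ header a PE image starts with."""
    plain = xtea_ecb(blob, key, decrypt=True)
    if plain[:2] != b"MZ":
        raise ValueError("no PE header after decryption: wrong key or wrong layout")
    return plain


# Constructed demo input: a fake 'DLL' padded to a block boundary and a made-up key.
DEMO_KEY = bytes(range(16))
DEMO_DLL = b"MZ\x90\x00demo-assembly".ljust(24, b"\x00")
DEMO_BLOB = xtea_ecb(DEMO_DLL, DEMO_KEY, decrypt=False)

if __name__ == "__main__":
    print(recover_assembly(DEMO_BLOB, DEMO_KEY))
```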

At the next stage, execution is passed to another part of the binary that performs anti-analysis check-ups. But instead of the more usual process enumeration, searching for processes that correspond to sandboxes or virtual machines, it checks specific values of the environment and the DLLs that are loaded. If the COR_ENABLE_PROFILING variable is true (i.e. 0x1), the malware skips any further execution. The same is done if clrjit.dll or mscorjit.dll are present, as these libraries are used in debugging procedures of the .NET Framework.
If the check-ups are passed, the malware proceeds with loading the main part of its assembly from the Resources section. To spin up a new instance of the .NET runtime, the malware uses mscoree.dll, specifically its CLRCreateInstance function. After that, RedLine finishes the unwrapping process by calling the Assembly.Load function.

C2 communication
In either case, the first thing RedLine does after being unwrapped and launched is attempt to contact the command and control server. However, just before that it also performs a so-called region check. If the detected IP address of the infected device belongs to an ex-USSR country, the malware cancels execution. That is pretty typical behaviour for malware whose developers live in those countries. The same behaviour is recorded in SmokeLoader malware: it stops execution if a banned region is detected. The list of regions is hardcoded, thus it is not possible to change the preferences without access to the source code.

The data blob responsible for contacting the command server is hardcoded into the malware and uses the same RC4 encryption and Base64 encoding as the rest of the sample. It contains the IP address and bot ID information. A sample may carry numerous IPs and ports of command servers, but most of the time we witnessed only a single address present.
The initial message is needed only to notify the C2 about a new infected computer, thus it contains only a bot ID and a short text message. The latter is commonly blank, but may contain something distinctive, in order to group the bots or the like. After the initial message, another one follows: an HTTP GET request that asks for the config information. The config defines which functions the malware will use in the infected system.
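An added example, not part of the original analysis: decoding a Base64-wrapped, RC4-encrypted C2 blob in Python, the way an analyst pulls the server addresses and bot ID out of a configuration once the key is known. The key, the field separators and the addresses (documentation ranges) are constructed for the demo and do not reflect RedLine's real layout.

```python
import base64
from dataclasses import dataclass


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


@dataclass
class C2Config:
    servers: list   # list of (host, port) tuples
    bot_id: str


def decode_c2_blob(blob_b64, key):
    """Base64-decode, RC4-decrypt and split the fields.
    The layout 'host:port,host:port|bot_id' is a constructed demo format, not RedLine's."""
    raw = rc4(key, base64.b64decode(blob_b64)).decode("utf-8")
    addr_part, bot_id = raw.split("|", 1)
    servers = []
    for entry in addr_part.split(","):
        host, port = entry.rsplit(":", 1)
        if not 0 < int(port) < 65536:
            raise ValueError(f"port out of range in {entry!r}")
        servers.append((host, int(port)))
    return C2Config(servers, bot_id)


def encode_c2_blob(cfg, key):
    """Inverse helper, used only to build the constructed sample below."""
    raw = ",".join(f"{h}:{p}" for h, p in cfg.servers) + "|" + cfg.bot_id
    return base64.b64encode(rc4(key, raw.encode("utf-8"))).decode("ascii")


# Constructed sample: a made-up key and documentation-range addresses, standing in
# for what an analyst has after extracting the key from the sample's string decryptor.
DEMO_KEY = b"demo-rc4-key"
DEMO_BLOB = encode_c2_blob(C2Config([("192.0.2.10", 4132), ("198.51.100.7", 80)], "build01"), DEMO_KEY)

if __name__ == "__main__":
    print(decode_c2_blob(DEMO_BLOB, DEMO_KEY))
```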

For scanning the directories, the malware receives additional configuration files, which contain information regarding both the paths and the file types/file names to look for. To send the data back to the server, the malware uses HTTP POST requests with a specific ID marker in the message header. This number may vary from 1 to 24; each corresponds to a specific type of data. The malware automatically forms and sends the POST request after it succeeds in extracting that specific type of data.

RedLine Data Stealing
The first and foremost capability of the RedLine stealer is reconnaissance of the environment it is running in. It is not about anti-detection and anti-analysis tricks, but about having a full footprint of the system. The malware is capable of this even when it receives a blank config from the C2, i.e. it is its basic functionality. The collected data includes:
- Time Zone
- Languages
- Hardware information
- Username
- Windows version and build
- Screenshot
- Installed browsers
- Installed antivirus software
- Currently running processes
Using configurations, however, RedLine can grab a much wider range of data, including passwords of different categories, bank card numbers and cryptocurrency wallets, as well as data from web browsers and several specific desktop applications. Let's have a look at each data source.
Web browsers
RedLine can break into numerous web browsers, from ever-popular ones like Chrome, Opera and Firefox to alternatives based on Chromium and Quantum. The key points of interest are divided into in-browser data and data from add-ons related to cryptocurrency wallets. The stealer can take saved passwords and credit card data from AutoFill forms. Actually, it can grab whatever it finds in auto-fill, since this is its main way of stealing data from browsers. Another thing RedLine seeks in web browsers is cookies. Whichever way the browser stores cookies (i.e. as an encrypted file or within an SQL database), the malware can extract them as well.
Browser extensions are a bit of a different story. The malware carries a hefty list of extensions that are used to manage hot cryptocurrency wallets, and it scans web browser files in order to locate any of them. Then it dumps data related to all the matches (or skips this step if none are found). It specifically aims at passwords and cookies related to these extensions, copying whatever it locates to its folder with files. The list of wallets it targets is as follows:
| Wallet extension | Wallet extension | Wallet extension |
|---|---|---|
| Metamask | EqualWallet | MathWallet |
| Coinbase | BinanceChain | BraveWallet |
| GuardaWallet | YoroiWallet | Tronlink |
| NiftyWallet | JaxxxLiberty | Phantom |
| Oxygen | MewCx | GuildWallet |
| SaturnWallet | RoninWallet | TerraStation |
| HarmonyWallet | Coin98Wallet | PaliWallet |
| BoltX | BitAppWallet | NamiWallet |
| MaiarDeFiWallet | Authenticator | iWallet |
| Wombat | AtomicWallet | TonCrystal |
| KardiaChain | LiqualityWallet | XdefiWallet |
Desktop applications
There are 3 desktop programs RedLine pays specific attention to: Discord, Steam and Telegram messenger. The primary target is session hijacking and stealing files related to sessions (in Telegram). The first two have a similar way of session management, based on tokens. Attacking them, the malware goes to their directories in AppData\Roaming and rummages through their files searching for session tokens. The malware knows the naming pattern used by both Steam and Discord, and it searches specifically for files that fit this naming convention.
Telegram has a different mechanism of session handling, which does not allow the same trick. For that reason, RedLine simply grabs all possible files related to the user session, stored in the AppData\Telegram Desktop\tdata folder.
VPN and FTP applications
RedLine is capable of stealing login credentials for several VPN services and FTP applications: OpenVPN, NordVPN, ProtonVPN and FileZilla. For VPNs, it simply searches for config files in their user directories. For example, to grab the user's data from NordVPN, it goes to its directory, AppData\Local\NordVPN, and searches for .config files. In these files, it looks for "//setting / value" nodes.
OpenVPN and ProtonVPN differ only in their directory paths and the extensions of their configuration files (.ovpn for OpenVPN). FTP login data is stolen by parsing the corresponding config files in the application's root directory. For FileZilla those are recentservers.xml and sitemanager.xml.
Specific files/folders
Aside from the pre-defined data categories, RedLine is able to grab any files if its master commands so. It accepts searches for files of specific formats and names; the master may also ask the malware to get all the contents of a directory with a specific name. This function may be useful during targeted attacks, when the threat actor knows that there could be valuable files (blueprints, reports etc.) that go beyond the capabilities of the modules aimed at user account data.

Protection against RedLine
As with any other advanced malware, it is better to avoid RedLine appearing at all than to fix up the system after the attack. These proactive methods build around the ways the malware propagates to your system.
Be careful with messages on social media and email. Sure, they generally do not pose any threat, but hackers hope that you will think exactly like that. The impersonation techniques that are pretty usual for RedLine operators allow them to look natural, especially considering that they generally spread messages that fit their disguise. For that reason, you should check every "generous offer" twice, for example on the official website. If there is neither corresponding information nor an announcement of any giveaway or partnership, stay away from it.
Keep an eye out for the ads you're clicking on. Malvertising may lead you to a wide range of different problems, from unwanted programs to adware. But RedLine parasitises Google Ads, which are considered safe and free of such things. Therefore, they carry even more danger, and the horrific statistics of the last campaign related to malicious ads in Google search results confirm that thesis. Fortunately, the URLs of the pages these ads promote are quite easy to distinguish from the original ones. Another piece of advice is to avoid any ads in search results and scroll down to the actual pages, so you will click only the genuine thing.
Use advanced security solutions. This is both a proactive and a reactive measure, as it will help to eliminate sophisticated threats like dropper malware and prevent any further attempts. For corporate security, things like an Extended Detection and Response system, SIEM, firewalls and UBA are essential, and the former is what creates the backbone of the entire cybersecurity system. But even for single users, having a reliable program that will find and defeat any threat is a good decision.
RedLine IoC
Hashes
IP addresses
MITRE ATT&CK
| Technique ID | Name | Technique ID | Name |
|---|---|---|---|
| T1566 | Phishing | T1539 | Steal Web Session Cookie |
| T1552 | Unsecured Credentials | T1204 | User Execution |
| T1555 | Credentials from Password Stores | T1113 | Screen Capture |
| T1614 | System Location Discovery | T1124 | System Time Discovery |
| T1007 | System Service Discovery | T1087 | Account Discovery |
| T1518 | Software Discovery | T1057 | Process Discovery |
| T1120 | Peripheral Device Discovery | T1571 | Non-Standard Port |
| T1095 | Non-Application Layer Protocol | T1041 | Exfiltration Over C2 Channel |