RedLine Stealer - What You Need to Know

What is RedLine Stealer?

September 12, 2023

Only a few things will reach the top of charts – that rule works for pretty much everything. Malware is not an exclusion, and RedLine stealer shows what is a real difference between ordinary and advanced malware examples.

RedLine is a stealer malware that aims primarily at banking credentials, but being capable of extracting other information as well. Its key focus is hacking the victims’ web browsers in order to gather account information, AutoFill data and any other valuable things that may be located. Convenient controls together with built-in anti-detection and anti-analysis features made RedLine one of the most popular and prolific stealers present on the market. Another notable thing regarding RedLine stealer is its spreading ways that differ from regular propagation through email spam.

RedLine Stealer Samples

First mentions of this stealer are dated back in early 2020, but the first notable spike of activity happened only a half year later. It is spread under Malware-as-a-service model, primarily through advertisements in Telegram messenger groups. Subscription plans differ from $100 for one week to $800 for lifetime “licence” for RedLine. Sample is supplied along with a crypter – a specific software used to encipher malware sample before deploying it in the wild. That procedure decreases the chance of detection and complicates analysis attempts.

RedLine Stealer Spreading

Above we mentioned that RedLine Stealer applies some unique ways of self-propagation, different from what is considered usual these days. Email spamming is both effective and cheap, but attracts too much attention. Crooks who spread this malware have their own options, despite applying spam in certain cases. And it seems they mastered their approaches well enough to overtake all competitors.

Spam in social media

Social network accounts, especially ones that belong to celebrities or well-known organisations, are generally trusted by their subscribers. Facebook, Twitter, Instagram – any social media accessible from PC will fit, the key point is to find accounts that have the most trust. Social engineering, or preceding malware injection supplies hackers with account’s credentials, and here the show starts.

Crooks that use this method to spread RedLine rarely fall into obvious spam that may easily be recognised. Instead, they try to look convincingly enough with banners that include details about the organisation or a person, and are related to their usual business. For example, using an ISP provider’s account hackers made a post with a link that led to RedLine Stealer downloading, which promoted free Adobe software. It is something people may expect from a provider and appreciate such care about their clients – and thus will eat the bait.

Dropper malware

Dropper, or downloader, is a kind of malware used to deliver other malware to the infected computer. Extensive networks of computers that are running a dropper are offered widely in the Darknet, so anyone can pay for uploading their malware to these PCs. RedLine masters do not disdain this way of spreading, as it is proven to be pretty efficient. The problems may appear if the network is “used”, i.e. a lot of other malware was already delivered, and most of the valuable information is likely to be already extracted.

RedLine Stealer is sometimes applied as an “instant” payload of droppers. That happens when hackers seek to get into the system as stealthy as possible, and then, after gaining initial access, deploy their own lineup of malicious programs. That typically happens with SmokeLoader backdoor, which is in turn often delivered along with STOP/Djvu ransomware. Besides that, samples of this malware delivered by a dropper seriously distinct from ones delivered in a different way.

Google Search malvertising

Google is considered a trustworthy advertising platform, where both users and advertisers may be confident about what they see and click. But as the saying goes, never say never. Recent events with massive flow of malicious ads in Google Search results became a very potent method of malware spreading. That is not the first case when something malicious slips into Google ads, but the scale of a current case is unprecedented. Most often, these sites replicate the websites of free software developers, or the official pages for downloading some auxiliary software, like drivers or toolkits.

Typical example of Google search ads flooded by malicious links

Malware in this case is masked as a legit software pack – a ZIP archive. The one’s name resembles what the victim is supposed to download, lulling its attention. At the same time, the sample within this archive is bloated with null sections, thus it will exceed the size limit of certain sandboxes and anti-malware software. However, it retains all the functionality of a regular RedLine Stealer sample, and is ready to mischief as usual after the unpacking.

RedLine Stealer Analysis

First and foremost, let’s have a look at the way RedLine is unfolding after being delivered to the target system. Above we mentioned the “cryptor”, used to protect malware strings before they are actually launched. Together with obfuscation and unique packing for each sample, this encryption tool makes the sample quite tough to detect, despite relative ease of its analysis. Being based on C# RedLine is not very complicated for reverse engineering tools, and thus reverting the compiler job and seeing the code is not a hard task.

One distinctive feature of RedLine compared to other malware is the form it arrives at. It is a binary file that contains a wide selection of junk code, which confuses anti-malware detection. Actual payload is contained within a .cab file, encrypted with RC4 and placed among the section of a mentioned binary. Three files from this archive are the actual payload, script that launches it, and a script. The latter checks the environment for the presence of running processes of anti-malware software. First of other things, this script is getting launched, and if it detects the presence of defined anti-malware programs, further execution is cancelled. But when the check goes smoothly, it simply passes the execution to an actual payload.

To run itself, malware bears on a loader; last versions of RedLine Stealer use AutoIt script attached to the main payload, but nothing stops it from using any other variant of shell code. This obfuscated script is needed to decrypt malware strings, create facilities for further malware execution and make the payload run. To store all the contents of the .cab archive we mentioned above, it creates a folder in the Users/Temp directory. It also copies an ntdll.dll library, renames it and adds to this folder as well; all further calls to this library will go to this instance instead of the original one. This, most probably, is yet another anti-detection step – EDR solutions often check the calls to system libraries.

Establishing persistence in the attacked environment is done with the use of Task Scheduler. Aside from that, RedLine Stealer creates another folder in the Temp directory, that is needed to store the malware loading script (the one we described above). Using Command Prompt, malware creates a task to run this script every 3 minutes.

Propagation through dropper malware

Most of the time, RedLine Stealer appears as stand-alone malware, and this dictates the launching manner we described above. However, in attacks upon advanced targets, like organisations, the use of downloaders is more common – their stealthiness is a much better choice for well-protected environments. That, in turn, changes the chain of actions that precede malware execution. Most of the changes are concentrated around the fact that RedLine is delivered without excessive “masking” parts of the binary file. However, the deep encryption recommended by malware developers is enough to prevent detection with this form of propagation.

After getting into the infected system and launching, a shellcode is started. Its common purpose is to decrypt RedLine Stealer and hollow it into a system process to make it stealthy. Using an embedded XTEA encryption key, it decrypts the DLL which actually is a malware in a form of .NET assembly. To place the decrypted and decompressed strings, RedLine allocates memory area using VirtualAlloc function, and secures it with PAGE_EXECUTE_READWRITE privilege.

At the next stage, execution is passed to another part of a binary that performs anti-analysis checkups. But instead of more usual process enumeration and searching for ones that correspond to sandboxes or virtual machines, it checks specific values of the environment and runs DLLs. If Cor_Enable_profiling variable is true (i.e. 0x1), malware will skip any further execution. Same is done if there are clrjit.dll or mscorjit.dll – libraries used in debugging procedures of .NET Framework.

If the check-ups are passed, malware proceeds with loading the main part of its assembly from the Resources section. To call for the new instance of .NET Framework, malware plays with mscoree.dll, actually, its CLRCreateInstance function. After that, RedLine Stealer finishes the unwrapping process by calling the Assembly.Load function.

C2 communication

In either case, the first thing after being unwrapped and launched, RedLine will attempt to contact the command and control server. However, just before that it also performs a so-called region check. If the detected IP address of the infected device belongs to an ex-USSR country, malware cancels execution. That is a pretty typical behaviour for malware whose developers live in these countries. Same behaviour is recorded in SmokeLoader malware – it stops execution if the banned region is detected. The list of regions is hardcoded, thus it is not possible to change the preferences without having access to the source code.

The data blob that is responsible for contacting the command server is hardcoded into malware, and uses the same RC4 encryption and Base64 encoding as the rest of the sample. It contains IP address and bot ID information. A sample may carry numerous IPs and ports of command servers, but most of the time we witnessed only a single address present.

Initial message is needed only to notify the C2 about a new infected computer, thus it contains only a bot ID and a short text message. The latter is commonly blank, but may contain something distinctive, in order to group the bots or the like. After the initial message, the other comes up – an HTTP GET request that obviously asks for the config information. The latter defines which functions malware will use in the infected system.

For scanning the directories, malware receives additional configuration files, which contain the information regarding both paths and file types/file names to look for. To send the data back to the server, malware uses HTTP POST requests with a specific ID marker at the message header. This number may vary from 1 to 24; each of them corresponds to a specific type of data. Malware automatically forms and sends the POST request after succeeding with extracting the specific type of data.

RedLine Data Stealing

First and foremost capability of the RedLine Stealer is reconnaissance of the environment it is running in. It is not about anti-detection and anti-analysis tricks, but about having a full footprint of a system. Malware is capable of this action even when it receives a blank config from the C2, i.e. it is its basic functionality.

• Time Zone
• Languages
• Hardware information
• Username
• Windows version and build
• Screenshot
• Installed browsers
• Installed antivirus software
• Currently running processes

Using configurations, however, RedLine Stealer can grab a much wider range of data, including passwords of different categories, bank card numbers and cryptocurrency wallets, and also data from web browsers and several specific desktop applications. Let’s have a look at each data source.

Web browsers

RedLine can break into numerous web browsers – from ever-loved ones, like Chrome, Opera and Firefox, to alternatives based on Chromium and Quantum. Key points of interest there are divided to in-browser data, and data from add-ons related to cryptocurrency wallets. The stealer can take saved passwords and credit cards data from AutoFill forms. Actually, it can grab whatever it finds in auto-fill, since this is its main way of stealing data from browsers. Another thing RedLine Stealer seeks for in web browsers is cookies. Depending on the way the browser stores cookies (i.e. as an encrypted file or within an SQL database), malware can extract them as well.

Browser extensions are a bit of a different story. Malware brings a hefty list of extensions that are used to manage hot cryptocurrency wallets. Malware scans web browser files in order to locate some of them. Then it dumps data related to all the matches (or skips if none are found). It specifically aims at passwords and cookies related to these extensions, copying whatever it locates to its folder with files. List of wallets it targets is as follows:

Desktop applications

There are 3 desktop programs RedLine Stealer pays specific attention to. Those are Discord, Steam and Telegram messenger. Primary target is session hijacking and stealing files related to sessions (in Telegram). The first and second ones have a similar session management way, based on tokens. Attacking them, malware goes to their directories in AppData\Roaming and rummaging through their files searching for session tokens. Malware knows the naming pattern used by both Steam and Discord, and it searches specifically for the files that fit this naming convention.

Telegram has a different mechanism of session handling, which does not allow the same trick. For that reason, RedLine Stealer only grabs all possible files related to the user session, stored in the AppData\Telegram Desktop\tdata folder.

VPN and FTP applications

RedLine is capable of stealing login credentials for several VPN services and FTP applications. Those are OpenVPN, NordVPN, ProtonVPN and FileZilla. For VPNs, it simply searches for config files in their user directories. For example, to grab the users’ data in NordVPN, it searches its directory – AppData\Local\NordVPN – and searches for .config files. In these files, it looks for nodes "//setting / value".

OpenVPN and ProtonVPN differ only with their directory paths and extensions of configuration files (.ovpn for OpenVPN). FTP login data is getting stolen through parsing the corresponding config files in the root directory. For FileZilla those are recentservers.xml and sitemanager.xml.

Specific files/folders

Aside from the pre-defined data categories, RedLine Stealer is able to grab any files if its master will command so. It accepts searching for the files of specific formats and names; master may also ask malware to get all the contents of a directory with a specific name. This function may be useful during targeted attacks, when the threat actor knows that there could be valuable files (blueprints, reports etc.), but they go beyond the capabilities of modules that aim at user account data.

Protection against RedLine

As any other advanced malware, it is better to avoid the RedLine appearance at all, than to get ready to fix up the system after the attack. These proactive methods build around the way malware propagates to your system.

Be careful with messages on social media and email. Sure, they generally do not pose any threat, but hackers hope that you will thing exactly like that. Impersonation techniques which are pretty usual for RedLine Stealer operators allow them to look natural, especially considering that they generally spread messages that fit their disguise. For that reason, you should check every “generous offer” twice – for example, on their official website. If there is neither corresponding information nor announcement of any giveaway or partnership – stay away from any of those.

Keep an eye out for ads you’re clicking on. Malvertising may lead you to a wide range of different problems – from unwanted programs to adware. But RedLine parasites on Google Ads, that are considered safe and free of such things. Therefore, they carry even more dangers – and horrific statistics upon the last campaign related to malicious ads in Google search results confirms that thesis. Fortunately, URLs of the pages these ads promote are quite easy to distinguish from original ones. Other advice is to avoid any ads in search results, and scroll down to actual pages – so you will click only a genuine thing.

Use advanced security solutions. This is both a proactive and reactive measure, as it will help to eliminate sophisticated threats like dropper malware, and prevent any further attempts. For corporate security, things like Extended Detection and Response system, SIEM, firewalls and UBA are essential – and the former is what creates a backbone for the entire cybersecurity system. But even for single users, having a reliable program that will find and defeat any threat is a good decision.

RedLine Stealer IoC

IP addresses

Note: large and long-term C2s i.e. ones that have numerous connections, are marked in bold.

MITRE ATT&CK