RedLine Stealer

INTRODUCTION


A list of RedLine Stealer configurations was found on 19SEP2021 on Twitter, showing hashes, C2_proxy, and the encryption key. RedLine Stealer is a MaaS (Malware as a Service) found in forums and markets for sale.

FINDINGS

  • RedLine Stealer was first seen in 2020 and currently has active subscribers.
  • RedLine Stealer is being sold as a Malware as a Service with monthly and lifetime subscriptions at a cost of $150 and $800, respectively, in Bitcoin or Litecoin.
  • Found in multiple forums and markets with posts on clear and dark web sites to buy and/or sell RedLine Stealer.
  • This malware family is similar to other stealers, such as Raccoon Stealer, and to other Trojans.
  • Malware is sent via unsolicited email and/or social media direct message targeting 3D artists, streamers, and financial advisors, generally in North America and Europe.
  • The control panel reveals that, once connected, a compromised machine will collect credentials and other information from a list of domain names to be sent back to its command and control.

INVESTIGATION

Hash: b07760589702286f350630f5bb18ccbc207de6520c481e6fbc50ee7b2c30b13f
Name: Laskets
Type: .exe

After running the sample, Wireshark recorded communication with the IP addresses 194.23.139[.]70 (Telia—Sweden) and 52.202.42[.]171 (Amazon AWS—U.S.).

Although the sample attempted to reach out to IP address 194.23.139[.]70, no connection was established and no payload was dropped. The connection to IP address 52.202.42[.]171 succeeded and returned an nginx server default page.

Figure 3 : Server Landing Page from IP address 52.202.42[.]171

RedLine Stealer collects credentials and information saved in web browsers, such as autocomplete data. Once a system is infected, an inventory of it is taken, gathering usernames, location, configurations, and installed security software. File Transfer Protocol (FTP) and Instant Messaging (IM) clients are also targeted, and this family has the capability to upload and download files and execute commands, sending the gathered information back to the command-and-control server. RedLine Stealer is distributed via Office, PDF, RAR, ZIP, executables, and JavaScript. BEC and social engineering attacks using Covid-19 lures have targeted 3D digital artists, financial advisors, and gamers via the Steam gaming client. Attack vectors have included malicious Google ads and direct messages on Twitter and Instagram.

RedLine Stealer Telegram

RedLine Stealer was also observed in the Telegram group chat “Redline Stealer Members”, where a file named RedLine_21_2.rar was posted on 11SEP2021, along with the message “REDLINE STEALER v21.2 update from 09/11/2021” (translated from Russian). The message reads as follows:


What’s new?

  • In the Builder tab there is a function to select a method for sending a log: next to the
    “Build stealer” button is a checkbox, “Send log by parts”, which is checked by default. If the
    checkbox is enabled, the log will be sent in parts during collection; if disabled, then the
    log is first completely collected, and then completely sent to the panel.
  • Cleaned stealer detection

From the profile details of the “Redline Stealer Members” group chat, the English-language bot selling RedLine Stealer on Telegram was located. Interaction with the bot provided both weekly and monthly subscription prices, as well as the Bitcoin and Litecoin addresses to which payment was to be sent before access was granted.

Figure 4 : RedLine Stealer Members User Group Information

Figure 5 : Telegram Message Containing RedLine Stealer v21.2

Figure 6 : RedLine Stealer Bot Monthly Subscription

Figure 7 : RedLine Stealer Bot Lifetime Subscription

Figure 8 : Bitcoin and Litecoin Address for Subscription Payment

At the time of this report, both BTC addresses had a zero balance and no transactions. Once payment is submitted through the bot and “Confirm” is selected, the bot replies with the message “Transactions Possible within 10 minutes. Please wait.”

RedLine Panel

The RedLine Stealer Control Panel login page, paths, targeted browsers, and grabbers were found within the Telegram file RedLine_21_2.rar.

Figure 9 : Panel Login

Figure 10 : Targeted Browsers User Path

The Desktop and Documents folders of user profiles were searched for files with the following extensions: txt, doc, key, wallet, and seed.

Figure 11 : Search of User Profile Desktop and Documents Folder
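An added example, not from the report or the malware, of how an incident responder would use the grabber scope above to triage an infected host: given a file inventory from an endpoint agent, it lists which files sat inside the Desktop or Documents folder of a user profile with one of the five listed extensions, grouped by profile so the affected users can be notified. The folder names and extensions are the report's; the sample paths, the function names, and the `recursive` parameter (the report does not say whether subfolders are searched) are this example's own assumptions.

```python
"""Scope which files on a host fall inside the RedLine file-grabber search
described in the report (Desktop and Documents, extensions txt, doc, key,
wallet, seed) for incident-response triage.

Added example: the path inventory is constructed, and `recursive` is an
assumption because the report does not state the search depth.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

GRABBER_FOLDERS = {"desktop", "documents"}            # compared case-insensitively
GRABBER_EXTENSIONS = {"txt", "doc", "key", "wallet", "seed"}

# Constructed inventory of paths an endpoint agent might report.
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\passwords.txt",
    r"C:\Users\alice\Documents\recovery.seed",
    r"C:\Users\alice\Documents\report.docx",          # docx is not in the list
    r"C:\Users\alice\Downloads\notes.txt",            # wrong folder
    r"C:\Users\bob\Desktop\wallet\backup.wallet",     # subfolder of Desktop
    r"C:\Users\bob\AppData\Roaming\app\config.key",   # wrong folder
    r"C:\Users\Public\Desktop\README.TXT",            # extension case differs
]


def in_grabber_scope(path: str, recursive: bool = True) -> bool:
    """True if `path` lies in a profile's Desktop/Documents folder and has a grabbed extension.

    Windows paths are case-insensitive, so folder names and extensions are
    lowercased before comparison. The extension list is matched exactly:
    'docx' does not match 'doc'. `recursive=True` (assumed, more conservative)
    also counts files in subfolders of Desktop/Documents.
    """
    p = PureWindowsPath(path)
    parts = p.parts
    # Expect <drive>\Users\<profile>\<folder>\...\<file>
    if len(parts) < 5 or parts[1].lower() != "users":
        return False
    if parts[3].lower() not in GRABBER_FOLDERS:
        return False
    if not recursive and len(parts) != 5:
        return False
    ext = p.suffix.lstrip(".").lower()
    return ext in GRABBER_EXTENSIONS


def scope_exposure(paths, recursive: bool = True):
    """Group in-scope paths by profile name (the third path component)."""
    exposed = defaultdict(list)
    for path in paths:
        if in_grabber_scope(path, recursive):
            exposed[PureWindowsPath(path).parts[2]].append(path)
    return dict(exposed)


if __name__ == "__main__":
    for user, files in scope_exposure(SAMPLE_PATHS).items():
        print(f"{user}: {len(files)} file(s) potentially collected")
        for f in files:
            print("   ", f)
```

Run it against the real inventory of a host that contacted the C2 addresses in the Investigation section, and treat every listed file (wallet and seed files in particular) as exposed until proven otherwise.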

Figure 12 : Credential Grabber Configs for Applications, Screenshot, and FTP

Figure 13 : Instructions from C2 to RedLine Stealer

Appendix

Below are the markets and forums found buying or selling RedLine Stealer. Also included are the banks listed in the panel from whose sites information is gathered once the compromised host connects to the Internet. The Money section lists the domain names found in the panel from which information is gathered once a connection has been made to the site.

[For the appendix containing data listed above, please send a request to info@getdarktower.com]