A list of RedLine Stealer configurations was found on 19SEP2021 on Twitter, showing hashes, C2_proxy, and the encryption key. RedLine Stealer is a MaaS (Malware as a Service) found in forums and markets for sale.
- RedLine Stealer was first seen in 2020 and currently has active subscribers.
- RedLine Stealer is being sold as a Malware as a Service with monthly and lifetime subscriptions at a cost of $150 and $800, respectively, in Bitcoin or Litecoin.
- Found in multiple forums and markets with posts on clear and dark web sites to buy and/or sell RedLine Stealer.
- This malware family is similar to other stealers such as Raccoon Stealer and other Trojans.
- Malware is sent via unsolicited email and/or social media direct message targeting 3D artists, streamers, and financial advisors, generally in North America and Europe.
- The control panel reveals that, once connected, a compromised machine will collect credentials and other information from a list of domain names to be sent back to its command and control.
After running the sample, Wireshark recorded communication with the IP addresses 194.23.139[.]70 (Telia—Sweden) and 52.202.42[.]171 (Amazon AWS—U.S.).
Although the sample attempted to reach out to IP address 194.23.139[.]70, no connection was established and no payload was dropped. The connection to IP address 52.202.42[.]171 succeeded but returned only the nginx server default page.
Figure 3 : Server Landing Page from IP address 52.202.42[.]171
RedLine Stealer Telegram
RedLine Stealer was also observed in the Telegram Group Chat Redline Stealer Members, where a file was posted named RedLine_21_2.rar on 11SEP2021, along with the message REDLINE STEALER v21.2 update from 09/11/2021 (translated from Russian). The message reads as follows:
- In the Builder tab there is a function to select a method for sending a log; next to the “Build stealer” button is a checkbox “Send log by parts”, which is checked by default. If the checkbox is enabled, the log will be sent in parts during collection; if disabled, then the log is first completely collected and then completely sent to the panel.
- Cleaned stealer detection
From the Redline Stealer Members Group Chat profile details, the English bot selling RedLine Stealer on Telegram was located, and the interaction with the bot provided both weekly and monthly subscription prices, as well as Bitcoin and Litecoin addresses for where payment was to be sent before access.
Figure 4 : RedLine Stealer Members User Group Information
Figure 5 : Telegram Message Containing RedLine Stealer v21.2
Figure 6 : RedLine Stealer Bot Monthly Subscription
Figure 7 : RedLine Stealer Bot Lifetime Subscription
Figure 8 : Bitcoin and Litecoin Address for Subscription Payment
At the time of this report, both BTC addresses had a zero balance and no transactions. Once payment is submitted through the bot and Confirm is selected, you receive a message stating Transactions Possible within 10 minutes. Please wait.
The RedLine Stealer Control Panel login page, paths, targeted browsers, and grabbers were found within the Telegram file RedLine_21_2.rar.
Figure 9 : Panel Login
Figure 10 : Targeted Browsers User Path
The Desktop and Documents folders of user profiles are searched for files with the following extensions: txt, doc, key, wallet, and seed.
Figure 11 : Search of User Profile Desktop and Documents Folder
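The file grab described above gives a defender a behavioural signal: a single process reading Desktop and Documents files across several of those extensions in quick succession. The following added example (not code from the report or from the malware) runs that heuristic over constructed file-access events; the log format, process names and paths are assumptions made up for the demonstration.

```python
import re
from collections import defaultdict

# File extensions the report says RedLine grabs from Desktop and Documents.
GRABBED_EXTS = {"txt", "doc", "key", "wallet", "seed"}
PROFILE_DIRS = {"desktop", "documents"}

# Constructed file-access events (not real telemetry), one per line:
#   <time> pid=<pid> image=<process path> path=<file path>
SAMPLE_LOG = r"""
10:00:01 pid=4120 image=C:\Users\alice\AppData\Local\Temp\inv0ice.exe path=C:\Users\alice\Desktop\notes.txt
10:00:01 pid=4120 image=C:\Users\alice\AppData\Local\Temp\inv0ice.exe path=C:\Users\alice\Desktop\backup.wallet
10:00:02 pid=4120 image=C:\Users\alice\AppData\Local\Temp\inv0ice.exe path=C:\Users\alice\Documents\keys\id_rsa.key
10:00:02 pid=4120 image=C:\Users\alice\AppData\Local\Temp\inv0ice.exe path=C:\Users\alice\Documents\recovery.seed
10:00:05 pid=2210 image=C:\Program Files\Microsoft Office\WINWORD.EXE path=C:\Users\alice\Documents\report.doc
10:00:09 pid=3301 image=C:\Windows\System32\notepad.exe path=C:\Users\alice\Desktop\todo.txt
10:00:12 pid=3301 image=C:\Windows\System32\notepad.exe path=C:\Users\alice\AppData\Roaming\app\config.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) path=(?P<path>.+)$")

def parse_event(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_grab_target(path):
    """True if path is a Desktop/Documents file with one of the grabbed extensions."""
    parts = path.lower().replace("\\", "/").split("/")
    # Expect <drive>/users/<name>/<desktop|documents>/.../<file>; subfolders are allowed.
    if len(parts) < 5 or parts[1] != "users" or parts[3] not in PROFILE_DIRS:
        return False
    name = parts[-1]
    return "." in name and name.rsplit(".", 1)[1] in GRABBED_EXTS

def detect_grabbers(log_text, min_distinct_exts=3):
    """Flag processes whose target-file reads span at least min_distinct_exts extensions."""
    seen = defaultdict(lambda: {"image": None, "exts": set(), "files": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or not is_grab_target(ev["path"]):
            continue
        rec = seen[int(ev["pid"])]
        rec["image"] = ev["image"]
        rec["exts"].add(ev["path"].lower().rsplit(".", 1)[1])
        rec["files"].add(ev["path"])
    return {pid: rec for pid, rec in seen.items() if len(rec["exts"]) >= min_distinct_exts}

if __name__ == "__main__":
    for pid, rec in detect_grabbers(SAMPLE_LOG).items():
        print(f"pid {pid} ({rec['image']}) read {len(rec['files'])} files: {sorted(rec['exts'])}")
```

Word and Notepad each touch only one qualifying extension and are not flagged; the threshold keeps ordinary document editing below the alert line while the burst across txt, wallet, key and seed stands out.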
Figure 12 : Credential Grabber Configs for Applications, Screenshot, and FTP
Figure 13 : Instructions from C2 to RedLine Stealer
Below are the markets and forums found buying or selling RedLine Stealer. Also included are the banks found in the panel from which information is gathered once a connection has been made to the Internet. The Money section includes the domain names found in the panel from which information is gathered once a connection has been made to the site.
[For the appendix containing data listed above, please send a request to email@example.com]