| Attribute | Details |
|---|---|
| Type of Malware | Infostealer |
| Date of Initial Activity | 2020 |
| Motivation | Gather information such as logins, passwords, autofill data, cookies and credit card details in order to proliferate malware and spam campaigns, carry out fraudulent transactions and purchases, deceive people into transferring money, and steal identities. |
| Attack Vectors | Infected email attachments, malicious online advertisements, social engineering, software ‘cracks’, and exploit kits |
RedLine Stealer is a trending infostealer that was first observed in March 2020. Sold as MaaS (Malware-as-a-Service) and often distributed via malicious email attachments, it has all the capabilities of a modern infostealer: web browser information collection (credit card details, session cookies and autocomplete data), harvesting of cryptocurrency wallets, the ability to download additional payloads, and more.
Targets: regular users. The list of wallets targeted by RedLine Stealer includes Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, and Jaxx. Targeted VPN clients are ProtonVPN, OpenVPN, and NordVPN. It also collects data from all Gecko-based and Chromium-based web browsers.
Tools/Techniques Used
The vehicle used by criminals to disseminate RedLine Stealer is email. A malicious and convincing message is sent along with a URL that downloads the binary, which is then installed on the target machine. Healthcare (taking advantage of the COVID-19 situation) and manufacturing were two industry sectors affected by this threat in the last few months.
This malware is written in C# and uses a SOAP API to communicate with its C2 server. The stealer takes advantage of the Telegram API to notify criminals of new infections with minimal effort. After receiving a ping via a Telegram channel, criminals can interact with the RedLine agent installed on the victim’s device using the C2 panel, which runs on a Windows machine.
The command and control server is also written in C#, and its communication is based on a WSDL-described SOAP API for interacting with the malicious agents. In addition, the C2 panel can execute additional payloads on the agent side and even open specific URLs in the victim’s default web browser.
Although this malware is equipped with many of the modern features seen in stealers of this nature, RedLine does not use cryptography to create a secure channel when it communicates with the C2 server: all packets and data traverse the network in plaintext, so security appliances can identify the traffic at the network layer with customized detection rules.
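The profile above makes the point that the C2 channel is unencrypted SOAP over HTTP, which means the envelope, the `Content-Type` and the `SOAPAction` header are all visible to a network sensor. The following script is an added example of the kind of custom rule the text refers to; it is not code from the original profile or from any vendor product. It parses raw HTTP requests and flags SOAP calls to hosts outside an allowlist of expected internal SOAP services. The hostnames, IP addresses, `SOAPAction` values and request bodies are constructed for illustration (the `CheckIn` action and `example.invalid` host are placeholders, not RedLine indicators), and the allowlist is a hypothetical one you would replace with your own inventory.

```python
"""Flag plaintext SOAP traffic to unexpected hosts as candidate C2 activity.

Added example, not part of the original profile. Samples below are constructed.
"""
import re
from dataclasses import dataclass

# Hypothetical allowlist: internal SOAP services that legitimately use plain HTTP.
# Any other destination receiving SOAP over plaintext is worth an analyst's look.
ALLOWED_SOAP_HOSTS = {"erp.corp.example", "legacy-ws.corp.example"}

# Matches <Envelope ...> with or without a namespace prefix (soap:, s:, SOAP-ENV: ...).
SOAP_ENVELOPE_RE = re.compile(r"<(?:\w[\w-]*:)?Envelope\b", re.IGNORECASE)


@dataclass
class Finding:
    src: str          # source address of the request
    host: str         # destination Host header
    action: str       # SOAPAction value, quotes stripped
    reasons: list     # why the request was flagged


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, lowercase-keyed headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_request(src: str, raw: str):
    """Return a Finding for a plaintext SOAP POST to a non-allowlisted host, else None."""
    request_line, headers, body = parse_http_request(raw)
    if not request_line.startswith("POST "):
        return None  # SOAP calls are POSTs; other methods are out of scope here
    reasons = []
    ctype = headers.get("content-type", "")
    if "text/xml" in ctype or "application/soap+xml" in ctype:
        reasons.append(f"SOAP content type: {ctype}")
    if "soapaction" in headers:
        reasons.append(f"SOAPAction header: {headers['soapaction']}")
    if SOAP_ENVELOPE_RE.search(body):
        reasons.append("SOAP Envelope visible in plaintext body")
    if not reasons:
        return None  # not SOAP at all
    host = headers.get("host", "")
    if host in ALLOWED_SOAP_HOSTS:
        return None  # known, expected SOAP endpoint
    return Finding(src, host, headers.get("soapaction", "").strip('"'), reasons)


def scan(samples):
    """Run inspect_request over (src, raw_request) pairs and collect findings."""
    findings = []
    for src, raw in samples:
        finding = inspect_request(src, raw)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed samples: a benign internal SOAP call, a plain JSON API call, and a
# SOAP POST to an external address (documentation range) with a placeholder action.
SAMPLES = [
    ("10.0.0.5",
     "POST /ws/Orders.asmx HTTP/1.1\r\nHost: erp.corp.example\r\n"
     "Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"urn:orders/Get\"\r\n\r\n"
     "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
     "<soap:Body/></soap:Envelope>"),
    ("10.0.0.7",
     "POST /api/v1/sync HTTP/1.1\r\nHost: updates.example.net\r\n"
     "Content-Type: application/json\r\n\r\n{\"v\":1}"),
    ("10.0.0.9",
     "POST /Service.asmx HTTP/1.1\r\nHost: 198.51.100.23\r\n"
     "Content-Type: text/xml; charset=utf-8\r\n"
     "SOAPAction: \"http://example.invalid/CheckIn\"\r\n\r\n"
     "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\">"
     "<s:Body><CheckIn/></s:Body></s:Envelope>"),
]

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"[ALERT] {f.src} -> {f.host} action={f.action!r}: {'; '.join(f.reasons)}")
```

Only the third sample is reported: the internal call is allowlisted and the JSON request carries no SOAP markers. The same three checks map directly onto an IDS rule (HTTP method POST, `Content-Type` containing `text/xml`, presence of a `SOAPAction` header or an `Envelope` element in the body), with the allowlist expressed as a destination exclusion; because the channel is plaintext, none of this requires TLS interception.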