First observed in 2020 and advertised on various cybercriminal forums as a ‘Malware-as-a-Service’ (MaaS) threat, Redline is an information stealer mainly targeting Windows’ victim credentials and cryptocurrency wallets, as well as Browser information, FTP connections, game chat launchers, and OS information such as system hardware, processes names, time zone, IP, geolocation information, OS version, and default language.
Over the past year, Redline was added with additional features and is capable to load other malware software and run commands while periodically sending updates to its C2 of new information related to the infected host.
Lacking an out-of-the-box distribution method, recently observed Redline incidents appear to begin with the delivery of malicious document attachments sent via an indiscriminate unsolicited email (malspam) campaign, Twitter, and Instagram Direct Messaging. Mostly targeting service or content providers individuals such as 3D artists and streamers, financial advisers, and more based mostly in North America and Europe.
As for this moment, Redline can be purchased through Redline telegram official channel (Figure 1), when offering a monthly, weekly, and lifetime subscription for the prices of 100$, 150$, and 800$ respectively, paid in Bitcoin, Ethereum, XMR, LTC, and USDT.
Figure 1: Redline Telegram official channel.
Using third-party tools to deploy the threat, such as cryptors or packers to thwart signature-based detection is no concern for the threat actors as the subscription comes with free cryptor as a package (Figure 2).
Figure 2: Redline purchases options.
Those tools are praised for the high level of service, and their management dashboard, much like the malware element, is reportedly straightforward to use. Notably, based on the analysis of recent samples and a changelog posted on the threat actor’s Telegram channel, the most recent release of Redline is version 20.2 (Figure 3) and introduced support for additional stolen data management options, notification management, logging, and bugs fixed which indicates the dedication and ongoing development of the product.
Figure 3: Redline 20.2 release notes
Redline Control Panel
Redline subscribers have access to a local control panel from which they can generate and/or manage campaign configurations, build Redline malware payloads, and view data stolen from victims.
Displayed in English by default, visitors to the control panel are prompted to login using the username and password (Figure 4) they presumably received when subscribing.
Figure 4: Redline Login window.
Credential verification is done via SOAP over HTTP POST request to a centralized authentication server stored in licensechecklive[.]xyz:8778. The request is uploaded to /IMainServer path with the attached SOAP envelope, containing the encoded login information and subscription ID (Figure 5).
Figure 5: Redline Dashboard login attempt.
Although access to this control panel requires an active Redline subscription and credentials, cracked versions of Redline dashboard has been leaked on several underground forums and git repositories over the last 6 months, providing the ability to use the dashboard to create and monitor Redline builds without the initial investment, causing this threat to become even more popular (Figure 6).
Figure 6: Redline leaked version post.
Notably, the control panel uses XML and text file resources that can be accessed without authentication and allow some of the current functionality to be determined. Furthermore, Redline 20.2 package includes text related to the user FAQ sections, both in English and Russian (Figure 7).
Figure 7: Redline Panel Files List
As mentioned, Redline panel makes use of three resource files for build operation:
chromeBrowsers.txt
geckoBrowsers.txt
Panel.exe.config
While the text files contain all paths possible for the targeted browsers information (Figure 8), the main configuration for the stealer itself is explicit in the config file, such as Grabber functionality regex (Figure 9), domains relevant for session hijacking (Figure 10), Telegram Bot configuration for notifications (Figure 11) and applications checklist to steal credentials from (Figure 12). Notably, the panel can modify the configuration files to fit the threat actor interest and will be used by the stealer.
Figure 8: Targeted browsers data paths
Figure 9: Regex setting for grabbing txt, doc, key, wallet and seed files.
Figure 10: Domains targeted for session hijacking.
Figure 11: Telegram Bot configuration
Figure 12: Applications, screenshot and FTP credentials grabbing configuration.
Simplicity is the main virtue of Redline. Its control panel contains an intuitive menu (Figure 13) which its main fields are Logs received from the stealers, the Builder compiling the stealer’s samples, and Loader Tasks, which enables setting new tasks to the stealers such as running a cmd command, downloading and executing a file and open a link.
Figure 13: Redline Panel Menu
Redline Stealer
Command & Control
Although packing and distribution may vary between Redline stealers, the result remains the same. Based on the intelligence gathered from the Redline Stealer control panel and stealers samples found in the wild, on execution, each stealer attempts to communicate with predefined and hardcoded one or more servers via SOAP over HTTP POST request for further instructions (Figure 14) by posting to /Endpoint/EnvironmentSettings.
Figure 14: C2 first connectivity.
In response, the C2 server sends a SOAP envelope XML configuration containing information for the stealer to search (Figure 15), for example:
ScanChromeBrowsersPaths and ScanGeckoBrowsersPaths containing paths to targeted browsers.
ScanFilesPaths containing file types to look for in the users Desktop and Documents.
Figure 15: Response instructions from the C2 to the stealer
Data Theft
The flexibility of Redline stealer enables the variety of potential content to steal and is not bound to serve one purpose only. However, the default setting includes the following as identified from recently analyzed samples:
Browsers: Google Chrome, Mozilla Firefox, Opera and those that are Chromium-based including Microsoft Edge.
Cryptocurrency Wallets: Redline searches for the commonly used filename wallet.dat
OS information: Processes, Windows versions, Credentials.
Geolocation: city, country, zip code and IP using hxxps://api[.]ip[.]sb/geoip.
Having completed both the data theft and information gathering stages, Redline generates an exfiltration XML Envelope SOAP message and uploads it to the C2, without using an encryption method, via an HTTP POST request to the path /Endpoint/SetEnvironment (Figure 16).
Figure 16: Redline Stealer uploads stolen data to C2
Having completed both the data theft and information gathering stages, Redline generates an exfiltration XML Envelope SOAP message and uploads it to the C2, without using an encryption method, via an HTTP POST request to the path /Endpoint/SetEnvironment (Figure 16).
Recommendations
Employee security awareness training remains an essential step in helping them identify and be suspicious of unsolicited emails and phishing campaigns, unusual communications via social media, especially messages with embedded links or file attachments that could lead to the deployment of additional malicious payloads.
Multi-factor authentication should be implemented wherever possible to limit the effectiveness of any stolen credentials.
Employees should be reminded of the risks associated with credential reuse and weak passwords supported by password policies to encourage best practice.
Ensure that email security controls are applied to limit the delivery of potentially malicious attachments or links to end-users, as well as implementing protocols and security controls such as DKIM, DMARC and SPF.
Continuous monitoring of unusual endpoint behaviors, such as requests to low reputation domains, can indicate compromise early.
Those who are using cryptocurrencies should consider the use of hardware-based wallets and ensure that payment addresses are verified before submitting a transaction.
Indicators of Compromise
SHA256 Files Hashes
The following samples were observed in August 2021 and may be beneficial for those seeking to further understand the nature of this threat:
