We use cookies to improve your experience. Do you accept?

All About High-in-Demand Information Theft Tool: RedLine Stealer

All About High-in-Demand Information Theft Tool: RedLine Stealer - Featured Image

Research and Analysis Jun 1, 2022

Origin: February 2020

Aliases: Win.redline_stealer, Redline

Targeted Sectors: IT, Financial

Targeted Regions: North America, Western Europe, and Eastern Europe

Motive: Data Theft

Common Infection Vectors: Phishing,**** Social Engineering

Introduction

Developed by a programmer dubbed REDGlade, RedLine Stealer is one of the prominent and most widely used information-stealing malware today. According to a report from Insikt Group, it is one of the major and the largest providers of stolen credentials for two underground markets: Amigos Market and Russian Market. Its trade has been observed on underground marketplaces through a series of YouTube videos around the top global trends interest such as NFTs.

The low-cost stealer malware was probably first advertised on cybercriminal forums in February 2020, as a Malware-as-a-Service (MaaS), but came to the notice of Proofpoint researchers only in March 2020. It not only steals passwords, credit card information, and other sensitive data but can also open the gateway for other ransomware, trojans, cryptocurrency miners, and RATs.

Attack Methods

RedLine Stealer is known for trojanizing popular services such as Telegram (using social engineering tactics such as COVID-19 lures), Signal, and Discord (disguised as Windows 11 installers). It also leverages email phishing campaigns, Google Ads (for ranking malicious websites), and experiments with social engineering tactics aimed at NFT enthusiasts.

2020

  • During its first notable campaign in March 2020, a phishing email was trying to take advantage of the Coronavirus pandemic to spread the stealer primarily targeting healthcare and manufacturing industries in the U.S. Threat actors abused MSBuild to deploy RATs and information-stealing malware, including RedLine.

  • In July, a malware campaign was detected using a malicious document used to deliver AutoIt scripts, which eventually infected users with CyberGate RAT and RedLine Stealer.

  • In October, threat actors were observed abusing the paste.nrecom[.]net service to deliver several malware, including AgentTesla, LimeRAT, Ransomware, and RedLine Stealer.

2021

  • In June 2021, malicious pay-per-click ads were observed in Google’s search results, leading the victims to RedLine Infostealers.

  • In July, a fake website was seen delivering Smoke Loader that subsequently downloaded the RedLine Stealer while masquerading as a ‘Privacy Tool.’

  • In November, a cryptocurrency-related campaign was found abusing a legitimate Russian RAT tool called TeamViewer with SpyAgent that also downloaded the RedLine Stealer.

  • Another campaign in the month was offering fake installers of popular software to bait users, infecting them with RedLine Stealer.

  • End of December witnessed the stealer with stolen 441K accounts used against different online services, according to a data breach notification service Have I Been Pwned.

2022

  • In February 2022, cybercriminals were delivering RedLine Stealer disguised as the Windows 11 Upgrade installer to lure victims.

  • In March 2022, Microsoft confirmed that a threat group known as LAPSUS$ was able to gain access to the source code of some of its internal projects, including Bing, Cortana, and Bing Maps, by deploying the RedLine Stealer.

  • In the same month, Okta also declared that Lapsus$ group was able to compromise over 366 corporate customers by leveraging RedLine malware.

  • In April, ZingoStealer malware was discovered with powerful data-stealing features, with the ability to load additional payloads including the RedLine Stealer.

  • One more campaign founded in April used the RIG Exploit Kit (EK) to spread RedLine Stealer targeting by exploiting an Internet Explorer vulnerability.

  • A new attack chain spotted in May abused Discord’s CDN to spread SYK Crypter, which eventually dropped the RedLine Stealer.

  • A week later, a cybercriminal group was reported dropping the potent RedLine Stealer via fake Binance NFT mystery box bots.

Availability and Attack Profile

Looking at its business model, the threat group behind RedLine Stealer may have no other goal than generating revenue by offering the malware to more and more groups. The RedLine Stealer is available for sale on several dark web forums, in different packages. It was observed on the RedLine Telegram official channel with an offer of monthly ($100), weekly ($150), and lifetime subscriptions ($800). The price depends on the version of the stealer as well. Additionally, the buyer needs to make the payment in Ethereum, Bitcoin, XMR, USDT, or LTC. Owing to its low-cost factor, the malware could also be noticed in multiple smaller campaigns run by individual attackers.

Since this is a commercially available malware, targeted industries and organizations are completely dependent on the person buying and using it. Commonly targeted sectors include healthcare and information technology, while the most targeted regions include North America, Western Europe, and Eastern Europe.

Notable attacks

  • In October 2021 attackers used social engineering and phishing emails to compromise YouTube creators with information-stealing malware including the RedLine Stealer.

  • In January 2022, a new variant of the RedLine was distributed using emails with a fake COVID-19 Omicron stat counter app as bait, targeting victims across 12 countries, without focusing on any specific individual or organization.

  • Zscaler reported a crypto scam in February that was using social engineering to deliver Dark Crystal RAT that led to RedLine Stealer infection.

  • In March, a malware campaign was using the Valorant cheat as lures on YouTube to fool the players into downloading the RedLine Stealer.

Prevention and Mitigation

In a finding, a researcher reported vulnerabilities in RedLine Stealer malware, patching which can help stop the malware from infecting users’ devices. Furthermore, since phishing and social engineering are its primary methods of propagation, the initial line of defense is staying alert whenever receiving suspicious emails and downloading software from third-party sources. Organizations must protect sensitive information with adequate/ restricted access control to users, and ensure the use of robust encryption for protecting the information with efficient security infrastructure.

More importantly, organizations must adopt modern threat alert sharing solutions to receive the latest threat updates including information on the latest malware indicators of compromise (IOCs). Leveraging such solutions will equip them with constant and reliable situational awareness against threats.

Conclusion

At present, RedLine Stealer is being actively used by several cybercriminals in their campaigns. The malware developers are making continuous efforts in updating its versions and modifying them as per different subscription-based models, making it affordable for threat groups of all sizes. This also makes RedLine a versatile threat.

Indicators of Compromise

SHA256

Cd3f0808ae7fc8aa5554192ed5b0894779bf88a9c56a7c317ddc6a4d7c249e0e

38a5b96fd07f03041f6eff913b85fc621fa314e1de87326accb00ee218c37756

|020fbe48b4da34a90d3422f211aa0338681a7cb9e99292b2b9d738a354ed97de

c6d48514031cc6e83445b95f9ed4e975f2cdcebc2e9cc1914605058ff7af7764

9ac01cc861cfe9e340c66a5cd527ab8a7e3de345b851ebcf07a7ca08eeee2f88

c8b42437ffd8cfbbe568013eaaa707c212a2628232c01d809a3cf864fe24afa8

501fe2509581d43288664f0d2825a6a47102cd614f676bf39f0f80ab2fd43f2c

891aba61b8fec4005f25d405ddfec4d445213c77fce1e967ba07f13bcbe0dad5

216a733c391337fa303907a15fa55f01c9aeb128365fb6d6d245f7c7ec774100

73942b1b5a8146090a40fe50a67c7c86c739329506db9ff5adc638ed7bb1654e

2af009cdf12e1f84f161a2d4f2b4f97155eb6ec6230265604edbc8b21afb5f1a

bf31d8b83e50a7af3e2dc746c74b85d64ce28d7c33b95c09cd46b9caa4d53cad

b8ebdc5b1e33b9382433151f62464d3860cf8c8950d2f1a0278ef77679a04d3b

8d7883edc608a3806bc4ca58637e0d06a83f784da4e1804e9c5f24676a532a7e

1b4fcd8497e6003009010a19abaa8981366922be96e93a84e30ca2885476ccd7

fdeadd54dd29fe51b251242795c83c4defcdade23fdb4b589c05939ae42d6900

af4bf44056fc0b8c538e1e677ed1453d1dd884e78e1d66d1d2b83abb79ff1161

fcc49c9be5591f241ffd98db0752cb9e20a97e881969537fba5c513adbd72814

f9246be51464e71ff6b37975cd44359e8576f2bf03cb4028e536d7cfde3508fc

eef15f6416f756693cbfbfd8650ccb665771b54b4cc31cb09aeea0d13ec640cf

bf7b5f72b2055cfc8da01bb48cf5ae8e45e523860e0b23a65b9f14dbdbb7f4ee

aae0553b761e8bb3e58902a46cd98ee68310252734d1f8d9fd3b862aab8ed5c9

929a591331bdc1972357059d451a651d575166f676ea51daaeb358aa2a1064b7

6abbd89e6ab5e1b63c38a8f78271a97d19bafff4959ea9d5bd5da3b185eb61e6

4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff

4554dc95f99d6682595812b677fb131a7e7c51a71daf461a57a57a0d903bb3fa

14e7cc2eadc7c9bac1930f37e25303212c8974674b21ed052a483727836a5e43

MD5

af90600728c9d3d1270dd4da39a0f9e5

d81d3c919ed3b1aaa2dc8d5fbe9cf382

d6e630749bdd4f16c37ca15886fc6bdc

ce70574f6c90835076d9b195e90cd275

10adb0969eb2b385d6bb8ad8e91bb0c4

0adb0e2ac8aa969fb088ee95c4a91536

0C79BEE7D1787639A4772D6638159A35

C2 server

46[.]8[.]19[.]196:53773

C2 host

185[.]215[.]113[.]121

RedLine Stealer initial sample

355d67437448ef5b5ce78ea43dc0eb17

RedLine Stealer final stage

877a637058b7a7397ce2d329f63238a1

URLs

hxxps://me.anydesk-pro[.]com/

hxxps://desklop.telegram-home[.]com/

hxxps://pc.anydesk-go[.]com/

hxxps://desklop.anydesk-new[.]com/

hxxps://desklop.pc-whatisapp[.]com/

C2 - Redline Infostealer

jasafodidei[.]xyz:80

ISO - Redline Infostealer ZIP Files

C249E79B05D3385A50BD0D54881B59BD

76118B65F29856DB2ABECD1193D08CF1

Domains

userauto[.]space

22231jssdszs[.]fun

hssubnsx[.]xyz

dshdh377dsj[.]fun

Related Threat Briefings