Do Not Cross The 'RedLine' Stealer: Detections and Analysis

By Splunk Threat Research Team June 01, 2023

RedLine Stealer is a malware strain designed to steal sensitive information from compromised systems. It is typically distributed through phishing emails, social engineering tactics, and malicious URL links.

Since it was released, threat actors and adversaries have leveraged RedLine Stealer because of its availability and flexibility for stealing credentials that can cause financial loss and data leakage. In 2020, there was a RedLine campaign that targeted both enterprise and personal devices. Many industries received these malicious campaigns, but the most impacted was the Healthcare and manufacturing sectors. Recently this year (May 10, 2023), there was a RedLine campaign found by stormshield that used a malicious chrome extension that will download several malware like Smoke Loader and Amadey Trojan. Amadey malware is a botnet that is being used now to distribute RedLine malware to steal data such as browser credentials, crypto wallets and even credit card information.

This malicious software has been in the top malware sample shared for months on anyrun statistics reports as well as in Malware bazaar.

In this blog post, the Splunk Threat Research Team provides a deep dive analysis of this threat and valuable insights to enable blue teamers to defend and detect this malware variant.

Blog details include:

• Analysis of the phishing URLs
• The RedLine Loader
• The RedLine Stealer Capabilities
• Splunk Security Content

Spear Phish Link Data

The operators behind RedLine Stealer use several techniques to gain initial access to their victims. One common initial access technique that this Trojan Stealer uses is a phishing URL link. To gain more insight on how this malware executes its campaign, the Splunk Threat Research Team (STRT) collected 90 days of URL data from URLhaus and used Jupyter Notebooks to analyze the dataset to identify trends of the RedLine URL links. Figure 1 shows the list of URLs from the data related to RedLine Stealer. Based on URL tags, we can see that this Trojan is also bundled, downloaded or dropped by other malware like Amadey or SmokeLoader.

^{Figure 1}

Using the URLhaus dataset, we can also learn that RedLine Stealer abuses several known legitimate file/code sharing and collaboration platforms for its campaigns. Figure 2 shows the top 20 domains that RedLine Stealer used to host its malware. Based on the list below, the most commonly abused legitimate file sharing domains are GitHub, Dropbox, Discord, Bitbucket, OneDrive and Google Drive.

The use of these legitimate platforms allows threat actors or adversaries to evade detections or to blend in its C2 communication with other normal network traffic so security solutions will not raise any red flags or detection alerts.

^{Figure 2}

In the following section, we explore a recent RedLine Loader used, the defense evasion technique and RedLine Stealer capabilities.

Self Extractor Loader

The Splunk Threat Research Team found an interesting RedLine Stealer Loader that was compiled as Win32 Cabinet self extractor executable (wextract) (1) (2). This self-extracting archive is a type of compressed file that contains multiple files and can be executed as a program. When a user runs a self-extracting archive, the contents of the archive are extracted to a specified location on the system.

Figure 3 shows a simple flow diagram of how RedLine Stealer uses a loader in the form of a self-extracting archive (.exe) to initiate its infection. This loader then executes two more self-extracting archive executables that are responsible for decrypting a shellcode to load the Amadey Trojan and two instances of the RedLine Stealer malware onto the system. Additionally, the loader also executes a .NET executable that is responsible for defense evasion.

^{Figure 3 (For a larger resolution of this diagram visit this link)}

Defense Evasion Component

As described in Figure 3, the Redline Loader will also load an executable named it532878.exe, which is a .NET executable that is responsible for defense evasion. Figure 4 shows the code snippet of this RedLine component that will do the following:

1. Escalate its privilege as administrator or trustedinstaller
2. Try to disable Windows Defender service "WinDefend"
3. Try to disable Tamper Protection settings of Windows Defender.
4. Try to Disable AntiSpyware, Real Time Protection and notification of Windows Defender.
5. Disable Windows update services such as ("wuauserv", "WaaSMedicSvc", "UsoSvc")
6. Disable Automatic Update and change Windows configurations related to Windows Update

^{Figure 4}

RedLine Stealer Deep Dive

C2 Connection Check

RedLine Stealer is designed to be stealthy and avoid detection by security software. Therefore, it typically starts by decrypting its initial configuration data, which is often encoded or encrypted to prevent detection. It starts its code by decrypting its initial configuration that the malware needs to connect to its Command and Control (C2) server and receive instructions on how to operate. This includes the domain or IP address of the C2 server, as well as the connection IDs and keys that are used to establish a secure connection. Figure 5 shows the code of the decryption algorithm used by RedLine Stealer to decrypt its initial configuration data which is a combination of Base64 and XOR functions.

^{Figure 5}

Once the initial configuration data has been decrypted, it will constantly check its bind connection to its C2 server to download further command arguments or other configuration settings that will dictate what functionality will be enabled for its malicious client file.

Figure 6 shows the code of RedLine that consistently checks the connection of its client malware to the C2 server. If the connection fails, It will break and throw an exception. If the C2 server is already down or offline during analysis, this piece of code can be considered an anti-sandbox technique because RedLine will not continue its execution.

^{Figure 6}

After establishing a connection to its C2, it will fetch another configuration setting data from its C2 server that will fill the ScanningArg() class, which is a data structure of boolean variables that will serve as a switch to RedLine functionality.

Figure 7 shows the snippet of ScanningArg() class data member of RedLine which accepts either ON or OFF (True or False) values to enable the chosen RedLine settings or functions.

^{Figure 7}

RedLine Capabilities

RedLine Stealer has several features that will be executed depending on the configuration setting it downloaded from its C2 to steal information from the compromised or targeted host. Figure 8 is the screenshot showing several function capabilities of RedLine that we renamed during our analysis.

^{Figure 8}

Gather System Information

As stated earlier, RedLine Stealer has the ability to collect or extract various types of system information from a targeted or compromised computer. The information that this malware can retrieve may be sensitive and can potentially compromise the security and privacy of the affected system.

To provide a more detailed explanation, the table summary below shows each of the functions of the RedLine Stealer malware and describes the specific information that each function attempts to gather.

Function name (renamed)	Description
func_GetHostSerialNumber()	Retrieve the user domain name, username and host serial number (without "-") and convert it into a MD5 hash
func_GetExecutingAssembly()	Get the full file path of its running malware sample
func_GetLanguageTimeZoneOsVersion()	Retrieves system default language, timezone and OS version
func_GetUserName()	Get the user name of the compromised host
func_GetProcessor()	Get processor information of the compromised host by executing "SELECT * FROM Win32_Processor"
func_GetGraphicCards()	Get AdapterRAM and Graphic Card Name and type by executing "root\\CIMV2", "SELECT * FROM Win32_VideoController"
func_GetBrowsers()	Parse browser application and browser version installed in the compromised host by querying "SOFTWARE\WOW6432Node\Clients\StartMenuInternet" or "SOFTWARE\Clients\StartMenuInternet" registry
func_GetTotalRAM()	Get the total RAM size of compromised host by executing "SELECT * FROM Win32_OperatingSystem" and look for "TotalVisibleMemorySize"
func_ListPrograms()	Parse all installed application in the compromised host by querying 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' registry
func_GetFirewalls()	Parse firewall and Anti Virus Product install in the compromised host by running "SELECT * FROM ROOT\\SecurityCenter2" "SELECT * FROM ROOT\\SecurityCenter" "SELECT * FROM AntivirusProduct" "SELECT * FROM FirewallProduct" "SELECT * FROM AntiSpyWareProduct"
func_ListProcesses()	Retrieve process list and process information by running 'SELECT * FROM Win32_Process'
func_AvailableLanguage()	Get the install input language

Screen Capture

Based on one of the RedLine samples we analyzed, we saw that it has a functionality to capture a screenshot of the targeted or compromised host as part of its data collection and exfiltration. In Figure 9 above, the function we've renamed as func_ScanScreen() is the one responsible for this screen capture capability. RedLine uses .NET Graphics class CopyFromScreen Function() to transfer a bit block of color data from the screen to the Graphic drawing surface that will be saved in memory stream for data exfiltration.

^{Figure 9}

Cracking Browser Password

One of the powerful capabilities of this Trojan Stealer is cracking browser sensitive information like passwords, cookies, autofill and credit card information saved within the browser application. Figure 10 shows a simple diagram of how RedLine Stealer was able to decrypt the password saved in the chrome browser. It starts by locating and copying two specific file of Chrome profiles namely as "%userprofile%\Appdata\Local\Google\Chrome\User data\Local State" and "%userprofile%\Appdata\Local\Google\Chrome\User data\Default\Login Data" in the%temp% folder. Afterward it will read the copied "Local State" file to grab the encoded and encrypted master key to decrypt the password stored in the "Login Data". The master key is encoded with Base64 and encrypted using Windows CryptProtectData() API.

Once the master key is decrypted, it will parse the AES IV (Initialization vector) and the encrypted password in the copied "Login Data" database file to decrypt it using AES GCM algorithm. The decrypted password will be sent to its C2 Server as part of its data exfiltration.

^{Figure 10}

Looking For Browser Extensions

This malware can also steal wallet files by scanning Chrome wallet browser extensions. Figure 11 shows the RedLine Stealer code and how it enumerates several known Crypto Wallet directories and looks for files related to crypto currencies by looking for files having "wallet" substring on its file name.

^{Figure 11}

The table below shows some of the targeted Chrome browser extensions that RedLine Stealer tries to parse to look for Crypto Wallets. These extensions are popular among cryptocurrency users and are used to manage and store their cryptocurrency wallets' sensitive information.

Chrome Browser Extension Identification	Chrome Extension
ibnejdfjmmkpcnlpebklmnkoeoihofec	Tronlink
jbdaocneiiinmjbjlgalhcelgbejmnid	NiftyWallet
nkbihfbeogaeaoehlefnkodbefgpgknn	Metamask
afbcbjpbpfadlkmhmclhkeeodmamcflc	MathWallet
hnfanknocfeofbddgcijnmhnfnkdnaad	Coinbase
fhbohimaelbohpjbbldcngcnapndodjp	BinanceChain
odbfpeeihdkbihmopkbjmoonfanlbfcl	BraveWallet
hpglfhgfnhbgpjdenjgmdgoeiappafln	GuardaWallet
blnieiiffboillknjnepogjhkgnoapac	EqualWallet
cjelfplplebdjjenllpjcblmjkfcffne	JaxxxLiberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi	BitAppWallet
kncchdigobghenbbaddojjnnaogfppfj	iWallet
amkmjjmmflddogmhpjloimipbofnfjih	Wombat
ffnbelfdoeiohenkjibnmadjiehjhajb	YoroiWallet
fhilaheimglignddkjgofkcbgekhenbh	AtomicWallet
nlbmnnijcnlegkjjpcfjclmcfggfefdm	MewCx
nanjmdknhkinifnkgdcggcfnhdaammmj	GuildWallet
nkddgncdjgjfcddamfgcmfnlhccnimig	SaturnWallet
fnjhmkhhmkbjkkabndcnnogagogbneec	RoninWallet

RedLine Stealer can also retrieve information related to the following:

1. VPN (Nord, OpenVPN, ProtonVPN) profiles
2. FileZilla credentials
3. Discord, Telegram and Steam Token Information

IOCs

Hash (SHA256)	Description
5112ff1b75d9c33d10efafcbacdb4e2116280c1f5f3e6b6a64b44279997d96ee	Redline stealer
8f45a89978ea72a7c3304c93cc56ac18087663ae33daa9f30f919652ba961175	loader
eb8a15b1a42127970e7facc6133131dcc073a201419d8cc88c3c316819d1c2a2	Redline stealer
afc48eabd725325d00324625eb9035c450d730c0b07d4d5a7246cbb1a3a443eb	lr657198.exe
2a4193dcb95c7307e0a4f5586446c1c4adad17733a102a40d0b9227649191ff9	zifq8846.exe
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc	kp356066.exe
52a52e958a0fef6aa14f27083f2d8675a20c2148be6456cacbda149411719b92	zigT1406.exe
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38	it532878.exe
5e82fc65d9dafc6da041e732597719aa9872bc82d8ff52c272277a1a49b8c9aa	jr663319.exe

Detections

The Splunk Threat Research Team has curated relevant detections and tagged them to the RedLine Stealer Analytic Story to help security analysts detect adversaries leveraging the RedLine malware.

For this release, we used and considered the relevant data endpoint telemetry sources such as:

• Process Execution & Command Line Logging
• Windows Security Event ID 4663, Sysmon, or any Common Information Model compliant EDR technology
• Windows Security Event Log
• Windows System Event Log
• Windows PowerShell Script Block Logging

We maximized the usage of Windows Security EventCode 4663 for this analytic story. An event that is logged whenever an attempt is made to access an object (such as files, registry or directories) in the Windows file system. This EventCode can be helpful to monitor suspicious processes accessing critical files or folders like browser databases for credential dumping and data collection.

As an example, we used this event to develop the analytic "Windows Query Registry UnInstall Program List'' that monitors suspicious processes accessing "uninstall registry". This registry is being abused by several malware and APT to list all installed applications in the compromised or targeted host.

`wineventlog_security` EventCode=4663
object_file_path="\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*" 
 | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name
object_file_path process_name process_path  process_id EventCode dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`

^{Figure 12}

Another analytic "Windows Credentials from Password Stores Chrome Login Data Access" detects suspicious non-Chrome processes accessing the "Login Data" database file of Chrome. Figure 13 shows how this analytic detects the simulated behavior of RedLine
Stealer, in Python script, in cracking browser sensitive information.

`wineventlog_security` EventCode=4663
object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  AND NOT (process_path IN ("*:\\Windows\\explorer.exe",
"*:\\Windows\\System32\\dllhost.exe", "*\\chrome.exe"))       
 | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name
object_file_path process_name process_path  process_id EventCode dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`

^{Figure 13}

Overall, the RedLine Stealer analytic story introduces 25 detections across MITRE ATT&CK techniques.

Automated Playbooks

All of the detections associated with this analytic story create entries in the Splunk Enterprise Security risk index by default and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. Additionally, the Automated Enrichment playbook pack would also work well with the output of any of these analytics.

Playbook	Description
Automated Enrichment	Moves the event status to open and then launches the Dispatch playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets.
Identifier Reputation Analysis Dispatch	Detects available indicators and routes them to indicator reputation analysis playbooks. The output of the analysis will update any artifacts, tasks, and indicator tags.
Attribute Lookup Dispatch	Detects available entities and routes them to attribute lookup playbooks. The output of the playbooks will create new artifacts for any technologies that return information.
Related Ticket Search Dispatch	Detects available indicators and routes them to dispatch related ticket search playbooks. The output of the analysis will update any artifacts, tasks, and indicator tags.

Why Should You Care?

This blog enables security analysts, blue teamers and Splunk customers to identify RedLine Stealer malware by helping the community discover RedLine Stealer tactics, techniques and procedures that are being used by several threat actors and adversaries (APT). By understanding its behaviors, we were able to generate telemetry and datasets to develop and test Splunk detections designed to defend and respond against this threat.

Cyber defenders need to design and deploy effective monitoring capabilities that allow them to detect and respond to RedLine Stealer malware attacks.

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections available via push update.

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub and we'll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions: Michael Haag, Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis, and Patrick Bareiss.