RedLine info-stealer malware

Original Issue Date:- May 19, 2023

Virus Type:-info-stealer

Severity:- High

It has been reported that a critical info-stealing malware, named as “Redline info-stealer” is spreading as MaaS (malware-as-a-service) framework. The malware is distributed through phishing email campaign and tricked the users to click on files/attachments. The info-stealer malware is capable of stealing user data, credentials, information of crypto wallets, browser information, ftp accounts, VPN credentials etc. Moreover, details about victim’s compromised system such as geolocation, IP, OS etc. are also siphoned off to attacker. Recently it is being observed that the malware is being distributed through OneNote service also.

Fig.1 Applications targeted by RedLine (Source: CloudSEK)

The malware is developed through C# / .NET framework and disguises itself as a legitimate service on the compromised system. The binary has its configuration in the form of class which contains various fields for e.g., IP, Key, version etc. that are related to malicious operation. The malware utilizes base64 encoding scheme and XOR technique for the malware binary encoding/decoding and C2 communication. The malware also tries to obtain the region of compromised systems then it identifies IP from its configuration. The malware binary also loads DLLs for malicious activities. These are responsible for collecting browser data and screenshots of compromised system. The malware also uses WMI to get the system info such as username, browser, memory info.

Fig.2 Crypto Wallet Applications targeted by RedLine (Source: CloudSEK)

Moreover, the attacker C2 configuration also contains the cryptocurrency wallets list that are to be targeted and sensitive information to be sent to C2. The attacker can also run the additional malicious payloads such as RAT.

Fig.3 RedLine official channel using Telegram (Source: Security Boulevard)

Further, it is worth mentioning that Redline is being circulated through Telegram platform also because of its some favorable features towards attackers’ perspective.

Indicator of Compromise:

Hashes:

6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64
5be845902145831466d3b710541d2c5a53cfc50108126c8802b48226e89e1887
1365e7708c818aa8a3cbed2a295ce2d585c654d80b78b1e5b3af9f30c654a4fa
7701ee20f7c99aadf95e31bf775bf1614f66aea3e9f03dfadf5ee247ab8eb29c
1d18b3c7e5845a5c5cf519471a7b6ee354f848764b7c64b6f3ec59d0e3492e9b
710b3f75954a006368d8ebff83e35a8c815f26bdf2b58d62e1a5ffdbc88cd20f

SHA 1 Hashes:

61F9DBE256052D6315361119C7B7330880899D4C
ADCE7CA8C1860E513FB70BCC384237DAE4BC9D26
F6F1C1AB9743E267AC5E998336AF917632D2F8ED
6C404F19EC17609AD3AB375B613EA429E802F063

IP:

95.179.163[.]157
193.106.191[.]226
49.12.69[.]202
185.250.148[.]76
172.245.45[.]213

Domains:

tempuri[.]org/Entity/Id<1-24>
santaanarealtor[.]icu

Countermeasures:

Do not download and install applications from untrusted sources [offered via unknown websites/ links on unscrupulous messages]. Install applications downloaded from reputed application market only. Users must be aware while clicking on links during web search
Update software and operating systems with the latest patches. Outdated applications and operating systems are the targets of most attacks.
Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
It is advised to block office applications from creating executable files.
Install ad blockers to combat exploit kits such as Fallout that are distributed via malicious advertising.
Prohibit external FTP connections and blacklist downloads of known offensive security tools.
All operating systems and applications should be kept updated on a regular basis. Virtual patching can be considered for protecting legacy systems and networks. This measure hinders cybercriminals from gaining easy access to any system through vulnerabilities in outdated applications and software. Avoid applying updates / patches available in any unofficial channel.
Restrict execution of Power shell /WSCRIPT in an enterprise environment. Ensure installation and use of the latest version of PowerShell, with enhanced logging enabled. Script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis. https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
Users are advised to disable their RDP if not in use, if required, it should be placed behind the firewall and users are to bind with proper policies while using the RDP.
Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
Consider encrypting the confidential data as the ransomware generally targets common file types.
Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
Network segmentation and segregation into security zones - help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.

References: