Cyfirma analyzes a new RedLine Stealer variant that is distributed as a counterfeit document inside a zip archive containing a batch script. The malware uses obfuscated PowerShell as a dropper, hides its payload, and exfiltrates stolen data to a C2 hosted at kosarrezanezhad2022.pserver.space. #RedLineStealer #BatchScript #PowerShell #MaaS #kosarrezanezhad2022pserverspace
Keypoints
- RedLine Stealer is distributed under the guise of fake documents or software, delivered via phishing.
- It employs multi-level obfuscation to evade detection.
- The dropper is an obfuscated PowerShell script; it copies legitimate PowerShell to the working directory and runs from there.
- The malware drops a hidden OS-protected executable (A1.exe) and runs it to carry out theft.
- RedLine Stealer can harvest credentials and data from web browsers, email clients, messaging apps, and financial/crypto sources.
- It collects system information (IP, location, software, certificates, VPN, documents) and exfiltrates at regular intervals to a C2 server located at 80.85.152.191:27465/kosarrezanezhad2022.pserver.space.
MITRE Techniques
- [T1566.001] Phishing – “The malware is originally distributed as a zip archive named installment-papers.zip, disguised as a document related to a financial transaction, and usually delivered to the victim via phishing.”
- [T1204.002] Malicious File – “The batch file contains a meaningless long comment, to give a fuzzy look to the content of the file.”
- [T1027] Obfuscated/Compressed Files and Information – “The content of the file is obfuscated” (the report notes that the layered obfuscation is intended to evade detection).
- [T1059.001] PowerShell – “obfuscated PowerShell script as dropper and to execute the malware.”
- [T1059.003] Windows Command Shell – “Upon executing the batch file, it launches a Windows command prompt (minimized) …”
- [T1564.001] Hidden Files and Directories – “The properties of the … bat.exe … are changed to operating-system-protected file, which hides the executable”
- [T1555.003] Credentials from Web Browsers – “capable of extracting sensitive data from a wide range of sources such as web-browsers, email clients, messaging apps.”
- [T1082] System Information Discovery – “gathers system information including IP address, location, username, operating system version, system configuration.”
- [T1083] File and Directory Discovery – “searches the compromised system for the installed software, system certificates, connected phones data, VPN client, text and office documents, wallet, and seed information.”
- [T1518] Software Discovery – “Looks for the installed software, system certificates, connected phones data, VPN client…”
- [T1016] System Network Configuration Discovery – “system configuration” (network/configuration data).
- [T1102] Web Service – “C2 communication” with a remote server.
- [T1102.002] Bidirectional Communication – “The C2 sends the response against the request” (two-way exchange).
- [T1041] Exfiltration Over C2 Channel – “Exfiltrates the gathered data to the adversary at regular intervals.”
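The techniques above map to a few host-telemetry checks a defender can write directly: powershell.exe executing from a non-standard copy, attrib setting hidden+system on a dropped binary, a minimized cmd.exe launching a batch file, and a connection to the C2 endpoint named in the report. The following detection logic is an added example, not code from Cyfirma or the report; the Sysmon-like key=value event lines it runs over are constructed, and the batch file name is written in plain ASCII as a stand-in for the lure's Unicode name.

```python
import re

# Constructed sample events in a simplified Sysmon-like key=value format
# (not real telemetry from the report). Line 5 is a benign control.
SAMPLE_EVENTS = [
    'Event=ProcessCreate Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd /c start /min installment-papers-pdf.bat"',
    'Event=ProcessCreate Image=C:\\Users\\victim\\AppData\\Local\\Temp\\installment\\powershell.exe CommandLine="powershell -w hidden -enc REDACTED_B64"',
    'Event=ProcessCreate Image=C:\\Windows\\System32\\attrib.exe CommandLine="attrib +s +h A1.exe"',
    'Event=NetworkConnect Image=C:\\Users\\victim\\AppData\\Local\\Temp\\installment\\A1.exe DestinationIp=80.85.152.191 DestinationPort=27465',
    'Event=ProcessCreate Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell Get-Process"',
]

# Directories from which the real PowerShell host normally runs (assumption).
LEGIT_POWERSHELL_DIRS = (
    "c:\\windows\\system32\\windowspowershell\\",
    "c:\\windows\\syswow64\\windowspowershell\\",
)
# C2 endpoint as published in the report.
C2_IP, C2_PORT = "80.85.152.191", "27465"

# key=value pairs; values may be double-quoted (to allow spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value event line into a dict of string fields."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def detect(event):
    """Return a list of (technique_id, reason) findings for a single event."""
    findings = []
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    name = image.rsplit("\\", 1)[-1]
    if event.get("Event") == "ProcessCreate":
        # T1059.001: powershell.exe copied out of its normal location and run from there
        if name == "powershell.exe" and not image.startswith(LEGIT_POWERSHELL_DIRS):
            findings.append(("T1059.001", f"powershell.exe running from {image}"))
        # T1564.001: dropped binary marked hidden + system via attrib
        if name == "attrib.exe" and "+s" in cmd and "+h" in cmd:
            findings.append(("T1564.001", f"attrib sets hidden+system on {cmd.split()[-1]}"))
        # T1059.003: minimized command prompt launching a batch file
        if name == "cmd.exe" and "/min" in cmd and ".bat" in cmd:
            findings.append(("T1059.003", "minimized cmd.exe launching a batch file"))
    elif event.get("Event") == "NetworkConnect":
        # T1041: outbound connection to the known C2 IP:port
        if event.get("DestinationIp") == C2_IP and event.get("DestinationPort") == C2_PORT:
            findings.append(("T1041", f"{name} connected to known C2 {C2_IP}:{C2_PORT}"))
    return findings


def scan(lines):
    """Run detect() over every line; returns (line_index, finding) pairs in order."""
    return [(i, f) for i, line in enumerate(lines) for f in detect(parse_event(line))]
```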
Indicators of Compromise
- [IP Address] C2 / Command and Control – 80.85.152.191
- [Domain] C2 Host – kosarrezanezhad2022.pserver.space
- [File Name] Archive – installment-papers.zip
- [File Name] Batch – installment-papers-𝘱𝘥𝘧.bat
- [File Name] Dropper – A1.exe
- [File Name] Dropper – Pumicate.exe