Keypoints
- Operation Magnus (Oct 28, 2024) resulted in seizure of servers/domains and arrests tied to RedLine Stealer and META Stealer.
- ESET and partners previously disrupted GitHub-based dead-drop resolvers for RedLine in April 2023 and later analyzed backend modules.
- Researchers identified over 1,000 unique IPs hosting RedLine control panels and multiple backend servers across several countries.
- RedLine’s 2023 versions used WCF over TCP; the 2024 edition moved to a REST API (Nodes.Api) over HTTPS and consolidated backend modules.
- Affiliates buy or crack RedLine panels to generate malware samples; the backend builds, obfuscates, and signs samples (self-signed or stolen certificates).
- Evidence in source code and shared certificates shows RedLine and META Stealer likely share the same creator/operators.
MITRE Techniques
- [T1583.003] Acquire Infrastructure: Virtual Private Server – Instances of the RedLine back end are hosted on leased virtual private servers. [‘Instances of the RedLine back end are hosted on leased virtual private servers.’]
- [T1583.004] Acquire Infrastructure: Server – Instances of the RedLine back end are hosted on servers that appear to be exclusive to RedLine. [‘Instances of the RedLine back end are hosted on servers that appear to be exclusive to RedLine.’]
- [T1583.006] Acquire Infrastructure: Web Services – Operators created multiple GitHub accounts and repositories used as dead-drop resolvers. [‘Operators of RedLine have created multiple GitHub accounts and repositories.’]
- [T1587.001] Develop Capabilities: Malware – Operators developed malware families, control panels, and back-end servers for RedLine. [‘Operators of RedLine have developed their own malware families, control panels, and back-end servers.’]
- [T1587.002] Develop Capabilities: Code Signing Certificates – The backend automatically generated self-signed certificates when creating samples. [‘The RedLine back end automatically generates self-signed certificates when creating samples.’]
- [T1588.003] Obtain Capabilities: Code Signing Certificates – RedLine panels were signed with valid certificates issued to AMCERT,LLC. [‘RedLine panels are signed with valid certificates issued to AMCERT,LLC.’]
- [T1608.001] Stage Capabilities: Upload Malware – Back-end components and builds are uploaded to private servers for affiliates. [‘Back-end components of RedLine are uploaded to private servers.’]
- [T1622] Debugger Evasion – The RedLine panel terminates itself if it detects a debugger or analysis tools. [‘The RedLine panel automatically terminates itself if it detects a debugger or analysis tools.’]
- [T1027.002] Obfuscated Files or Information: Software Packing – Panels and samples are packed using DNGuard and BoxedApp (and later .NET Reactor). [‘Samples of the RedLine panel are packed using DNGuard and BoxedApp.’]
- [T1132.001] Data Encoding: Standard Encoding – RedLine uses extensive base64 and WCF binary encoding in communications. [‘RedLine makes extensive use of base64 encoding in its network communications.’]
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Communications and some dead-drop files use AES encryption. [‘Communications between the panel and back-end server use AES encryption.’]
- [T1573.002] Encrypted Channel: Asymmetric Cryptography – Communications and dead-drop content may use RSA encryption. [‘Communications between the panel and back-end server use RSA encryption.’]
- [T1071.001] Application Layer Protocol: Web Protocols – Recent versions communicate via a REST API over HTTPS (Nodes.Api). [‘Network communication in recent versions is done via a REST API over HTTPS.’]
- [T1095] Non-Application Layer Protocol – Older versions used WCF over TCP for component communication. [‘Network communication is done with the WCF Framework over TCP.’]
- [T1102.001] Web Service: Dead Drop Resolver – GitHub repositories were used as dead-drop resolvers to obtain backend server addresses. [‘The RedLine panel uses GitHub repositories as dead-drop resolvers to obtain the address of back-end servers.’]
- [T1571] Non-Standard Port – By default the panel’s Guest Links HTTP server listens on port 7766; the LoadBalancer component listens on 8778 and the builder’s default C2 port is 6677. [‘By default, the RedLine panel’s Guest Links functionality runs an HTTP server on port 7766.’]
Indicators of Compromise
- [SHA-1 hashes] Backend and panel samples – 1AD92153B56FC0B39F8FCEC949241EC42C22FA54 (Nodes.Api.exe), FB3ABAC1FAC852AE6D22B7C4843A04CE75B65663 (Panel.exe), and many other hashes listed in the ESET repository.
- [Filenames] Build and module names seen in samples – Nodes.Api.exe, RedLine.MainPanel.exe, Panel.exe (META/RedLine).
- [Domains] Backend REST servers – fivto[.]online (RedLine backend), spasshik[.]xyz (META backend).
- [Certificate thumbprint] Suspected signing certificate – 28F9A8E7601F5338BF6E194151A718608C0124A8 (used to sign many RedLine samples).
- [Ports] Network/service ports – port 8778 (LoadBalancer listener), default C2 port 6677 (builder default), Guest Links HTTP server 7766.
- [Files/config] Dead-drop resolver files – nodes.config, nodesUpdate.config (encrypted lists of backend server addresses hosted in GitHub repos).
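The IOC list above is only useful if it is matched against telemetry with the right confidence attached: a hash, signer-thumbprint or domain hit is strong evidence, a module filename is moderate, and a bare port match (7766, 8778, 6677 are not exclusive to RedLine) is weak on its own. The script below is an added example written for this page, not ESET’s or the RedLine operators’ code; the `dns`/`flow`/`file` key=value log format and the sample records are constructed for illustration, and only the IOC values themselves come from the list above.

```python
"""Match constructed telemetry against the RedLine/META IOCs listed on this page.

Added example (not ESET's code). The log format and sample records are constructed;
only the domains, hashes, thumbprint, filenames and ports are taken from the IOC list.
"""
import re

# --- IOC values from the page ---------------------------------------------
IOC_DOMAINS = {"fivto.online": "RedLine backend", "spasshik.xyz": "META backend"}
IOC_SHA1 = {
    "1AD92153B56FC0B39F8FCEC949241EC42C22FA54": "Nodes.Api.exe",
    "FB3ABAC1FAC852AE6D22B7C4843A04CE75B65663": "Panel.exe",
}
IOC_CERT_THUMBPRINT = {"28F9A8E7601F5338BF6E194151A718608C0124A8": "suspected RedLine signing cert"}
# Panel.exe is deliberately left out of the filename set: far too generic to match on name alone.
IOC_FILENAMES = {"nodes.api.exe", "redline.mainpanel.exe", "nodes.config", "nodesupdate.config"}
IOC_PORTS = {7766: "Guest Links HTTP", 8778: "LoadBalancer listener", 6677: "builder default C2"}

# Confidence per IOC type: ports are shared with plenty of benign software.
SEVERITY = {"sha1": "high", "cert": "high", "domain": "high", "filename": "medium", "port": "low"}
RANK = {"low": 0, "medium": 1, "high": 2}

KV = re.compile(r"(\w+)=(\S+)")  # constructed "key=value" telemetry format


def parse_line(line):
    """'dns host=x qname=y' -> ('dns', {'host': 'x', 'qname': 'y'})."""
    kind, _, rest = line.strip().partition(" ")
    return kind, dict(KV.findall(rest))


def match_record(kind, rec):
    """Return (severity, ioc_type, value, description) tuples for one record."""
    hits = []
    if kind == "dns":
        q = rec.get("qname", "").lower().rstrip(".")  # normalise trailing dot / case
        for dom, desc in IOC_DOMAINS.items():
            if q == dom or q.endswith("." + dom):  # exact or subdomain match
                hits.append((SEVERITY["domain"], "domain", q, desc))
    elif kind == "flow":
        try:
            port = int(rec.get("dport", -1))
        except ValueError:
            port = -1
        if port in IOC_PORTS:
            hits.append((SEVERITY["port"], "port", str(port), IOC_PORTS[port]))
    elif kind == "file":
        sha1 = rec.get("sha1", "").upper()
        if sha1 in IOC_SHA1:
            hits.append((SEVERITY["sha1"], "sha1", sha1, IOC_SHA1[sha1]))
        signer = rec.get("signer", "").upper()
        if signer in IOC_CERT_THUMBPRINT:
            hits.append((SEVERITY["cert"], "cert", signer, IOC_CERT_THUMBPRINT[signer]))
        name = rec.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in IOC_FILENAMES:
            hits.append((SEVERITY["filename"], "filename", name, "RedLine/META module name"))
    return hits


def scan(lines):
    """Run every record through the matchers; one finding dict per hit."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        kind, rec = parse_line(line)
        host = rec.get("host") or rec.get("src", "?")
        for sev, typ, val, desc in match_record(kind, rec):
            findings.append({"host": host, "severity": sev, "type": typ, "value": val, "desc": desc})
    return findings


def triage(findings):
    """Worst severity per host, so a host with only port hits stays 'low'."""
    worst = {}
    for f in findings:
        h = f["host"]
        if h not in worst or RANK[f["severity"]] > RANK[worst[h]]:
            worst[h] = f["severity"]
    return worst


# Constructed sample telemetry (hosts, IPs and the zero hash are made up).
SAMPLE_LOGS = r"""
dns host=ws-17 qname=fivto.online
dns host=ws-17 qname=api.spasshik.xyz.
dns host=ws-22 qname=example.com
flow src=ws-22 dst=203.0.113.9 dport=6677
flow src=ws-31 dst=198.51.100.4 dport=7766
file host=ws-17 path=C:\Users\a\Downloads\Panel.exe sha1=fb3abac1fac852ae6d22b7c4843a04ce75b65663 signer=28F9A8E7601F5338BF6E194151A718608C0124A8
file host=ws-31 path=C:\Tools\nodes.config sha1=0000000000000000000000000000000000000000
""".strip().splitlines()

if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for f in results:
        print(f"[{f['severity']:<6}] {f['host']:<6} {f['type']:<8} {f['value']} ({f['desc']})")
    print("triage:", triage(results))
```

On the constructed sample, ws-17 is rated high (domain, hash and signer thumbprint all hit), ws-31 medium (a `nodes.config` on disk but no hash or domain evidence) and ws-22 low (a single connection to port 6677, which on its own should only feed a hunt, not an alert). Lower-casing the qname and stripping the trailing dot matter in practice: DNS logs frequently emit FQDNs with the root dot, and a case-sensitive comparison silently misses them.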
Operation Magnus disrupted a widely used malware-as-a-service ecosystem by seizing infrastructure, arresting suspects, and taking down domains tied to RedLine Stealer and its clone META Stealer. ESET’s reverse engineering of backend modules and panels—ranging from the WCF-based 2023 architecture to the REST-based Nodes.Api in 2024—shows how operators provisioned affiliates, built and obfuscated samples, used dead-drop resolvers (GitHub and later hardcoded URLs), and handled licensing and signing.
The analysis uncovered insecure practices (plain-text password storage, default build tokens), automated build pipelines that generate self-signed certificates, and mechanisms that enabled affiliates to automate exfiltration via Telegram bots and customizable filters. Network telemetry revealed over a thousand unique panel-hosting IPs and multiple backend servers distributed across several countries, while code and certificate reuse tie RedLine and META to the same operators.
Although the takedown significantly disrupted operations and removed key servers and domains, panels still running on unseized hosts, leaked or cracked copies, and already-built samples mean RedLine activity can persist for some time. The detailed breakdown of modules, endpoints, and operational practices should help defenders detect remnants, prioritize IOCs by confidence, and understand how affiliates generated and managed malicious builds.