Keypoints
- RedEnergy stealer is a .NET malware family blending stealer and ransomware capabilities, distributed via FAKEUPDATES disguised as browser updates.
- The initial vector uses LinkedIn profile links to redirect victims to a malicious download page (www[.]igrejaatos2[.]org) that serves setupbrowser.exe.
- The infection runs in three stages: initial startup (masquerading as browser update), dropping temporary executables and establishing persistence, then downloading a final payload that performs encryption and cleanup.
- Dropped artifacts include tmp[xxxx].exe files in %USERPROFILE%\AppData\Local\Temp; one decoy is a signed Google updater while another is the malicious payload (example hash cb533957f70b4a7ebb4e8b896b7b656c).
- Network activity includes DNS/C2 resolution to 2no[.]co, attempted downloads from a Discord CDN, and suspicious FTP access on OVH (user "alulogrofp"), suggesting exfiltration and hosting reuse.
- Ransomware actions include encrypting files with the .FACKOFF! extension, modifying desktop.ini, deleting volume shadow copies and backups (vssadmin/wbadmin), dropping a batch file and the ransom note read_it.txt, and using RijndaelManaged for encryption.
MITRE Techniques
- [T1036] Masquerading: the malware impersonates legitimate browser updaters to deceive users; ["masquerades as part of a legitimate browser update"]
- [T1185] Browser Session Hijacking: the stealer harvests browser-stored information and credentials; ["steal information from various browsers"]. Note that reading credentials saved by the browser maps more precisely to T1555.003 (Credentials from Password Stores: Web Browsers); T1185 covers hijacking a live browser session.
- [T1070.006] Timestomp: file timestamps and metadata are altered to hinder timeline reconstruction and analysis; ["Timestomp"]
- [T1560] Archive Collected Data: collected data is packaged/archived for exfiltration as part of stealer functionality; ["Archive Collected Data"]
- [T1027] Obfuscated Files or Information: the .NET binary is intentionally obfuscated to evade detection and analysis; ["intentionally obfuscated by its author"]
- [T1562.001] Disable or Modify Tools: the payload disables recovery and deletes backups/shadow copies to prevent remediation; ["vssadmin delete shadows /all /quiet & wmic shadowcopy delete"]. Note that shadow-copy and backup-catalog deletion is more precisely T1490 (Inhibit System Recovery); T1562.001 applies where security tooling itself is disabled.
Indicators of Compromise
- [Domain] Download and staging โ www[.]igrejaatos2[.]org (setupbrowser.exe), cdn.discord[.]com (hosted final payload)
- [Domain] C2/DNS โ 2no[.]co (DNS resolution/C2 communication)
- [File Hashes] Payload examples โ cb533957f70b4a7ebb4e8b896b7b656c (dropper/malicious tmp.exe), fb7883d3fd9347debf98122442c2a33e (main payload), and 1 more hash
- [File Names] Executables โ setupbrowser.exe (initial downloader), SystemPropertiesProtection.exe (final payload downloaded from CDN)
- [IP Address] FTP/hosting โ 51.68.11[.]192 (extracted from passive-mode FTP interaction on OVH)
Redrafted technical procedure:
Infection begins with a FAKEUPDATES campaign: users clicking LinkedIn profile links are redirected to a malicious site (www[.]igrejaatos2[.]org) that serves setupbrowser.exe. The initial executable is an intentionally obfuscated .NET binary that masquerades as a legitimate browser updater (Chrome/Edge/Firefox/Opera); a validly signed decoy updater is dropped alongside the payload, whose own certificate does not validate. Execution proceeds through a three-stage chain where Stage 1 runs the masquerading updater and launches Stage 2 components.
Stage 2 drops multiple files to %USERPROFILE%\AppData\Local\Temp (tmp[4hex].exe pattern), including a benign-looking signed updater and the actual malicious payload (example hash cb533957f70b4a7ebb4e8b896b7b656c). Persistence is achieved by creating a startup entry (Start Menu\Programs\Startup) and forcing a reboot. Network behavior includes DNS lookups to 2no[.]co, attempted downloads from a Discord CDN (SystemPropertiesProtection.exe), and FTP activity on OVH (user "alulogrofp" accessing /assets/bootstrap/css), indicating infrastructure reuse and possible exfil/upload channels. The malware also manipulates desktop.ini and builds contextual data (including which AV product is installed) into a custom User-Agent string for C2 communications.
Stage 3 executes the final payload, which combines stealer and ransomware functions: it exfiltrates browser data, encrypts files with RijndaelManaged (appending .FACKOFF! to each file), drops a batch file to stop processes and clean up, and places a ransom note read_it.txt in encrypted folders. It disables recovery by deleting volume shadow copies and backup catalogs with commands such as "vssadmin delete shadows /all /quiet & wmic shadowcopy delete" and "wbadmin delete catalog -quiet", completing a destructive cleanup that prevents easy restoration.
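The indicators in the IOC list and the three-stage procedure above translate directly into host-hunting rules. The following is an added example (not code from the original report or from the malware authors) that runs those rules over Sysmon-style process, file and DNS events. The event shape, the sample telemetry and the exact path regexes are assumptions made for illustration; the domains, filenames, the tmp[4hex].exe pattern, the Startup folder, the .FACKOFF! extension, read_it.txt and the recovery-deletion commands are taken from the page.

```python
"""Hunt for the RedEnergy/FAKEUPDATES chain in Sysmon-style telemetry.

Added example; the Event layout and SAMPLE_EVENTS are constructed here
and are not telemetry from the original report.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process", "file" or "dns" (assumed field names)
    image: str = ""    # process image path, for process events
    cmdline: str = ""  # full command line, for process events
    target: str = ""   # file path (file events) or queried name (dns events)


# Constructed sample telemetry modelled on the chain described above.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Users\alice\Downloads\setupbrowser.exe",
          cmdline="setupbrowser.exe"),
    Event("file", target=r"C:\Users\alice\AppData\Local\Temp\tmp3F2A.exe"),
    Event("file", target=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                         r"\Start Menu\Programs\Startup\tmp3F2A.exe"),
    Event("dns", target="2no.co"),
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          cmdline="cmd.exe /c vssadmin delete shadows /all /quiet "
                  "& wmic shadowcopy delete"),
    Event("process", image=r"C:\Windows\System32\wbadmin.exe",
          cmdline="wbadmin delete catalog -quiet"),
    Event("file", target=r"C:\Users\alice\Documents\budget.xlsx.FACKOFF!"),
    Event("file", target=r"C:\Users\alice\Documents\read_it.txt"),
    # Two benign events to show the rules do not fire on ordinary activity.
    Event("process", image=r"C:\Windows\System32\notepad.exe",
          cmdline="notepad.exe notes.txt"),
    Event("file", target=r"C:\Users\alice\AppData\Local\Temp\tmp1234.tmp"),
]

# Stage 2 drop: tmp + four hex digits + .exe directly under %LOCALAPPDATA%\Temp.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-Fa-f]{4}\.exe$", re.I)
# Stage 2 persistence: any executable written to the per-user Startup folder.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Stage 3 recovery inhibition (T1490): the commands quoted in the report.
RECOVERY_KILL = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)
KNOWN_DOMAINS = {"2no.co", "www.igrejaatos2.org"}
KNOWN_FILES = {"setupbrowser.exe", "systempropertiesprotection.exe"}


def classify(ev: Event) -> list:
    """Return the list of rule names that fire for a single event."""
    hits = []
    if ev.kind == "process":
        if RECOVERY_KILL.search(ev.cmdline):
            hits.append("recovery inhibition")
        if ev.image.rsplit("\\", 1)[-1].lower() in KNOWN_FILES:
            hits.append("known filename")
    elif ev.kind == "file":
        name = ev.target.rsplit("\\", 1)[-1].lower()
        if TEMP_EXE.search(ev.target):
            hits.append("tmp[4hex].exe in Temp")
        if STARTUP_DIR.search(ev.target):
            hits.append("Startup folder persistence")
        if ev.target.endswith(".FACKOFF!"):
            hits.append("ransomware extension")
        if name == "read_it.txt":
            hits.append("ransom note")
    elif ev.kind == "dns":
        if ev.target.lower().rstrip(".") in KNOWN_DOMAINS:
            hits.append("known domain")
    return hits


def hunt(events) -> list:
    """All (event index, rule name) pairs across a batch of events."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]


def stages_observed(events) -> set:
    """Map rule hits back to the three stages so an analyst sees how far
    the chain progressed on a host, not just a pile of alerts."""
    stage_of = {
        "known filename": "stage1 delivery",
        "known domain": "stage1 delivery",
        "tmp[4hex].exe in Temp": "stage2 drop/persistence",
        "Startup folder persistence": "stage2 drop/persistence",
        "recovery inhibition": "stage3 ransomware",
        "ransomware extension": "stage3 ransomware",
        "ransom note": "stage3 ransomware",
    }
    return {stage_of[h] for _, h in hunt(events)}


if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("stages:", sorted(stages_observed(SAMPLE_EVENTS)))
```

The recovery-inhibition rule is the highest-confidence signal and should alert on its own: there is no routine administrative reason to chain vssadmin, wmic shadowcopy and wbadmin deletions with /quiet. The Temp and Startup rules are noisier, so they are reported as stage evidence rather than standalone alerts; in production they would be scoped to the same host and a short time window around the stage 1 indicators.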