A Detailed Analysis of the RedLine Stealer

Executive Summary: What is Redline Stealer?

RedLine is a stealer distributed as cracked games, applications, and services.

The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc. The stealer implements the following actions that extend its functionality: Download, RunPE, DownloadAndEx, OpenLink, and Cmd. The extracted information is converted to the XML format and exfiltrated to the C2 server via SOAP messages.

Redline Stealer Analysis and Findings

SHA256: E3544F1A9707EC1CE083AFE0AE64F2EDE38A7D53FC6F98AAB917CA049BC63E69

The initial executable is disguised as a Netflix checker and is a dropper for the main payload. The malware extracts a resource that will be decrypted and saved in the %AppData% directory:

figure-1-1
Figure 1
figure-2-1
Figure 2

The extracted resource is decrypted using the AES algorithm, with the key and IV being hard-coded in the executable:

figure-3-1
Figure 3

The decrypted payload is saved in a file called “winlogon.exe”. The RedLine stealer is spawned by the process:

figure-4-1
Figure 4

The malware is deobfuscated using the de4dot tool. The following modules reveal some hints about the stealer’s functionalities:

figure-5-1
Figure 5

The stealer communicates with the C2 server using SOAP messages. The following SOAP requests can be specified:

figure-6-1
Figure 6

The process stores data such as the antiviruses, a list of installed input languages, a list of installed programs, a list of running processes, and information about the processors and the graphics device in a class called ScanDetails, as highlighted below:

figure-7-1
Figure 7

The malware can locate and exfiltrate documents, CSV files, text files, and other types specified by the C2 server:

figure-8-1
Figure 8

The malicious process could enable/disable some functionalities based on the SOAP response. For example, by specifying a false value in the ScanWallets field, the binary doesn’t scan the system for crypto wallets:

figure-9-1
Figure 9

The stealer stores the following data in a structure called ScanResult:

  • An ID that corresponds to the infected machine
  • The Release ID that is hard-coded in the binary
  • The machine name which is in fact the username associated with the process
  • The OS version
  • The culture of the current input language
figure-10-1
Figure 10

When communicating with the C2 server, the stealer creates a BasicHttpBinding object that uses HTTP as the transport for sending SOAP messages. Windows Communication Foundation (WCF) uses XmlDictionary instances when serializing and deserializing SOAP messages. A new XmlDictionaryReaderQuotas object that contains several quotas used by the XmlDictionaryReader class is created:

figure-11-1
Figure 11

The malicious binary creates a channel factory that will be used during the network communications by initializing a new instance of the ChannelFactory class:

figure-12-1
Figure 12

The C2 server “siyatermi.duckdns[.]org:17044” and the Release ID are hard-coded in the malware. Other versions of the RedLine stealer stored them in an encrypted form:

figure-13-1
Figure 13

An example of network communications with the C2 server was downloaded from Any.Run sandbox and is displayed in figure 14. We can notice some IP addresses corresponding to VPNs or online sandboxes that the malware wants to avoid:

figure-14-1
Figure 14

The following image reveals the data exfiltration process performed by RedLine:

figure-15-1
Figure 15

The stealer creates a folder called “YandexYaAddon” in the “AppDataLocal” directory:

figure-16-1
Figure 16

The file uses the BcryptOpenAlgorithmProvider API in order to load and initialize the AES CNG provider. The algorithm’s chaining mode is set to Galois/counter mode (GCM):

figure-17-1
Figure 17

BCryptImportKey is utilized to import a symmetric key from a data BLOB:

figure-18-1
Figure 18

The process can decrypt a block of data by calling the BCryptDecrypt routine:

figure-19-1
Figure 19

The malware obtains information such as the public IP of the machine, the country, zip code, etc. by querying the following websites: https[:]//api.ip.sb/geoip, https[:]//api.ipify.org, or https[:]//ipinfo.io/ip. The WebClient.DownloadData method is used to download the resource:

figure-20-1
Figure 20

RedLine stealer searches the filesystem for the following directories: “Windows”, “Program Files”, “Program Files (x86)”, and “Program Data”:

figure-21-1
Figure 21

The malware calls the GetDirectories and GetFiles methods in order to extract the targeted files. It creates a list that contains the full path of the files:

figure-22-1
Figure 22

The executable creates a unique temporary file by calling the GetTempFileName function. It copies a file to a new location using CopyFile:

figure-23-1
Figure 23

The process implements a XOR function between two objects. The result of the function is a string:

figure-24-1
Figure 24

The JavaScriptSerializer.Deserialize method is utilized to convert the JSON string to an object of type T:

figure-25-1
Figure 25

The ShowWindow function is used to hide the current window (0x0 = SW_HIDE):

figure-26-1
Figure 26

4 Types of Redline Stealer Information Stealing

Browsers

The stealer targets Chromium-based browsers (for example, Chrome and Opera) and Gecko-based browsers (for example, Mozilla Firefox). The process is looking for the Opera GX browser in the following directories:

figure-27-1
Figure 27

The malware specifies new browser paths in the ScanChromeBrowsersPaths and ScanGeckoBrowsersPaths node values from the SOAP response.

The binary searches the file system for the following SQLite databases:

figure-28-1
Figure 28

The original_url, username_value, and password_value values are extracted from the logins table found in the “Login Data” database. These values are used in account.URL, account.Username and account.Password, respectively:

figure-29-1
Figure 29

The host_key, path, is_secure, expires_utc, name, and encrypted_value values are extracted from the Cookies file:

figure-30-1
Figure 30

The value and name entries from the autofill table found in the “Web Data” database are retrieved by the malware:

figure-31-1
Figure 31

The card_number_encrypted, name_on_card, expiration_month, and expiration_year values from the credit_cards table found in the “Web Data” database are retrieved by the process:

figure-32-1
Figure 32

After gathering all the data, the process creates a scannedBrowser object that contains the browser name and profile and the information extracted above:

figure-33-1
Figure 33

RedLine stealer obfuscates some strings by adding extra letters. It tries to locate the cookies.sqlite database in the “AppDataRoaming” directory:

figure-34-1
Figure 34

The host, path, isSecure, expiry, name, and value entries are extracted from the moz_cookies table found in the cookies.sqlite file:

figure-35-1
Figure 35

Cryptocurrency Wallets

The stealer targets the following wallets, which are browser extensions: YoroiWallet, Tronlink, NiftyWallet, Metamask, MathWallet, Coinbase, BinanceChain, BraveWallet, GuardaWallet, EqualWallet, JaxxxLiberty, BitAppWallet, iWallet, Wombat, AtomicWallet, MewCx, GuildWallet, SaturnWallet, and RoninWallet (see figure 36).

figure-36-1
Figure 36

The first target is Armory, which stores the wallet in the “%AppData%Armory” directory (“Recoursive” [sic]):

figure-37-1
Figure 37

Atomic Wallet stores its files in the “%AppData%atomic” folder:

figure-38-1
Figure 38

The malware also targets the Exodus wallet, as shown in figure 39:

figure-39-1
Figure 39

The binary searches for the “com.liberty.jaxx” directory that corresponds to the Jaxx Liberty wallet:

figure-40-1
Figure 40

Guarda Wallet stores its files in the “%AppData%Guarda” directory:

figure-41-1
Figure 41

The binary is looking for files corresponding to the Coinomi wallet as well:

figure-42-1
Figure 42

RedLine stealer uses the GetFolderPath function in order to find the “%AppData%Electrumwallets” folder:

figure-43-1
Figure 43

The malicious process tries to identify a folder that corresponds to an Ethereum wallet:

figure-44-1
Figure 44

There is also a generic search that is looking for a file called “wallet.dat” or “wallet” in the “%AppData%” directory:

figure-45-1
Figure 45

The GetLogicalDrives method is utilized to retrieve the names of the logical drives on the local computer. The stealer can specify additional files/extensions that should be located in the “%DSK_23%” field:

figure-46-1
Figure 46

Different applications

The stealer extracts the Discord tokens and chat logs from the “.log” and “.ldb” files:

figure-47-1
Figure 47

The malicious process opens the “FileZillarecentservers.xml” file:

figure-48-1
Figure 48

The binary creates an XmlTextReader object and then an XmlDocument object. It loads the XML file opened above and constructs a list of accounts:

figure-49
Figure 49

The malware extracts the following fields from the XML file: Host, User, Pass, and Port. These values are used to populate account.Username, account.Password, and account.URL:

figure-50
Figure 50

RedLine stealer extracts the Steam client path from the “SteamPath” registry value:

figure-51
Figure 51

The SSFN and VDF files are targeted for exfiltration by the stealer:

figure-52
Figure 52

The process is looking for the folder that contains the Telegram application. The session data including images and conversations is stored in the “tdata” directory:

figure-53
Figure 53

The executable also looks for the “Telegram Desktoptdata” directory on the machine:

figure-54
Figure 54

VPN software

RedLine stealer searches the filesystem for the “%USERPROFILE%AppDataLocalNordVPN” directory, which corresponds to the NordVPN software:

figure-55
Figure 55

The credentials stored in the “user.config” file are extracted by the malware, as highlighted in the figure below:

figure-56
Figure 56

The credentials are decoded from Base64 and then stored in Account.Username and Account.Password:

figure-57
Figure 57

The malicious executable steals the OpenVPN config file found at “%AppData%OpenVPN Connectprofiles”:

figure-58
Figure 58

The process tries to locate and exfiltrate the Proton VPN configuration files as well:

figure-59
Figure 59

Host information

The binary extracts the processor name and the number of cores by running the following WMI query:

figure-60
Figure 60

The name of the video controller and the memory size are retrieved via another WMI query:

figure-61
Figure 61

The malware obtains a list of antivirus/antispyware products and third-party firewalls:

figure-62
Figure 62

The OpenSubKey method is utilized to open the “SOFTWAREClientsStartMenuInternet” registry key. The name of a browser is obtained via a function call to GetValue and then the path from the “shellopencommand” registry key:

figure-63
Figure 63

The malicious process extracts the serial number of the physical disk drives:

figure-64
Figure 64

The list of running processes is retrieved by running the “SELECT * FROM Win32_Process” query. The malware creates a list that contains the session ID of the current process, the process ID and the name of a process extracted from the query, and the command line:

figure-65
Figure 65

Another similar function is used to obtain a list of running processes’ name and the path to the executable files:

figure-66
Figure 66

OpenSubKey is utilized to open the “SOFTWAREMicrosoftWindowsCurrentVersionUninstall” registry key, which contains the installed programs. The purpose is to extract the program name and version:

figure-67
Figure 67

RedLine stealer gets a list of all installed input languages:

figure-68
Figure 68

The total amount of physical memory available to the OS is retrieved by running the “SELECT * FROM Win32_OperatingSystem” WMI query:

figure-69
Figure 69

The binary extracts the Windows product name and the processor architecture:

figure-70
Figure 70

The process computes an MD5 hash by creating an MD5CryptoServiceProvider object and then calling the ComputeHash method:

figure-71
Figure 71

The stealer computes the MD5 hash of a concatenation of the network domain name, the username, and the serial number extracted before. It is used as the machine ID and will appear in the network traffic:

figure-72
Figure 72

The executable location is retrieved from the “Assembly.GetExecutingAssembly.Location” property:

figure-73
Figure 73

The malicious binary retrieves the input language for the current thread, the current time zone name, and the OS version. The extracted values are stored in a ScanResult structure:

figure-74
Figure 74
figure-75
Figure 75

The ScanResult.MachineName value is set to the username extracted from the Environment.UserName property:

figure-76
Figure 76

The malware creates a new Graphics object from the current user session’s desktop using the Graphics.FromHwnd method. It retrieves the vertical height in pixels and the vertical height of the entire desktop in pixels using GetDeviceCaps (10 = VERTRES, 117 = DESKTOPVERTRES):

figure-77
Figure 77

The executable creates a rectangle representing the bounds of the primary screen:

figure-78
Figure 78

The Graphics.CopyFromScreen method is utilized to make a capture of the screen:

figure-79
Figure 79

The resulting image is saved to a memory stream in the PNG format (see figure 80). The buffer containing the screenshot is encoded using Base64 and exfiltrated in the Monitor entry of the network traffic.

figure-80
Figure 80

Remote Task Actions

The following actions are implemented by the stealer:

figure-81
Figure 81

The C2 server can specify an entry such as “<URL>|<PathOfFile>” in the network traffic. An additional file can be downloaded from the URL by calling the WebClient.DownloadData method and then saved in the file path mentioned above:

figure-82
Figure 82
figure-83
Figure 83

There is a second similar action called “DownloadAndEx”. The difference is that the new file is executed by calling the Process.Start function:

figure-84
Figure 84
figure-85
Figure 85

RedLine stealer can specify a command that is executed by the CMD.exe process. In this case, no window is created:

figure-86
Figure 86

The malicious process can open a specific URL by calling the Process.Start method:

figure-87
Figure 87

Indicators of Compromise

SHA256

E3544F1A9707EC1CE083AFE0AE64F2EDE38A7D53FC6F98AAB917CA049BC63E69

Directory created

%LocalApplicationData%YandexYaAddon

Process spawned

%AppData%winlogon.exe

C2 server

siyatermi.duckdns[.]org:17044

Source: https://securityscorecard.com/research/detailed-analysis-redline-stealer