RedLine Stealer is a credential-stealing malware distributed via phishing URLs, malicious Chrome extensions, and loader chains, with campaigns impacting healthcare and manufacturing sectors. Splunk’s Threat Research Team analyzes a RedLine Loader, its defense evasion, and data-exfiltration capabilities, and maps detections to MITRE techniques while offering blue-team playbooks.
Keypoints
- RedLine Stealer is distributed through phishing URLs, social engineering, and malicious links, with campaigns affecting healthcare and manufacturing sectors (notably a May 10, 2023 Chrome extension campaign involving Smoke Loader and Amadey).
- The RedLine Loader is a self-extracting archive that deploys multiple components, including shellcode decryptors and a .NET defense-evasion module (it532878.exe).
- Defense evasion includes privilege escalation and disabling security controls (WinDefend, Tamper Protection) as well as disabling Windows Update services.
- RedLine uses a C2-based configuration flow: decrypting an initial config (Base64 + XOR), checking a C2 connection, and downloading or enabling settings via a ScanningArg data structure.
- The malware’s capabilities cover extensive data collection: system information, browser data, credentials from browsers, wallet extensions, VPN profiles, FileZilla credentials, and tokens; it can also take screenshots.
- A MITRE ATT&CK mapping is provided with detections covering 25 techniques; granular detections and Splunk playbooks automate response and enrichment.
- IOCs include sample hashes, Chrome extension IDs, and targeted wallet extension identifiers used by RedLine Stealer to exfiltrate data.
MITRE Techniques
- [T1566.001] Phishing – The operators use phishing URL links to gain initial access. “One common initial access technique that this Trojan Stealer uses is a phishing URL link.”
- [T1027] Deobfuscate/Decode Files or Information – The malware decrypts its initial configuration data using Base64 and XOR to connect to its C2. “decrypting its initial configuration data, which is often encoded or encrypted… a combination of Base64 and XOR functions.”
- [T1548] Abuse Elevation Control Mechanism – Escalates its privilege to administrator or TrustedInstaller. “Escalate its privilege as administrator or trustedinstaller”
- [T1562.001] Impair Defenses – Attempt to disable security controls including WinDefend, Tamper Protection, and Windows Update services. “Try to disable Windows Defender service ‘WinDefend’… Try to Disable AntiSpyware, Real Time Protection and notification of Windows Defender.”
- [T1113] Screen Capture – Capture a screenshot of the target host as part of data collection. “capture a screenshot of the targeted or compromised host as part of its data collection and exfiltration.”
- [T1082] System Information Discovery – Gather comprehensive system data (host, OS, hardware, etc.). “Gather System Information” and related function descriptions.
- [T1555.003] Credentials from Web Browsers – Crack browser passwords and other credentials stored in browsers. “Cracking Browser Password… decrypt the password saved in the chrome browser.”
- [T1012] Query Registry – Enumerate installed software by querying the registry. “Parse all installed application in the compromised host by querying ‘SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall’ registry”
- [T1057] Process Discovery – List running processes to understand the host environment. “ListProcesses() retrieves process list and process information”
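The T1562.001 entry above lists the concrete actions the loader takes against Windows Defender and Windows Update (stopping WinDefend, disabling AntiSpyware and real-time protection, disabling update services). The following is an added detection sketch, not one of Splunk’s published searches: it runs two rules over constructed Sysmon-style events (registry value set, EventID 13; process create, EventID 1) and flags the Defender policy values and service-control commands that correspond to those actions. The event dictionaries, paths and image names are constructed for the example; the value names under the Windows Defender policy key and the WinDefend/wuauserv service names are real Windows identifiers.

```python
import re

# Defender policy values that, when set to 1, turn protection off.
DEFENDER_DISABLE_VALUES = {
    "DisableAntiSpyware",
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
}
# Services whose stop/disable is suspicious when driven by an unexpected process.
PROTECTED_SERVICES = {"windefend", "wuauserv", "wscsvc"}

_STOP_CMD = re.compile(r"^\s*(?:sc|net)(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)
_DISABLE_CMD = re.compile(r"^\s*sc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled", re.IGNORECASE)


def _dword_value(details: str):
    """Sysmon renders DWORD writes as 'DWORD (0x00000001)'; pull out the integer."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(m.group(1), 16) if m else None


def check_registry_event(ev: dict):
    """Rule 1: a Defender 'Disable*' policy value written as non-zero."""
    target = ev.get("TargetObject", "")
    if "Windows Defender" not in target:
        return None
    value_name = target.rsplit("\\", 1)[-1]
    if value_name not in DEFENDER_DISABLE_VALUES:
        return None
    if _dword_value(ev.get("Details", "")) != 1:
        return None  # resetting the value to 0 is not impairment
    return {"technique": "T1562.001", "rule": "defender_policy_disabled",
            "value": value_name, "image": ev.get("Image", "")}


def check_process_event(ev: dict):
    """Rule 2: sc/net used to stop or disable a protected service."""
    cmd = ev.get("CommandLine", "")
    for rx, action in ((_STOP_CMD, "stop"), (_DISABLE_CMD, "disable")):
        m = rx.match(cmd)
        if m and m.group(1).lower() in PROTECTED_SERVICES:
            return {"technique": "T1562.001", "rule": f"service_{action}",
                    "service": m.group(1).lower(), "image": ev.get("Image", "")}
    return None


def detect_defense_impairment(events):
    """Apply both rules to a stream of Sysmon-style events and return the alerts."""
    alerts = []
    for ev in events:
        hit = None
        if ev.get("EventID") == 13:
            hit = check_registry_event(ev)
        elif ev.get("EventID") == 1:
            hit = check_process_event(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample events (illustrative; not telemetry from the blog).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc stop WinDefend"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc query WinDefend"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\gpupdate.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc config wuauserv start= disabled"},
]


if __name__ == "__main__":
    for alert in detect_defense_impairment(SAMPLE_EVENTS):
        print(alert)
```

The registry rule deliberately ignores writes of 0 and the process rule ignores `sc query`, so the example yields four alerts from six events; in production the `image` field is what you would join against an allow-list of management tooling to suppress legitimate policy changes.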
Indicators of Compromise
- [Hash (SHA256)] RedLine samples – 5112ff1b75d9c33d10efafcbacdb4e2116280c1f5f3e6b6a64b44279997d96ee, 8f45a89978ea72a7c3304c93cc56ac18087663ae33daa9f30f919652ba961175, and 2 more hashes
- [Hash (SHA256)] Loader samples – eb8a15b1a42127970e7facc6133131dcc073a201419d8cc88c3c316819d1c2a2
- [Chrome Extension ID] Wallet-focused extensions – ibnejdfjmmkpcnlpebklmnkoeoihofec (Tronlink), jbdaocneiiinmjbjlgalhcelgbejmnid (NiftyWallet), and 2 more IDs
- [Domain] Top hosting domains used for malware delivery – github.com, dropbox.com, and 2 more domains
- [File name] Loader and infection chain files – lr657198.exe, zifq8846.exe, and 1 more file