EclecticIQ analysts describe RedLine Stealer variants in 2023 as redeveloped, low-barrier-to-entry campaigns that rely on loaders and botnets to deliver the malware. The latest iterations emphasize WMI-based information gathering, XOR/RC4 obfuscation, targeted browser and crypto-wallet data access, and rapidly changing command-and-control infrastructure across Europe.
Keypoints
- RedLine Stealer reappears in 2023 with loader-based campaigns and botnet automation, often alongside other malware.
- Campaigns include trojanized large-language-model software to trick users into installing RedLine Stealer.
- Variants rely heavily on Windows Management Instrumentation (WMI) for local information gathering and fingerprinting, with PowerShell modules absent in these versions.
- Code obfuscation now uses XOR and RC4; persistence is established via registry keys and services, while the malware deletes its own created files to conceal activity.
- The operation uses new, rapidly rotating infrastructure hosted in Austria and Finland, with C2 served from recently registered malicious domains.
- Targets include browsers (e.g., Firefox, Edge, Chrome) and cryptocurrency wallets (e.g., Coinomi), along with keystroke logging and system fingerprinting.
MITRE Techniques
- [T1047] Windows Management Instrumentation – WMI drives local system queries and fingerprinting.
- [T1027] Obfuscated/Compressed Files and Information – Payloads are obfuscated with XOR and RC4.
- [T1112] Modify Registry – Registry keys are modified to establish persistence.
- [T1543.003] Windows Service – System services are created or modified to support persistence.
- [T1547.001] Registry Run Keys / Startup Folder – Registry-based startup persistence.
- [T1134] Access Token Manipulation – Privilege escalation via token manipulation.
- [T1548.002] Bypass User Account Control – UAC bypass to escalate privileges.
- [T1070.004] Indicator Removal on Host – The malware deletes the files it creates to help conceal the attack.
- [T1082] System Information Discovery – Gathers information about system configuration.
- [T1057] Process Discovery – Identifies running processes during reconnaissance.
- [T1083] File and Directory Discovery – Locates files and directories for data theft.
- [T1518.001] Security Software Discovery – Detects installed security tools.
- [T1071.001] Web Protocols – Web protocols carry C2 communication.
- [T1571] Non-Standard Port – C2 communication over non-standard ports.
- [T1218.011] Rundll32 – Rundll32 used for execution or to load components.
- [T1106] Native API – Native APIs used during execution.
- [T1129] Shared Modules – Shared modules used within the malware family.
Indicators of Compromise
- [Hash] Hashes – 27e778497f153a8939069c654af632f5bf322e6cc4da39555c818f6e67411782, bf5677548650d278fad6f14ad8b20e4ad4e6a87cf4fe83a47aa5b367f30a3690, and many more hashes
- [IP] IP Addresses – 13.107.21.200, 77.91.124.251, and 78.153.130.209
- [Domain] Domains – leatherupcorp.com, mediainsightsgroup.com (and 2 more domains hosted on the same IP)
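As an added triage example (not code from the EclecticIQ report), the following Python matches the indicators listed above against constructed DNS, proxy and firewall log lines and checks a file's SHA-256 against the listed hashes; the log format and the subdomain-matching rule are assumptions. Note that 13.107.21.200 sits in address space used by Microsoft services, so an IP match on it needs corroboration rather than an alert on its own.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Indicators taken from the summary above (page values, not constructed).
IOC_HASHES = {
    "27e778497f153a8939069c654af632f5bf322e6cc4da39555c818f6e67411782",
    "bf5677548650d278fad6f14ad8b20e4ad4e6a87cf4fe83a47aa5b367f30a3690",
}
IOC_IPS = {"13.107.21.200", "77.91.124.251", "78.153.130.209"}
IOC_DOMAINS = {"leatherupcorp.com", "mediainsightsgroup.com"}

# Constructed sample log lines (DNS, proxy, firewall); the format is assumed.
SAMPLE_LOGS = [
    "2023-09-12T10:01:03Z dns client=10.0.0.15 query=www.leatherupcorp.com type=A",
    "2023-09-12T10:01:04Z proxy client=10.0.0.15 dst=77.91.124.251:8080 method=POST",
    "2023-09-12T10:01:09Z dns client=10.0.0.22 query=updates.example.org type=A",
    "2023-09-12T10:02:11Z fw src=10.0.0.15 dst=78.153.130.209 dport=4444 action=allow",
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Requires an alphabetic TLD so dotted IPs are not mistaken for host names.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def domain_matches(name: str) -> Optional[str]:
    """Return the IoC domain if name equals it or is a subdomain of it."""
    name = name.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_log_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) pairs found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for name in DOMAIN_RE.findall(line):
        ioc = domain_matches(name)
        if ioc:
            hits.append(("domain", ioc))
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Keep only the lines that contain at least one indicator hit."""
    return [(line, hits) for line in lines if (hits := scan_log_line(line))]


def file_hash_is_ioc(data: bytes) -> bool:
    """True if the SHA-256 of the file contents is one of the listed hashes."""
    return hashlib.sha256(data).hexdigest() in IOC_HASHES
```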
Read more: https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat