RedLine Stealer is an information-stealing malware that harvests credentials and other sensitive data from browsers and apps, and it can deliver other malicious programs like ransomware, RATs, trojans, and miners. It leverages social engineering to spread via email campaigns and is analyzed using ANY.RUN for lifecycle and behavior insights. #RedLineStealer #AnyRun #Proofpoint #Raccoon #Pony
Keypoints
- RedLine Stealer is an infostealer that targets passwords, credit card details, usernames, autofill data, cookies, and even hardware configurations.
- Attacks often deliver additional malware (ransomware, RATs, trojans, miners) using RedLine as a delivery mechanism.
- It is a .NET-based program written in C# with relatively high code quality, indicating skilled developers behind its updates and features.
- Delivery relies on social engineering and email campaigns (phishing, BEC, fake updates) with various file formats (Office, PDF, RAR/ZIP, EXE, JavaScript).
- RedLine can download secondary payloads and perform actions like uploading/downloading files and executing commands before exiting.
- ANY.RUN is used to analyze RedLine, showing its lifecycle and enabling deeper inspection via customizable reports.
- Detection is aided by Suricata IDS triggers when the infostealer starts transmitting stolen data to its C2 panel.
MITRE Techniques
- [T1555.003] Credentials from Web Browsers β Takes information from browsers, systems instant messaging, and file transfer protocol clients. Quote: βThe main target is passwords, credit card information, username, location, autofill data, cookies, software set, and even hardware configuration like keyboard layout, UAC settings, etc.β
- [T1566.001] Phishing: Spearphishing Attachment β Uses social engineering for email campaigns including business email compromise, spam, fake updates, ads in Google result in malicious attachments or links. Quote: βsocial engineering for different email campaigns including business email compromise, spam, fake updates, ads in Google result in malicious attachments or links.β
- [T1105] Ingress Tool Transfer β Downloads and executes additional payloads; used to download other malicious programs after opening attachments. Quote: βIf you open the files in the attachment, RedLine will download other malicious programs.β
- [T1071.001] Web Protocols β Exfiltrates data to a Command & Control panel over web protocols. Quote: βsends it to the Command & Control panel.β
- [T1027] Obfuscated/Compressed Files and Information β Stolen information is sent in non-encrypted and base64 encoded formats. Quote: βStolen information is sent in both non-encrypted and base64 encoded formats.β
Indicators of Compromise
- [File] Attachments used for delivery β Office, PDF, RAR and ZIP, Executable files, JavaScript
- [Domain] Any.Run platform β used for malware analysis and visualization (ANY.RUN)
- [URL] Source page β https://any.run/malware-trends/redline
Read more: https://any.run/malware-trends/redline