Redline Stealer and Mozilla Thunderbird

eSentire’s Threat Response Unit details a Redline Stealer campaign against a manufacturing customer, delivered via a malicious Mozilla Thunderbird setup hosted on a lookalike thunderbiird[.]com and distributed in an ISO. The attacker uses an obfuscated AutoIT payload that injects into jsc.exe, disables Defender, and persists via a Vedesti scheduled task while RC4-encrypting the Redline payload. #RedlineStealer #MozillaThunderbird #AutoIT #JSCExe #Vedesti #thunderbiird

Keypoints

  • Redline Stealer identified in a manufacturing customer’s environment as a Malware-as-a-Service threat.
  • The victim was lured to a malicious Mozilla Thunderbird setup file distributed via an advertisement on a lookalike thunderbiird[.]com domain.
  • An ISO disc image delivered thunderbirdsetup.exe, while the setup launches the legitimate Thunderbird installer to deceive users.
  • The malware disables Defender, drops a renamed AutoIT to disk (.exe.pif), and executes a highly obfuscated AutoIT script containing an embedded payload.
  • The Redline payload is RC4 encrypted with a long key and injected into the legitimate Windows file jsc.exe (JScript Compiler).
  • A scheduled task named “Vedesti” is created to repeat the process and maintain persistence on the device.
  • Redline is described as Malware-as-a-Service with a configuration panel; campaign references include connecting to 176.124.216[.]38 and a campaign ID such as “Google New 1.”

MITRE Techniques

  • [T1189] Drive-by Compromise – The victim was lured to a malicious Mozilla Thunderbird setup file while performing a web search. The malicious setup file was distributed through an advertisement and hosted on a lookalike page on thunderbiird[.]com.
  • [T1036] Masquerading – The malicious setup file launches the legitimate Mozilla Thunderbird installer, so the user believes they downloaded a genuine program. “the setup file launches the installer for the legitimate Mozilla Thunderbird installer”
  • [T1562.001] Impair Defenses – The activity includes “disables Defender.”
  • [T1059.005] Scripting – AutoIT execution is used; the payload is delivered through an obfuscated AutoIT script. “executes a highly obfuscated AutoIT script containing an embedded payload.”
  • [T1055] Process Injection – The Redline payload is injected into the legitimate Windows file jsc.exe (JScript Compiler). “injected into the legitimate Windows file jsc.exe (JScript Compiler).”
  • [T1053] Scheduled Task – Persistence via a scheduled task named “Vedesti.”
  • [T1027] Obfuscated/Compressed Files and Information – The script is heavily obfuscated and the payload is encrypted; “This payload is never directly written to disk.”

Indicators of Compromise

  • [Domain] thunderbiird[.]com – lookalike site hosting the malicious Thunderbird setup
  • [IP] 176.124.216[.]38 – campaign server referenced in Redline configuration
  • [Hash] 96EC3C5ADF2B6FFCC148C79E98A8EEC0 – 32-hex-character (MD5-length) hash shown in the ISO delivery context
  • [File] thunderbirdsetup.exe – malicious setup file name used in the campaign
  • [File] jsc.exe – target of payload injection (JScript Compiler)
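The keypoints, MITRE techniques and indicators above describe a chain a defender can hunt for directly: the lookalike domain, the ISO-delivered setup file, a renamed AutoIT interpreter (.exe.pif), Defender tampering, jsc.exe launched by that .pif and then talking to the network, and the Vedesti scheduled task. The following is an added example (not eSentire's code or tooling) that encodes those observations as simple rules and runs them over constructed telemetry records. The event schema (dict fields such as `type`, `image`, `parent_image`, `cmdline`, `dst_ip`), the rule names, and the assumption that Defender is disabled via `Set-MpPreference`/`DisableAntiSpyware` are all assumptions of this example; the write-up only says the malware "disables Defender".

```python
"""Hunting rules for the Redline Stealer / Thunderbird lure chain.

Added example, not eSentire's code. Events are simplified, constructed
telemetry records loosely modelled on Sysmon event types (process creation,
network connection, DNS query, file hash, scheduled task creation); the
field names are assumptions of this example.
"""
from __future__ import annotations

import re

# Indicators and artefacts taken from the write-up
LOOKALIKE_DOMAIN = "thunderbiird.com"
C2_IP = "176.124.216.38"
SETUP_MD5 = "96ec3c5adf2b6ffcc148c79e98a8eec0"
TASK_NAME = "vedesti"
INJECT_TARGET = "jsc.exe"
LURE_FILE = "thunderbirdsetup.exe"

# Assumed Defender-tampering method; the write-up only states "disables Defender".
DEFENDER_TAMPER = re.compile(r"set-mppreference.*-disable|disableantispyware", re.I)
SCHTASKS_NAME = re.compile(r"/tn\s+\"?([^\s\"]+)", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path ('' if path is empty)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(ev: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if nothing fires)."""
    hits: list[str] = []
    kind = ev.get("type")

    if kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q == LOOKALIKE_DOMAIN or q.endswith("." + LOOKALIKE_DOMAIN):
            hits.append("lookalike_thunderbird_domain")

    elif kind == "net":
        if ev.get("dst_ip") == C2_IP:
            hits.append("redline_c2_ip")
        # The JScript compiler has no reason to open sockets; injected Redline does.
        if _basename(ev.get("image", "")) == INJECT_TARGET:
            hits.append("jsc_network_activity")

    elif kind == "file":
        if ev.get("md5", "").lower() == SETUP_MD5:
            hits.append("known_setup_hash")
        if _basename(ev.get("path", "")) == LURE_FILE:
            hits.append("thunderbirdsetup_filename")

    elif kind == "proc":
        image = _basename(ev.get("image", ""))
        parent = _basename(ev.get("parent_image", ""))
        cmd = ev.get("cmdline", "")
        if image == LURE_FILE:
            hits.append("thunderbirdsetup_filename")
        # Renamed AutoIT interpreter dropped to disk as *.exe.pif
        if image.endswith(".exe.pif"):
            hits.append("renamed_autoit_pif")
        # Injection host (jsc.exe) started by the AutoIT stage rather than a build tool
        if image == INJECT_TARGET and parent.endswith(".pif"):
            hits.append("jsc_spawned_by_pif")
        if DEFENDER_TAMPER.search(cmd):
            hits.append("defender_tamper")
        # schtasks /create /tn Vedesti ... (persistence)
        m = SCHTASKS_NAME.search(cmd)
        if image == "schtasks.exe" and m and m.group(1).lower() == TASK_NAME:
            hits.append("vedesti_scheduled_task")

    elif kind == "task":
        # Task-creation telemetry reports the task path, e.g. "\Vedesti"
        if ev.get("name", "").strip("\\").lower() == TASK_NAME:
            hits.append("vedesti_scheduled_task")

    return hits


def hunt(events: list[dict]) -> dict[str, int]:
    """Count how often each rule fires across a batch of events."""
    counts: dict[str, int] = {}
    for ev in events:
        for rule in evaluate(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample telemetry following the chain described in the write-up
SAMPLE_EVENTS = [
    {"type": "dns", "query": "thunderbiird.com."},
    {"type": "file", "path": r"E:\thunderbirdsetup.exe", "md5": SETUP_MD5},
    {"type": "proc", "image": r"E:\thunderbirdsetup.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "thunderbirdsetup.exe"},
    {"type": "proc", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe.pif",
     "parent_image": r"E:\thunderbirdsetup.exe", "cmdline": "update.exe.pif script.au3"},
    {"type": "proc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe.pif",
     "cmdline": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"type": "proc", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe.pif", "cmdline": "jsc.exe"},
    {"type": "proc", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe.pif",
     "cmdline": r'schtasks.exe /create /tn Vedesti /tr "C:\Users\alice\AppData\Local\Temp\update.exe.pif" /sc minute /mo 5'},
    {"type": "task", "name": r"\Vedesti"},
    {"type": "net", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe", "dst_ip": C2_IP},
    {"type": "proc", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, n in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{rule:32s} {n}")
```

The atomic indicators (domain, IP, hash, file name) will rot as the actor rotates infrastructure; the behavioural rules (`renamed_autoit_pif`, `jsc_spawned_by_pif`, `jsc_network_activity`, `defender_tamper`) are the ones worth keeping, since a legitimate JScript compiler is never launched by a `.pif` and never needs outbound connections.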

Read more: https://www.esentire.com/blog/redline-stealer-and-mozilla-thunderbird