RedLine Stealer Campaign Using Binance Mystery Box Videos to Spread GitHub-Hosted Payload

RedLine Stealer campaign analyzed by Netskope Threat Labs shows attackers using YouTube videos to lure victims into downloading a fake Binance NFT Mystery Box bot hosted on GitHub, which leads to a multi-stage RedLine payload. The write-up details loader stages, sandbox evasion, decryption, process injection, and extensive indicators and related files. #RedLineStealer #BinanceNFT

Keypoints

  • RedLine Stealer is a credential-stealing malware that harvests browser data, Discord/Telegram data, VPN/FTP credentials, and more.
  • The campaign spreads via YouTube videos that entice viewers to download a fake Binance NFT Mystery Box bot hosted on GitHub.
  • All five YouTube videos point to the same GitHub URL, which serves the loader package BinanceNFT.bot v.1.3.zip; the ZIP contains the stage 01 loader BinanceNFT.bot v.1.3.exe and VC_redist.x86.exe.
  • The stage 01 loader runs a Sleep/GetTickCount timing check to detect sandboxes that shorten or skip sleeps, then decrypts the next stage with a rolling XOR using the key “OdoAAtK”.
  • The stage 02 payload is a .NET RedLine Stealer. It compares the victim's region against a country blocklist and exits on a match; its configuration is stored as base64-encoded, XOR-encrypted strings, and decrypting them with the key “Wombles” reveals the C2 address and the ID.
  • Five distinct loaders and four distinct payloads were found in the NFTSupp/NFTBOT GitHub repository; some loaders carry digital signatures attributed to NordVPN S.A. and EasyAntiCheat Oy, and one injects its payload into AppLaunch.exe rather than RegSvcs.exe.
  • IOCs, Yara rules, and additional indicators are available in the linked GitHub repository.
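The two decryption layers described above, as an added example that is not Netskope's script and not the malware's own code: the rolling XOR with “OdoAAtK” that yields stage 02, and the base64-then-XOR configuration with “Wombles” that yields the C2 address and ID. It assumes the rolling XOR is a plain repeating key (key byte at offset i mod key length); the ciphertexts are constructed here with that scheme, not taken from the sample. The known-plaintext key recovery goes beyond the write-up and shows how an analyst recovers such a key when only the ciphertext and an expected PE header are known.

```python
"""Repeating-key XOR decryption for the two layers the write-up describes:
stage 1 -> stage 2 with the key "OdoAAtK", and the RedLine configuration
(base64, then XOR) with the key "Wombles".

Added example, not Netskope's script or the malware's code. Assumption: the
"rolling XOR" is a plain repeating key, key[i % len(key)]; the ciphertexts
below are constructed here with that scheme so the demo runs offline."""
import base64
from typing import Dict

STAGE1_KEY = b"OdoAAtK"   # key quoted in the write-up for the stage 2 blob
CONFIG_KEY = b"Wombles"   # key quoted in the write-up for the configuration


def rolling_xor(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same offset modulo the key length.
    The operation is its own inverse, so it both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_stage2(blob: bytes) -> bytes:
    """Stage 1 -> stage 2: a raw XOR over the embedded blob."""
    return rolling_xor(blob, STAGE1_KEY)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check for a decrypted stage: a PE file starts with the 'MZ' DOS stub."""
    return len(data) >= 0x40 and data[:2] == b"MZ"


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery for a repeating XOR key: if the next stage is a PE,
    its DOS header is predictable, so ciphertext XOR plaintext yields the key."""
    if len(ciphertext) < key_len or len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def decrypt_config_value(encoded: str, key: bytes = CONFIG_KEY) -> str:
    """Configuration field: base64 text -> XOR with the key -> UTF-8 string.
    validate=True makes malformed input fail loudly instead of decoding garbage."""
    raw = base64.b64decode(encoded, validate=True)
    return rolling_xor(raw, key).decode("utf-8")


def decrypt_config(config: Dict[str, str]) -> Dict[str, str]:
    """Decrypt every field of a base64+XOR configuration dictionary."""
    return {name: decrypt_config_value(value) for name, value in config.items()}


def encode_config_value(plain: str, key: bytes = CONFIG_KEY) -> str:
    """Inverse of decrypt_config_value, used only to build the constructed sample."""
    return base64.b64encode(rolling_xor(plain.encode("utf-8"), key)).decode("ascii")


# Constructed sample data (not bytes from the real loader): a minimal fake DOS header
# as the "stage 2", and a configuration pointing at an RFC 5737 documentation address.
FAKE_STAGE2 = b"MZ" + b"\x90" * 0x3E + b"PE\x00\x00"
ENCRYPTED_STAGE2 = rolling_xor(FAKE_STAGE2, STAGE1_KEY)
SAMPLE_CONFIG = {
    "IP": encode_config_value("192.0.2.10:1337"),
    "ID": encode_config_value("example_build"),
}

if __name__ == "__main__":
    stage2 = decrypt_stage2(ENCRYPTED_STAGE2)
    print("stage 2 is PE:", looks_like_pe(stage2))
    print("recovered key:", recover_key(ENCRYPTED_STAGE2, FAKE_STAGE2, len(STAGE1_KEY)))
    print("config:", decrypt_config(SAMPLE_CONFIG))
```

In practice the stage 02 blob is carved from the loader at the offset the analyst identifies in the debugger, and the known-plaintext trick works because the first bytes of a PE DOS header barely vary between compilers; if the recovered key does not repeat cleanly across the header, the scheme is not a plain repeating XOR and the assumption above does not hold.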

MITRE Techniques

  • [T1566] Phishing – The campaign lures victims via YouTube videos that lead to a GitHub-hosted fake bot. ‘The malware is spread through YouTube videos that lure victims into downloading a fake bot to automatically buy Binance NFT Mystery Boxes.’
  • [T1105] Ingress Tool Transfer – The infection chain starts by fetching the loader package from GitHub. ‘All the videos we found are pointing to the same GitHub URL, downloading a file named “BinanceNFT.bot v.1.3.zip”.’
  • [T1027] Obfuscated Files or Information – The next stage and the shellcode are decrypted with a rolling XOR key. ‘decrypts the next stage using a simple rolling XOR algorithm with “OdoAAtK” as the key.’
  • [T1055] Process Injection – The final payload is injected into RegSvcs.exe, a .NET Framework utility. ‘the payload is injected to “RegSvcs.exe” using a simple process injection technique, similar to RunPE.’
  • [T1055.012] Process Injection: Process Hollowing – The RunPE-style injection into RegSvcs.exe is a process-hollowing variant; before reaching it, the loader runs a decrypted shellcode stage. ‘Then, it executes a shellcode, which is decrypted using the same algorithm.’
  • [T1497] Virtualization/Sandbox Evasion – A Sleep/GetTickCount timing check detects sandboxes that shorten or skip sleeps. ‘The loader tries to delay the execution by 15 seconds and compares the timestamp (GetTickCount) before and after the Sleep API execution. If the elapsed time is less than 15 seconds, it exits the process.’
  • [T1071] Application Layer Protocol – The C2 address is recovered from the base64-encoded, XOR-encrypted configuration. ‘The decryption key used by this sample is “Wombles”, and we can use a simple Python script to retrieve the C2 address value.’
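The timing check quoted under T1497, reimplemented as an added example (not the loader's code) so it can be run outside Windows: read the tick counter, sleep, read it again, and treat an elapsed time shorter than the requested delay as a sandbox. It assumes GetTickCount and Sleep can be modelled as injectable callables, stood in for on a real host by time.monotonic() and time.sleep(); the sandbox behaviours and the counter-wrap host are constructed models, included to show what the check catches and what it misses.

```python
"""The stage 1 loader's timing check, as the write-up describes it: read the tick
counter, Sleep for 15 s, read it again, and exit if less than 15 s elapsed. A sandbox
that hooks Sleep to return early fails the check.

Added example, not the loader's code. Assumptions: GetTickCount and Sleep are modelled
as injectable callables so the check can be run against constructed environments
without a 15 s wait; on the real host they are stood in for by time.monotonic() and
time.sleep()."""
import time
from typing import Callable, Dict, Tuple

TickFn = Callable[[], int]
SleepFn = Callable[[int], None]
TICK_MASK = 0xFFFFFFFF   # GetTickCount is a 32-bit millisecond counter that wraps


def sleep_was_skipped(delay_ms: int, tick_ms: TickFn, sleep_ms: SleepFn) -> bool:
    """The loader's check. True means the environment returned from the sleep early,
    which the malware treats as evidence of a sandbox and exits."""
    before = tick_ms()
    sleep_ms(delay_ms)
    after = tick_ms()
    elapsed = (after - before) & TICK_MASK   # mask keeps a counter wrap from looking like a skip
    return elapsed < delay_ms


# Real host: a monotonic clock and a blocking sleep.
def real_tick_ms() -> int:
    return int(time.monotonic() * 1000)


def real_sleep_ms(ms: int) -> None:
    time.sleep(ms / 1000)


# Constructed environments (models, not real sandbox code).
def skipping_sandbox() -> Tuple[TickFn, SleepFn]:
    """Sandbox that hooks Sleep to return immediately but leaves the clock untouched.
    This is the behaviour the loader's check is designed to catch."""
    return real_tick_ms, lambda ms: None


def fastforward_sandbox() -> Tuple[TickFn, SleepFn]:
    """Sandbox that skips the sleep and also advances its virtual clock by the requested
    amount. The loader's check cannot distinguish it from a real machine, which is why
    a Sleep/GetTickCount delta on its own is a weak evasion."""
    state = {"now": 0}

    def tick() -> int:
        return state["now"]

    def sleep(ms: int) -> None:
        state["now"] += ms

    return tick, sleep


def wrapping_host(delay_ms: int) -> Tuple[TickFn, SleepFn]:
    """Real machine whose 32-bit tick counter wraps (after about 49.7 days of uptime)
    in the middle of the sleep. Without the mask this would be a false positive."""
    state = {"now": TICK_MASK - delay_ms // 2}

    def tick() -> int:
        return state["now"]

    def sleep(ms: int) -> None:
        state["now"] = (state["now"] + ms) & TICK_MASK

    return tick, sleep


def run_all(delay_ms: int = 15000) -> Dict[str, bool]:
    """Outcome of the check in each constructed environment; the loader uses 15000 ms."""
    return {
        "skipping_sandbox": sleep_was_skipped(delay_ms, *skipping_sandbox()),
        "fastforward_sandbox": sleep_was_skipped(delay_ms, *fastforward_sandbox()),
        "wrapping_host": sleep_was_skipped(delay_ms, *wrapping_host(delay_ms)),
    }


if __name__ == "__main__":
    print(run_all())
    print("real host, 50 ms:", sleep_was_skipped(50, real_tick_ms, real_sleep_ms))
```

For an analyst the practical consequence is the inverse of the malware's: a sandbox that merely patches Sleep is detected, one that also advances its clock is not, and a debugger run can simply patch the comparison or let the 15 s pass.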

Indicators of Compromise

  • [File name] BinanceNFT.bot v.1.3.zip – loader package downloaded from GitHub; contains the stage 01 loader BinanceNFT.bot v.1.3.exe
  • [File name] VC_redist.x86.exe – Microsoft Visual C++ Redistributable installer bundled in the ZIP alongside the loader
  • [File name] LauncherPatcher.exe – original filename recorded in the loader's version information
  • [File name] AppLaunch.exe, RegSvcs.exe – .NET Framework executables used as injection targets
  • [Archive] 45.rar, Upload.Openbot.rar – password-protected compressed files in NFTBOT repo
  • [Digital Signature] NordVPN S.A., EasyAntiCheat Oy – signer names carried by some loaders, which helps them evade some AV engines
  • [Repository] NFTSupp/NFTBOT on GitHub – hosts the loaders and payloads
  • [Blocklisted Countries] Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Ukraine, Uzbekistan – the stage 02 payload exits if the victim's region matches
  • [Country Check] RegionInfo.EnglishName (.NET) compared against the blocklist
  • [Configuration] Base64-encoded, XOR-encrypted strings with key “Wombles”; decryption reveals the C2 address and ID
  • [Credential/Data] Discord tokens among the data stolen by RedLine Stealer

Read more: https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload