Redline Stealer has re-emerged with new TTPs. This detection write-up details its infection chain, data-theft capabilities, and persistence mechanisms: how the malware spreads, what data it targets, and the indicators security teams can monitor. #RedlineStealer #CiscoTalos #NordVPN
Key points
- Redline Stealer is a credential-stealing malware that can bypass antivirus and remain undetected for extended periods.
- Discovered in 2018 by Cisco Talos, it has evolved into a more sophisticated threat targeting individuals and organizations globally.
- Distribution methods include phishing emails, malicious websites, or exploitation of software vulnerabilities.
- The malware drops into the Windows temp directory and creates a multi-stage payload, checking browser cookies and software uninstall entries during initial execution.
- Capabilities include keylogging, clipboard monitoring, browser history tracking, screenshots, and webcam capture, with data exfiltrated to a remote C2 server.
- Persistence is achieved through registry modifications, scheduled tasks (every minute), and permission changes via icacls.
- Final stage involves a launcher (AppLaunch.exe) that steals browser data and communicates back to CNC servers (e.g., 176.113.115.17:4132).
- Indicators of compromise include specific IPs and a SHA-256 hash associated with the malware payload.
MITRE Techniques
- [T1566.001] Phishing – The malware is typically distributed through phishing emails, malicious websites, or via software vulnerabilities. Quote: ‘The malware is typically distributed through phishing emails, malicious websites, or via software vulnerabilities.’
- [T1053.005] Scheduled Task – The malware uses Windows Task Scheduler to run malicious binaries on a schedule (every minute). Quote: ‘takes task scheduler to run the specific malicious file under temp folder for every 5 minutes “C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR “C:\Users\admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe” /F”’
- [T1112] Modify Registry – The malware modifies registry values as part of persistence. Quote: ‘Next stage it modifies the registry values. below registry key is modified.’
- [T1012] Query Registry – It searches registry keys to identify installed software. Quote: ‘search for installed softwares in registry keys “HKEY_LOCAL_MACHINE…UNINSTALL{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}”’
- [T1105] Ingress Tool Transfer – It downloads a malicious DLL (clip64.dll) and stores it in a roaming path. Quote: ‘downloaded in the folder “C:\Users\admin\AppData\Roaming\c1ec479e5342a2\clip64.dll”’
- [T1555.003] Credentials from Web Browsers – It collects browser data and VPN credentials such as NordVPN. Quote: ‘collect the credential from web browser “C:\Users\admin\AppData\Roaming\FileZilla\recentservers.xml” and also looking for VPN credentials “C:\Users\admin\AppData\Local\NordVPN”’
- [T1056.001] Keylogging – The malware performs keylogging as part of its data theft. Quote: ‘keylogging, clipboard monitoring, and browser history tracking’
- [T1113] Screen Capture – It can take screenshots. Quote: ‘take screenshots and capture webcam footage, providing attackers with a wealth of information about a victim’s online activities.’
- [T1125] Video Capture – It captures webcam footage. Quote: ‘take screenshots and capture webcam footage’
- [T1041] Exfiltration Over C2 Channel – It exfiltrates data to CNC servers. Quote: ‘connects to the CNC server “193.233.20.13” with the destination port number “55871”’
- [T1222] File and Directory Permissions Modification – It modifies file permissions via icacls. Quote: ‘Windows inbuilt utility “icacls.exe” is used to modify the file permission’
Indicators of Compromise
- [IP] 193.233.20.13, 176.113.115.17, 193.233.20.2
- [Hash] 3854f7f1fcb2dd48a235e69be3a7618bec6faf676c8af4fc3ad1d253dc653591
- [File Name] mnolyk.exe, clip64.dll
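The following Python script is an added example, not code from the article or from socinvestigation: it turns the MITRE techniques and indicators listed above into detection logic run over constructed, Sysmon-style event lines. The pipe-separated `key=value` line format, the field names (`CommandLine`, `DestinationIp`, `TargetFilename`), the AppLaunch.exe path, the icacls arguments and the benign sample events are all assumptions made for the example; the C2 IPs, SHA-256 hash, file names and the schtasks command line come from the page.

```python
"""Detection sketch for the RedLine Stealer TTPs and IOCs summarised above.

Added example (not from the original article). The event lines are
constructed to resemble Sysmon process/network/file events; the line
format and field names are assumptions, the indicators are from the page.
"""
import hashlib
import re

# Indicators of compromise listed on the page
C2_IPS = {"193.233.20.13", "176.113.115.17", "193.233.20.2"}
PAYLOAD_SHA256 = "3854f7f1fcb2dd48a235e69be3a7618bec6faf676c8af4fc3ad1d253dc653591"
IOC_FILENAMES = {"mnolyk.exe", "clip64.dll"}

# Behavioural patterns derived from the quoted commands.
# The page quotes "/SC MINUTE /MO 1" but describes it as "every 5 minutes",
# so flag any minute-granularity task at or below this interval.
MAX_INTERVAL_MINUTES = 5
SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b(?P<args>.*)", re.I)
MINUTE_INTERVAL_RE = re.compile(r"/sc\s+minute\b.*?/mo\s+(?P<n>\d+)", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
ICACLS_RE = re.compile(r"\bicacls(?:\.exe)?\b", re.I)

# Constructed sample events (assumed format: pipe-separated key=value fields)
SAMPLE_EVENTS = [
    # T1053.005: the schtasks command line quoted on the page
    r'Event=ProcessCreate|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks.exe /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F',
    # T1222: icacls on the dropped folder (arguments are a constructed placeholder)
    r'Event=ProcessCreate|Image=C:\Windows\System32\icacls.exe|CommandLine=icacls.exe "C:\Users\admin\AppData\Local\Temp\4b9a106e76" /grant Everyone:F',
    # T1041: the launcher contacting a listed C2 (AppLaunch.exe path is assumed)
    r'Event=NetworkConnect|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe|DestinationIp=176.113.115.17|DestinationPort=4132',
    # Benign: a daily task from Program Files should not fire
    r'Event=ProcessCreate|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"',
    # Benign: ordinary HTTPS traffic to a documentation-range address
    r'Event=NetworkConnect|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationIp=203.0.113.10|DestinationPort=443',
    # T1105: the DLL written to the roaming path quoted on the page
    r'Event=FileCreate|TargetFilename=C:\Users\admin\AppData\Roaming\c1ec479e5342a2\clip64.dll',
]


def parse_event(line):
    """Split one 'k=v|k=v' line into a dict (first '=' separates key and value)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def detect(event):
    """Return a list of (technique_id, reason) tuples for one parsed event."""
    findings = []
    kind = event.get("Event")
    if kind == "ProcessCreate":
        cmd = event.get("CommandLine", "")
        task = SCHTASKS_RE.search(cmd)
        if task:
            interval = MINUTE_INTERVAL_RE.search(task.group("args"))
            # Minute-interval task whose action lives in a user-writable directory
            if (interval and int(interval.group("n")) <= MAX_INTERVAL_MINUTES
                    and USER_WRITABLE_RE.search(cmd)):
                findings.append(("T1053.005",
                                 f"task repeating every {interval.group('n')} min "
                                 "runs a binary from Temp/Roaming"))
        if ICACLS_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
            findings.append(("T1222", "icacls changing permissions under Temp/Roaming"))
    elif kind == "NetworkConnect":
        ip = event.get("DestinationIp")
        if ip in C2_IPS:
            findings.append(("T1041",
                             f"connection to listed C2 {ip}:{event.get('DestinationPort')}"))
    elif kind == "FileCreate":
        name = event.get("TargetFilename", "").rsplit("\\", 1)[-1].lower()
        if name in IOC_FILENAMES:
            findings.append(("T1105", f"IOC file name written: {name}"))
    return findings


def scan(lines):
    """Run detect() over raw event lines and collect findings with their source line."""
    results = []
    for line in lines:
        for technique, reason in detect(parse_event(line)):
            results.append({"technique": technique, "reason": reason, "line": line})
    return results


def matches_payload_hash(data):
    """True if the given file bytes hash to the SHA-256 IOC from the page."""
    return hashlib.sha256(data).hexdigest() == PAYLOAD_SHA256


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['technique']}] {hit['reason']}")
```

Running the script prints one line per finding; the two benign events produce nothing. On a real host the same patterns map onto Sysmon event IDs 1 (process creation), 3 (network connection) and 11 (file create), and the hash check would be applied to files found under the Temp and Roaming paths the page names.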
Read more: https://www.socinvestigation.com/redline-stealer-returns-with-new-ttps-detection-response/