cyberint.com
Open in
urlscan Pro
141.193.213.10
Public Scan
Submitted URL: https://salesloft.cyberint.com/t/104577/c/94c33c5e-15b2-4179-ad5a-c66b99f19463/NB2HI4DTHIXS6Y3ZMJSXE2LOOQXGG33NF5RGY33HF5ZGK43F...
Effective URL: https://cyberint.com/blog/research/redline-stealer/?sbrc=13ONARo7IY7dEZoQYo0H67A%3D%3D%24W4yDAhXaxNREPnxloxPuAw%3D%3D
Submission: On April 29 via api from US — Scanned from DE
Effective URL: https://cyberint.com/blog/research/redline-stealer/?sbrc=13ONARo7IY7dEZoQYo0H67A%3D%3D%24W4yDAhXaxNREPnxloxPuAw%3D%3D
Submission: On April 29 via api from US — Scanned from DE
Form analysis 1 forms found in the DOM
POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/2034462/230c9049-7f32-4103-afb0-7c165de6f8f1
<form novalidate="" accept-charset="UTF-8" action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/2034462/230c9049-7f32-4103-afb0-7c165de6f8f1" enctype="multipart/form-data" id="hsForm_230c9049-7f32-4103-afb0-7c165de6f8f1"
method="POST" class="hs-form stacked hs-form-private hsForm_230c9049-7f32-4103-afb0-7c165de6f8f1 hs-form-230c9049-7f32-4103-afb0-7c165de6f8f1 hs-form-230c9049-7f32-4103-afb0-7c165de6f8f1_ee2b6a87-fb76-4d4a-9cfc-5130f6b5bfb4"
data-form-id="230c9049-7f32-4103-afb0-7c165de6f8f1" data-portal-id="2034462" target="target_iframe_230c9049-7f32-4103-afb0-7c165de6f8f1" data-reactid=".hbspt-forms-0">
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field" data-reactid=".hbspt-forms-0.1:$0"><label id="label-email-230c9049-7f32-4103-afb0-7c165de6f8f1" class="" placeholder="Enter your " for="email-230c9049-7f32-4103-afb0-7c165de6f8f1"
data-reactid=".hbspt-forms-0.1:$0.0"><span data-reactid=".hbspt-forms-0.1:$0.0.0"></span></label>
<legend class="hs-field-desc" style="display:none;" data-reactid=".hbspt-forms-0.1:$0.1"></legend>
<div class="input" data-reactid=".hbspt-forms-0.1:$0.$email"><input id="email-230c9049-7f32-4103-afb0-7c165de6f8f1" class="hs-input" type="email" name="email" required="" placeholder="Your email here*" value="" autocomplete="email"
data-reactid=".hbspt-forms-0.1:$0.$email.0" inputmode="email"></div>
</div>
<div class="legal-consent-container" data-reactid=".hbspt-forms-0.2">
<div class="hs-richtext" data-reactid=".hbspt-forms-0.2.0">
<p>I agree to Cyberint's <a href="https://cyberint.com/terms-conditions/" target="_blank" rel="noopener">Terms of Use</a> and <a href="https://cyberint.com/privacy-policy/" target="_blank" rel="noopener">Privacy Policy</a></p>
</div>
<div data-reactid=".hbspt-forms-0.2.1:0">
<div class="hs-dependent-field" data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128">
<div class="hs_LEGAL_CONSENT.subscription_type_944128 hs-LEGAL_CONSENT.subscription_type_944128 hs-fieldtype-booleancheckbox field hs-form-field"
data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128">
<legend class="hs-field-desc" style="display:none;" data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.1"></legend>
<div class="input" data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128">
<ul class="inputs-list" required="" data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.0">
<li class="hs-form-booleancheckbox" data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.0.0"><label
for="LEGAL_CONSENT.subscription_type_944128-230c9049-7f32-4103-afb0-7c165de6f8f1" class="hs-form-booleancheckbox-display"
data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.0.0.0"><input
id="LEGAL_CONSENT.subscription_type_944128-230c9049-7f32-4103-afb0-7c165de6f8f1" class="hs-input" type="checkbox" name="LEGAL_CONSENT.subscription_type_944128" value="true"
data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.0.0.0.0"><span
data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.0.0.0.1">
<p>I agree to subscribe to receive updates from Cyberint</p><span class="hs-form-required">*</span>
</span></label></li>
</ul>
</div>
</div>
</div>
<legend class="hs-field-desc checkbox-desc" style="display:none;" data-reactid=".hbspt-forms-0.2.1:0.1"></legend>
</div>
</div>
<div class="hs_recaptcha hs-recaptcha field hs-form-field" data-reactid=".hbspt-forms-0.3">
<div class="input" data-reactid=".hbspt-forms-0.3.0">
<div class="grecaptcha-badge" data-style="inline" style="width: 256px; height: 60px; box-shadow: gray 0px 0px 5px;">
<div class="grecaptcha-logo"><iframe title="reCAPTCHA"
src="https://www.google.com/recaptcha/enterprise/anchor?ar=1&k=6Ld_ad8ZAAAAAAqr0ePo1dUfAi0m4KPkCMQYwPPm&co=aHR0cHM6Ly9jeWJlcmludC5jb206NDQz&hl=de&v=2W_gRz39xX8G13fM-OdyQPlc&size=invisible&badge=inline&cb=hlpq1go0qkts"
width="256" height="60" role="presentation" name="a-1c31hqivhnpq" frameborder="0" scrolling="no" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-top-navigation allow-modals allow-popups-to-escape-sandbox"></iframe>
</div>
<div class="grecaptcha-error"></div><textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response"
style="width: 250px; height: 40px; border: 1px solid rgb(193, 193, 193); margin: 10px 25px; padding: 0px; resize: none; display: none;"></textarea>
</div><iframe style="display: none;"></iframe>
</div><input type="hidden" name="g-recaptcha-response" id="hs-recaptcha-response" value="" data-reactid=".hbspt-forms-0.3.1">
</div>
<div class="hs_submit hs-submit" data-reactid=".hbspt-forms-0.5">
<div class="hs-field-desc" style="display:none;" data-reactid=".hbspt-forms-0.5.0"></div>
<div class="actions" data-reactid=".hbspt-forms-0.5.1"><input type="submit" value="subscribe " class="hs-button primary large" data-reactid=".hbspt-forms-0.5.1.0"></div>
</div><noscript data-reactid=".hbspt-forms-0.6"></noscript><input name="hs_context" type="hidden"
value="{"rumScriptExecuteTime":1145.0999999046326,"rumServiceResponseTime":1526.3999999761581,"rumFormRenderTime":1.7999999523162842,"rumTotalRenderTime":1529.2999999523163,"rumTotalRequestTime":354.39999997615814,"legalConsentOptions":"{\"legitimateInterestSubscriptionTypes\":[944128],\"communicationConsentCheckboxes\":[{\"communicationTypeId\":944128,\"label\":\"<p>I agree to subscribe to receive updates&nbsp; from Cyberint</p>\",\"required\":true}],\"legitimateInterestLegalBasis\":\"LEGITIMATE_INTEREST_PQL\",\"communicationConsentText\":\"<p>I agree to Cyberint's <a href=\\\"https://cyberint.com/terms-conditions/\\\" target=\\\"_blank\\\" rel=\\\"noopener\\\">Terms of Use</a> and <a href=\\\"https://cyberint.com/privacy-policy/\\\" target=\\\"_blank\\\" rel=\\\"noopener\\\">Privacy Policy</a></p>\",\"processingConsentType\":\"IMPLICIT\",\"processingConsentCheckboxLabel\":\"<p>I agree</p>\",\"isLegitimateInterest\":false}","renderRawHtml":"true","embedAtTimestamp":"1651241807820","formDefinitionUpdatedAt":"1650956991630","pageUrl":"https://cyberint.com/blog/research/redline-stealer/?sbrc=13ONARo7IY7dEZoQYo0H67A%3D%3D%24W4yDAhXaxNREPnxloxPuAw%3D%3D","pageTitle":"Redline Stealer - Cyberint","source":"FormsNext-static-5.483","sourceName":"FormsNext","sourceVersion":"5.483","sourceVersionMajor":"5","sourceVersionMinor":"483","timestamp":1651241807820,"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","originalEmbedContext":{"region":"na1","portalId":"2034462","formId":"230c9049-7f32-4103-afb0-7c165de6f8f1","target":"#hbspt-form-1651241807525-446907762"},"boolCheckBoxFields":"LEGAL_CONSENT.subscription_type_944128","urlParams":{"sbrc":"13ONARo7IY7dEZoQYo0H67A==$W4yDAhXaxNREPnxloxPuAw=="},"renderedFieldsIds":["email","LEGAL_CONSENT.subscription_type_944128"],"formTarget":"#hbspt-form-1651241807525-446907762","correlationId":"65c3e9c9-7298-4559-8f1f-41fe718716ca","contentType":"blog-post","hutk":"532394b210a245c03994d3a852660d91","captchaStatus":"LOADED"}"
data-reactid=".hbspt-forms-0.7"><iframe name="target_iframe_230c9049-7f32-4103-afb0-7c165de6f8f1" style="display:none;" data-reactid=".hbspt-forms-0.8"></iframe>
</form>Text Content
We use cookies to enhance your experience while on our website, serve
personalized content, provide social media features and to optimize our traffic.
By continuing to browse the site you are agreeing to our use of cookies. Privacy
Policy
Yeah, sure I accept! No thanks
* Skip to Main Menu
* Skip to Main Content
* Skip to Footer
* Platform
* Attack Surface Management
* Threat Intelligence
* Deep & Dark Web
* Phishing Detection
* Forensic Canvas
* Social Media Monitoring
* Dashboard & Reports
* Services
* Virtual HumINT Operations
* Deep Cyber Investigations
* Threat Landscape Analysis
* Attack Simulation
* Takedowns & Remediation
* 3rd Party Cyber Risk
* Solutions
* USE CASES
* Phishing
* Attackware
* Brand
* Data & Ransomware
* Fraud
* Digital Footrprint
* BY ROLE
* Information Security
* C-Suite
* Marketing
* Industries
* Financial Services
* Retail & eCommerce
* Media & Gaming
* Healthcare
* Digital Enterprises
* Company
* About Us
* Contact Us
* Careers
* Events
* News
* Press Releases
* Resources
* Partners
* Blog
SupportGet a Demo
Get a Demo
* Platform
* Attack Surface Management
* Threat Intelligence
* Deep & Dark Web
* Phishing Detection
* Forensic Canvas
* Social Media Monitoring
* Dashboard & Reports
* Services
* Virtual HumINT Operations
* Deep Cyber Investigations
* Threat Landscape Analysis
* Attack Simulation
* Takedowns & Remediation
* 3rd Party Cyber Risk
* Solutions
* USE CASES
* Phishing
* Attackware
* Brand
* Data & Ransomware
* Fraud
* Digital Footrprint
* BY ROLE
* Information Security
* C-Suite
* Marketing
* Industries
* Financial Services
* Retail & eCommerce
* Media & Gaming
* Healthcare
* Digital Enterprises
* Company
* About Us
* Contact Us
* Careers
* Events
* News
* Press Releases
* Resources
* Partners
* Blog
Support
BlogResearch Redline Stealer
Research
REDLINE STEALER
Aug 18, 2021
Share on Facebook Share on Twitter Share on LinkedIn Share on WhatsApp Share by
Email
INTRODUCTION
First observed in 2020 and advertised on various cybercriminal forums as a
‘Malware-as-a-Service’ (MaaS) threat, Redline is an information stealer mainly
targeting Windows’ victim credentials and cryptocurrency wallets, as well as
Browser information, FTP connections, game chat launchers, and OS information
such as system hardware, processes names, time zone, IP, geolocation
information, OS version, and default language.
Over the past year, Redline was added with additional features and is capable to
load other malware software and run commands while periodically sending updates
to its C2 of new information related to the infected host.
Lacking an out-of-the-box distribution method, recently observed Redline
incidents appear to begin with the delivery of malicious document attachments
sent via an indiscriminate unsolicited email (malspam) campaign, Twitter, and
Instagram Direct Messaging. Mostly targeting service or content providers
individuals such as 3D artists and streamers, financial advisers, and more based
mostly in North America and Europe.
As for this moment, Redline can be purchased through Redline telegram official
channel (Figure 1), when offering a monthly, weekly, and lifetime subscription
for the prices of 100$, 150$, and 800$ respectively, paid in Bitcoin, Ethereum,
XMR, LTC, and USDT.
Figure 1: Redline Telegram official channel.
Using third-party tools to deploy the threat, such as cryptors or packers to
thwart signature-based detection is no concern for the threat actors as the
subscription comes with free cryptor as a package (Figure 2).
Figure 2: Redline purchases options.
Those tools are praised for the high level of service, and their management
dashboard, much like the malware element, is reportedly straightforward to use.
Notably, based on the analysis of recent samples and a changelog posted on the
threat actor’s Telegram channel, the most recent release of Redline is version
20.2 (Figure 3) and introduced support for additional stolen data management
options, notification management, logging, and bugs fixed which indicates the
dedication and ongoing development of the product.
Figure 3: Redline 20.2 release notes
REDLINE CONTROL PANEL
Redline subscribers have access to a local control panel from which they can
generate and/or manage campaign configurations, build Redline malware payloads,
and view data stolen from victims.
Displayed in English by default, visitors to the control panel are prompted to
login using the username and password (Figure 4) they presumably received when
subscribing.
Figure 4: Redline Login window.
Credential verification is done via SOAP over HTTP POST request to a centralized
authentication server stored in licensechecklive[.]xyz:8778. The request is
uploaded to /IMainServer path with the attached SOAP envelope, containing the
encoded login information and subscription ID (Figure 5).
Figure 5: Redline Dashboard login attempt.
Although access to this control panel requires an active Redline subscription
and credentials, cracked versions of Redline dashboard has been leaked on
several underground forums and git repositories over the last 6 months,
providing the ability to use the dashboard to create and monitor Redline builds
without the initial investment, causing this threat to become even more popular
(Figure 6).
Figure 6: Redline leaked version post.
Notably, the control panel uses XML and text file resources that can be accessed
without authentication and allow some of the current functionality to be
determined. Furthermore, Redline 20.2 package includes text related to the user
FAQ sections, both in English and Russian (Figure 7).
Figure 7: Redline Panel Files List
As mentioned, Redline panel makes use of three resource files for build
operation:
* chromeBrowsers.txt
* geckoBrowsers.txt
* Panel.exe.config
While the text files contain all paths possible for the targeted browsers
information (Figure 8), the main configuration for the stealer itself is
explicit in the config file, such as Grabber functionality regex (Figure 9),
domains relevant for session hijacking (Figure 10), Telegram Bot configuration
for notifications (Figure 11) and applications checklist to steal credentials
from (Figure 12). Notably, the panel can modify the configuration files to fit
the threat actor interest and will be used by the stealer.
Figure 8: Targeted browsers data paths
Figure 9: Regex setting for grabbing txt, doc, key, wallet and seed files.
Figure 10: Domains targeted for session hijacking.
Figure 11: Telegram Bot configuration
Figure 12: Applications, screenshot and FTP credentials grabbing configuration.
Simplicity is the main virtue of Redline. Its control panel contains an
intuitive menu (Figure 13) which its main fields are Logs received from the
stealers, the Builder compiling the stealer’s samples, and Loader Tasks, which
enables setting new tasks to the stealers such as running a cmd command,
downloading and executing a file and open a link.
Figure 13: Redline Panel Menu
REDLINE STEALER
COMMAND & CONTROL
Although packing and distribution may vary between Redline stealers, the result
remains the same. Based on the intelligence gathered from the Redline Stealer
control panel and stealers samples found in the wild, on execution, each stealer
attempts to communicate with predefined and hardcoded one or more servers via
SOAP over HTTP POST request for further instructions (Figure 14) by posting to
/Endpoint/EnvironmentSettings.
Figure 14: C2 first connectivity.
In response, the C2 server sends a SOAP envelope XML configuration containing
information for the stealer to search (Figure 15), for example:
* ScanChromeBrowsersPaths and ScanGeckoBrowsersPaths containing paths to
targeted browsers.
* ScanFilesPaths containing file types to look for in the users Desktop and
Documents.
Figure 15: Response instructions from the C2 to the stealer
DATA THEFT
The flexibility of Redline stealer enables the variety of potential content to
steal and is not bound to serve one purpose only. However, the default setting
includes the following as identified from recently analyzed samples:
* Browsers: Google Chrome, Mozilla Firefox, Opera and those that are
Chromium-based including Microsoft Edge.
* Cryptocurrency Wallets: Redline searches for the commonly used filename
wallet.dat
* Hardware information: Processor, Graphic hardware, screen size.
* OS information: Processes, Windows versions, Credentials.
* Geolocation: city, country, zip code and IP using
hxxps://api[.]ip[.]sb/geoip.
Having completed both the data theft and information gathering stages, Redline
generates an exfiltration XML Envelope SOAP message and uploads it to the C2,
without using an encryption method, via an HTTP POST request to the path
/Endpoint/SetEnvironment (Figure 16).
Figure 16: Redline Stealer uploads stolen data to C2
Having completed both the data theft and information gathering stages, Redline
generates an exfiltration XML Envelope SOAP message and uploads it to the C2,
without using an encryption method, via an HTTP POST request to the path
/Endpoint/SetEnvironment (Figure 16).
RECOMMENDATIONS
* Employee security awareness training remains an essential step in helping
them identify and be suspicious of unsolicited emails and phishing campaigns,
unusual communications via social media, especially messages with embedded
links or file attachments that could lead to the deployment of additional
malicious payloads.
* Multi-factor authentication should be implemented wherever possible to limit
the effectiveness of any stolen credentials.
* Employees should be reminded of the risks associated with credential reuse
and weak passwords supported by password policies to encourage best practice.
* Ensure that email security controls are applied to limit the delivery of
potentially malicious attachments or links to end-users, as well as
implementing protocols and security controls such as DKIM, DMARC and SPF.
* Continuous monitoring of unusual endpoint behaviors, such as requests to low
reputation domains, can indicate compromise early.
* Those who are using cryptocurrencies should consider the use of
hardware-based wallets and ensure that payment addresses are verified before
submitting a transaction.
INDICATORS OF COMPROMISE
SHA256 FILES HASHES
The following samples were observed in August 2021 and may be beneficial for
those seeking to further understand the nature of this threat:
* 95f79fdcfb83a5035a2e3fa8621a653a0022925a9d1cb8729b8956db202fc3d8
* 9072f90e16a2357f2d7e34713fe7458e65aae6e77eeb2c67177cf87d145eb1a6
* f224b56301de1b40dd9929e88dacc5f0519723570c822f8ed5971da3e2b88200
* ffee20e0c17936875243ac105258abcf77e70001a0e8adc80aedbc5cfa9a7660
* 88ff40bd93793556764e79cbf7606d4448e935ad5ba53eb9ee6849550d4cba7f
* 6be3a52cd5c077794a03f0596d1cbf3aee2635d268b03b476f6a2eaeb87d411c
DOMAINS
* licensechecklive[.]xyz -License check centralized server, Used for initial
authentication of a Redline control panel user.
URLS
* licensechecklive[.]xyz/IMainServer
IPS
* 185[.]215[.]113[.]114
* 37[.]0[.]8[.]88
* 193[].142[.]59[.]119
* 136[.]144[.]41[.]201
HTTP HEADERS
* SOAPAction: "hxxp://tempuri[.]org/IMainServer/Connect"
* SOAPAction: "hxxp://tempuri[.]org/Endpoint/EnvironmentSettings"
* SOAPAction: "hxxp://tempuri[.]org/Endpoint/SetEnvironment"
* SOAPAction: "hxxp://tempuri[.]org/Endpoint/GetUpdates
REFERENCES
[1] https://github.com/rootpencariilmu/Redlinestealer2020
[2] https://t.me/Redlinesupports_botRedline Stealer
Want to speak to our experts?
Contact us!
Share on Facebook Share on Twitter Share on LinkedIn Share on WhatsApp Share by
Email
RELATED ARTICLES
Research Jan 29, 2021
BABUK LOCKER
Based on observations throughout January, Babuk appears to be an actively
developed threat, likely set...
Research Jan 13, 2021
SOLARLEAKS
A nefarious website was observed on 12 January 2021 and, presumably linked to
the threat...
Research Jan 5, 2021
SOLARWINDS ORION API LFI
This blog provides an update based on recent observations involving SolarWinds
in late December 2020...
Beyond Digital Risk Protection
Contact usSupport
PLATFORM
* Attack Surface Management
* Threat Intelligence
* Deep & Dark Web
* Phishing Detection
* Forensic Canvas
* Dashboard & Reports
* Social Media Monitoring
INDUSTRIES
* Financial Services
* Retail & eCommerce
* Media & Gaming
* Healthcare
* Digital Enterprises
SERVICES
* Virtual HumINT Operations
* Deep Cyber Investigations
* Threat Landscape Analysis
* Attack Simulation
* Takedowns & Remediation
* 3rd Party Cyber Risk
PARTNER
* Partner Network
* Partner Portal
SOLUTIONS
USE CASES
* Phishing
* Attackware
* Brand Protection
* Data & Ransomware
* Fraud
* Digital Footprint
BY ROLE
* Information Security
* C-Suite
* Marketing
COMPANY
* About Us
* Contact Us
* Careers
* Events
* News
* Press Releases
RESOURCES
* Blog
* Case Studies
* Research
* Videos
* Brochures
* Why DRP
HEAR MORE FROM CYBERINT
Subscribe to our newsletter
I agree to Cyberint's Terms of Use and Privacy Policy
* I agree to subscribe to receive updates from Cyberint
*
Cyberint Copyright © All Rights Reserved 2022
* Terms & Conditions
* Privacy Policy
* Site Map