cyberint.com
141.193.213.10
Submitted URL: https://salesloft.cyberint.com/t/104577/c/94c33c5e-15b2-4179-ad5a-c66b99f19463/NB2HI4DTHIXS6Y3ZMJSXE2LOOQXGG33NF5RGY33HF5ZGK43F...
Effective URL: https://cyberint.com/blog/research/redline-stealer/?sbrc=13ONARo7IY7dEZoQYo0H67A%3D%3D%24W4yDAhXaxNREPnxloxPuAw%3D%3D
Submission: On April 29 via api from US — Scanned from DE
Form analysis
1 forms found in the DOM
POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/2034462/230c9049-7f32-4103-afb0-7c165de6f8f1
<form novalidate="" accept-charset="UTF-8" action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/2034462/230c9049-7f32-4103-afb0-7c165de6f8f1" enctype="multipart/form-data" id="hsForm_230c9049-7f32-4103-afb0-7c165de6f8f1"
method="POST" class="hs-form stacked hs-form-private hsForm_230c9049-7f32-4103-afb0-7c165de6f8f1 hs-form-230c9049-7f32-4103-afb0-7c165de6f8f1 hs-form-230c9049-7f32-4103-afb0-7c165de6f8f1_ee2b6a87-fb76-4d4a-9cfc-5130f6b5bfb4"
data-form-id="230c9049-7f32-4103-afb0-7c165de6f8f1" data-portal-id="2034462" target="target_iframe_230c9049-7f32-4103-afb0-7c165de6f8f1" data-reactid=".hbspt-forms-0">
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field" data-reactid=".hbspt-forms-0.1:$0"><label id="label-email-230c9049-7f32-4103-afb0-7c165de6f8f1" class="" placeholder="Enter your " for="email-230c9049-7f32-4103-afb0-7c165de6f8f1"
data-reactid=".hbspt-forms-0.1:$0.0"><span data-reactid=".hbspt-forms-0.1:$0.0.0"></span></label>
<legend class="hs-field-desc" style="display:none;" data-reactid=".hbspt-forms-0.1:$0.1"></legend>
<div class="input" data-reactid=".hbspt-forms-0.1:$0.$email"><input id="email-230c9049-7f32-4103-afb0-7c165de6f8f1" class="hs-input" type="email" name="email" required="" placeholder="Your email here*" value="" autocomplete="email"
data-reactid=".hbspt-forms-0.1:$0.$email.0" inputmode="email"></div>
</div>
<div class="legal-consent-container" data-reactid=".hbspt-forms-0.2">
<div class="hs-richtext" data-reactid=".hbspt-forms-0.2.0">
<p>I agree to Cyberint's <a href="https://cyberint.com/terms-conditions/" target="_blank" rel="noopener">Terms of Use</a> and <a href="https://cyberint.com/privacy-policy/" target="_blank" rel="noopener">Privacy Policy</a></p>
</div>
<div data-reactid=".hbspt-forms-0.2.1:0">
<div class="hs-dependent-field" data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128">
<div class="hs_LEGAL_CONSENT.subscription_type_944128 hs-LEGAL_CONSENT.subscription_type_944128 hs-fieldtype-booleancheckbox field hs-form-field"
data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128">
<legend class="hs-field-desc" style="display:none;" data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.1"></legend>
<div class="input" data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128">
<ul class="inputs-list" required="" data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.0">
<li class="hs-form-booleancheckbox" data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.0.0"><label
for="LEGAL_CONSENT.subscription_type_944128-230c9049-7f32-4103-afb0-7c165de6f8f1" class="hs-form-booleancheckbox-display"
data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.0.0.0"><input
id="LEGAL_CONSENT.subscription_type_944128-230c9049-7f32-4103-afb0-7c165de6f8f1" class="hs-input" type="checkbox" name="LEGAL_CONSENT.subscription_type_944128" value="true"
data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.0.0.0.0"><span
data-reactid=".hbspt-forms-0.2.1:0.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.$LEGAL_CONSENT=1subscription_type_944128.0.0.0.1">
<p>I agree to subscribe to receive updates from Cyberint</p><span class="hs-form-required">*</span>
</span></label></li>
</ul>
</div>
</div>
</div>
<legend class="hs-field-desc checkbox-desc" style="display:none;" data-reactid=".hbspt-forms-0.2.1:0.1"></legend>
</div>
</div>
<div class="hs_recaptcha hs-recaptcha field hs-form-field" data-reactid=".hbspt-forms-0.3">
<div class="input" data-reactid=".hbspt-forms-0.3.0">
<div class="grecaptcha-badge" data-style="inline" style="width: 256px; height: 60px; box-shadow: gray 0px 0px 5px;">
<div class="grecaptcha-logo"><iframe title="reCAPTCHA"
src="https://www.google.com/recaptcha/enterprise/anchor?ar=1&k=6Ld_ad8ZAAAAAAqr0ePo1dUfAi0m4KPkCMQYwPPm&co=aHR0cHM6Ly9jeWJlcmludC5jb206NDQz&hl=de&v=2W_gRz39xX8G13fM-OdyQPlc&size=invisible&badge=inline&cb=hlpq1go0qkts"
width="256" height="60" role="presentation" name="a-1c31hqivhnpq" frameborder="0" scrolling="no" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-top-navigation allow-modals allow-popups-to-escape-sandbox"></iframe>
</div>
<div class="grecaptcha-error"></div><textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response"
style="width: 250px; height: 40px; border: 1px solid rgb(193, 193, 193); margin: 10px 25px; padding: 0px; resize: none; display: none;"></textarea>
</div><iframe style="display: none;"></iframe>
</div><input type="hidden" name="g-recaptcha-response" id="hs-recaptcha-response" value="" data-reactid=".hbspt-forms-0.3.1">
</div>
<div class="hs_submit hs-submit" data-reactid=".hbspt-forms-0.5">
<div class="hs-field-desc" style="display:none;" data-reactid=".hbspt-forms-0.5.0"></div>
<div class="actions" data-reactid=".hbspt-forms-0.5.1"><input type="submit" value="subscribe " class="hs-button primary large" data-reactid=".hbspt-forms-0.5.1.0"></div>
</div><noscript data-reactid=".hbspt-forms-0.6"></noscript><input name="hs_context" type="hidden"
value="{"rumScriptExecuteTime":1145.0999999046326,"rumServiceResponseTime":1526.3999999761581,"rumFormRenderTime":1.7999999523162842,"rumTotalRenderTime":1529.2999999523163,"rumTotalRequestTime":354.39999997615814,"legalConsentOptions":"{\"legitimateInterestSubscriptionTypes\":[944128],\"communicationConsentCheckboxes\":[{\"communicationTypeId\":944128,\"label\":\"<p>I agree to subscribe to receive updates&nbsp; from Cyberint</p>\",\"required\":true}],\"legitimateInterestLegalBasis\":\"LEGITIMATE_INTEREST_PQL\",\"communicationConsentText\":\"<p>I agree to Cyberint's <a href=\\\"https://cyberint.com/terms-conditions/\\\" target=\\\"_blank\\\" rel=\\\"noopener\\\">Terms of Use</a> and <a href=\\\"https://cyberint.com/privacy-policy/\\\" target=\\\"_blank\\\" rel=\\\"noopener\\\">Privacy Policy</a></p>\",\"processingConsentType\":\"IMPLICIT\",\"processingConsentCheckboxLabel\":\"<p>I agree</p>\",\"isLegitimateInterest\":false}","renderRawHtml":"true","embedAtTimestamp":"1651241807820","formDefinitionUpdatedAt":"1650956991630","pageUrl":"https://cyberint.com/blog/research/redline-stealer/?sbrc=13ONARo7IY7dEZoQYo0H67A%3D%3D%24W4yDAhXaxNREPnxloxPuAw%3D%3D","pageTitle":"Redline Stealer - Cyberint","source":"FormsNext-static-5.483","sourceName":"FormsNext","sourceVersion":"5.483","sourceVersionMajor":"5","sourceVersionMinor":"483","timestamp":1651241807820,"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 
Safari/537.36","originalEmbedContext":{"region":"na1","portalId":"2034462","formId":"230c9049-7f32-4103-afb0-7c165de6f8f1","target":"#hbspt-form-1651241807525-446907762"},"boolCheckBoxFields":"LEGAL_CONSENT.subscription_type_944128","urlParams":{"sbrc":"13ONARo7IY7dEZoQYo0H67A==$W4yDAhXaxNREPnxloxPuAw=="},"renderedFieldsIds":["email","LEGAL_CONSENT.subscription_type_944128"],"formTarget":"#hbspt-form-1651241807525-446907762","correlationId":"65c3e9c9-7298-4559-8f1f-41fe718716ca","contentType":"blog-post","hutk":"532394b210a245c03994d3a852660d91","captchaStatus":"LOADED"}"
data-reactid=".hbspt-forms-0.7"><iframe name="target_iframe_230c9049-7f32-4103-afb0-7c165de6f8f1" style="display:none;" data-reactid=".hbspt-forms-0.8"></iframe>
</form>
Text Content
Research
REDLINE STEALER
Aug 18, 2021

INTRODUCTION
First observed in 2020 and advertised on various
cybercriminal forums as a 'Malware-as-a-Service' (MaaS) offering, Redline is an information stealer targeting Windows victims. It collects credentials and cryptocurrency wallets, browser data, FTP connection details, game chat launcher data, and host information such as hardware, process names, time zone, IP address, geolocation, OS version, and default language. Over the past year Redline has gained additional features: it can load other malware and run commands, while periodically reporting new information about the infected host to its C2.

Lacking a built-in distribution method, recently observed Redline incidents appear to begin with malicious document attachments delivered through indiscriminate unsolicited email (malspam) campaigns, Twitter, and Instagram direct messages. Targets are mostly individual service or content providers, such as 3D artists, streamers and financial advisers, based largely in North America and Europe.

At the time of writing, Redline can be purchased through its official Telegram channel (Figure 1), which offers monthly, weekly, and lifetime subscriptions for $100, $150, and $800 respectively, paid in Bitcoin, Ethereum, XMR, LTC, and USDT.

Figure 1: Redline Telegram official channel.

Relying on third-party tools such as cryptors or packers to thwart signature-based detection is no obstacle for the threat actors, since the subscription comes with a free cryptor as part of the package (Figure 2).

Figure 2: Redline purchase options.

These tools are praised for their high level of service, and the management dashboard, much like the malware itself, is reportedly straightforward to use.
Notably, based on analysis of recent samples and a changelog posted on the threat actor's Telegram channel, the most recent release of Redline is version 20.2 (Figure 3). It introduced additional options for managing stolen data, notification management, logging, and bug fixes, which indicates ongoing development of the product.

Figure 3: Redline 20.2 release notes

REDLINE CONTROL PANEL

Redline subscribers have access to a local control panel from which they can generate and manage campaign configurations, build Redline payloads, and view data stolen from victims. The panel is displayed in English by default, and visitors are prompted to log in with the username and password (Figure 4) they presumably received when subscribing.

Figure 4: Redline login window.

Credentials are verified via a SOAP request sent over HTTP POST to a centralized authentication server hosted at licensechecklive[.]xyz:8778. The request is posted to the /IMainServer path with an attached SOAP envelope containing the encoded login information and subscription ID (Figure 5).

Figure 5: Redline dashboard login attempt.

Although access to the control panel requires an active Redline subscription and credentials, cracked versions of the dashboard have been leaked on several underground forums and git repositories over the last six months. These allow anyone to create and monitor Redline builds without the initial investment, which has made the threat even more popular (Figure 6).

Figure 6: Redline leaked version post.

Notably, the control panel uses XML and text file resources that can be read without authentication and reveal some of its current functionality. The Redline 20.2 package also includes the text of the user FAQ sections, in both English and Russian (Figure 7).
Figure 7: Redline panel files list

As mentioned, the Redline panel uses three resource files for the build operation:
* chromeBrowsers.txt
* geckoBrowsers.txt
* Panel.exe.config

The text files list every path from which the targeted browsers' data can be collected (Figure 8), while the main stealer configuration is spelled out in the config file: the Grabber regex (Figure 9), the domains relevant for session hijacking (Figure 10), the Telegram bot configuration for notifications (Figure 11), and the checklist of applications to steal credentials from (Figure 12). The panel can modify these configuration files to fit the threat actor's interests, and the stealer then uses them.

Figure 8: Targeted browser data paths
Figure 9: Regex setting for grabbing txt, doc, key, wallet and seed files.
Figure 10: Domains targeted for session hijacking.
Figure 11: Telegram bot configuration
Figure 12: Application, screenshot and FTP credential grabbing configuration.

Simplicity is Redline's main virtue. Its control panel has an intuitive menu (Figure 13) whose main sections are Logs (data received from the stealers), Builder (compiling stealer samples), and Loader Tasks, which assigns new tasks to the stealers such as running a cmd command, downloading and executing a file, or opening a link.

Figure 13: Redline panel menu

REDLINE STEALER COMMAND & CONTROL

Although packing and distribution vary between Redline samples, the result is the same. Based on intelligence gathered from the Redline control panel and from samples found in the wild, on execution each stealer attempts to contact one or more predefined, hardcoded servers via SOAP over HTTP POST for further instructions (Figure 14), posting to /Endpoint/EnvironmentSettings.

Figure 14: C2 first connectivity.
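To make this exchange concrete, here is an added example (written for this page; it is neither Cyberint's tooling nor code recovered from Redline) that parses the kind of configuration envelope the C2 returns to the check-in request and then works out which files on a victim's Desktop and Documents the file grabber would collect. The element names ScanChromeBrowsersPaths, ScanGeckoBrowsersPaths and ScanFilesPaths are the ones reported in this analysis; the envelope nesting, the tempuri.org namespace (taken from the SOAPAction headers in the IOC section), the `directory|pattern,pattern` layout of each ScanFilesPaths entry, and the sample directory listing are constructed assumptions for the example.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed reply to the /Endpoint/EnvironmentSettings check-in. Only the three
# Scan* element names come from the published analysis; everything else about the
# envelope layout is an assumption made for this example.
SAMPLE_RESPONSE = r"""
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <EnvironmentSettingsResponse xmlns="http://tempuri.org/">
      <EnvironmentSettingsResult xmlns:a="http://schemas.datacontract.org/2004/07/Example">
        <a:ScanChromeBrowsersPaths>
          <a:string>%localappdata%\Google\Chrome\User Data</a:string>
          <a:string>%localappdata%\Microsoft\Edge\User Data</a:string>
        </a:ScanChromeBrowsersPaths>
        <a:ScanGeckoBrowsersPaths>
          <a:string>%appdata%\Mozilla\Firefox\Profiles</a:string>
        </a:ScanGeckoBrowsersPaths>
        <a:ScanFilesPaths>
          <a:string>%userprofile%\Desktop|*.txt,*.doc*,*.key,*wallet*,*seed*</a:string>
          <a:string>%userprofile%\Documents|*.txt,*.doc*,*wallet*</a:string>
        </a:ScanFilesPaths>
      </EnvironmentSettingsResult>
    </EnvironmentSettingsResponse>
  </s:Body>
</s:Envelope>
"""

_TARGET_ELEMENTS = ("ScanChromeBrowsersPaths", "ScanGeckoBrowsersPaths", "ScanFilesPaths")


def _local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_environment_settings(xml_text):
    """Extract the stealer's scan targets from the C2 reply envelope.

    Matching is done on local element names so the parser does not depend on
    the exact namespace prefixes, which are an assumption here anyway.
    """
    root = ET.fromstring(xml_text.strip())
    config = {"chrome_paths": [], "gecko_paths": [], "file_rules": []}
    for el in root.iter():
        name = _local_name(el.tag)
        if name not in _TARGET_ELEMENTS:
            continue
        values = [c.text.strip() for c in el if c.text and c.text.strip()]
        if name == "ScanChromeBrowsersPaths":
            config["chrome_paths"].extend(values)
        elif name == "ScanGeckoBrowsersPaths":
            config["gecko_paths"].extend(values)
        else:
            # Assumed entry layout: "<directory>|<glob>,<glob>,..."
            for entry in values:
                directory, patterns = entry.split("|", 1)
                config["file_rules"].append(
                    (directory, [p.strip() for p in patterns.split(",") if p.strip()])
                )
    return config


def files_that_would_be_grabbed(config, listing):
    """Given a parsed config and a (directory, filename) listing taken from a
    host, return the files the grabber rules would match, in rule order."""
    grabbed = []
    for directory, patterns in config["file_rules"]:
        for entry_dir, filename in listing:
            if entry_dir.lower() != directory.lower():
                continue
            if any(fnmatch.fnmatchcase(filename.lower(), p.lower()) for p in patterns):
                grabbed.append((entry_dir, filename))
    return grabbed


# Constructed directory listing standing in for what an analyst would collect
# from a suspected victim's profile during triage.
SAMPLE_LISTING = [
    (r"%userprofile%\Desktop", "passwords.txt"),
    (r"%userprofile%\Desktop", "holiday.jpg"),
    (r"%userprofile%\Desktop", "metamask-seed-phrase.docx"),
    (r"%userprofile%\Documents", "wallet.dat"),
    (r"%userprofile%\Documents", "notes.txt"),
    (r"%userprofile%\Downloads", "wallet.dat"),  # outside the configured directories
]

if __name__ == "__main__":
    cfg = parse_environment_settings(SAMPLE_RESPONSE)
    print("browser paths:", cfg["chrome_paths"] + cfg["gecko_paths"])
    for d, f in files_that_would_be_grabbed(cfg, SAMPLE_LISTING):
        print("would be exfiltrated:", d + "\\" + f)
```

Running it against the constructed listing flags the two Desktop files and the two Documents files that the patterns cover, and leaves the wallet.dat in Downloads alone because that directory is not in the configuration; during incident triage the same routine, fed the real listing of the affected profile, gives a quick first estimate of what left the host.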
In response, the C2 server returns a SOAP envelope containing an XML configuration that tells the stealer what to search for (Figure 15), for example:
* ScanChromeBrowsersPaths and ScanGeckoBrowsersPaths, containing the paths of the targeted browsers.
* ScanFilesPaths, containing the file types to look for in the user's Desktop and Documents folders.

Figure 15: Response instructions from the C2 to the stealer

DATA THEFT

Redline's flexibility means the content it steals can vary and is not bound to a single purpose. The default configuration identified in recently analyzed samples targets the following:
* Browsers: Google Chrome, Mozilla Firefox, Opera and Chromium-based browsers including Microsoft Edge.
* Cryptocurrency wallets: Redline searches for the commonly used filename wallet.dat.
* Hardware information: processor, graphics hardware, screen size.
* OS information: processes, Windows version, credentials.
* Geolocation: city, country, zip code and IP address, obtained from hxxps://api[.]ip[.]sb/geoip.

Having completed both the data theft and information gathering stages, Redline generates an exfiltration SOAP XML envelope and uploads it to the C2, without any additional encryption, via an HTTP POST request to the path /Endpoint/SetEnvironment (Figure 16). Since the upload is plain HTTP, the stolen content can be read directly from a network capture of the session.

Figure 16: Redline Stealer uploads stolen data to C2

RECOMMENDATIONS
* Employee security awareness training remains essential in helping staff identify and be suspicious of unsolicited emails and phishing campaigns, and of unusual communications via social media, especially messages with embedded links or file attachments that could deploy additional malicious payloads.
* Multi-factor authentication should be implemented wherever possible to limit the effectiveness of any stolen credentials.
* Employees should be reminded of the risks of credential reuse and weak passwords, supported by password policies that encourage best practice.
* Ensure that email security controls are applied to limit the delivery of potentially malicious attachments or links to end users, and implement email authentication protocols such as SPF, DKIM and DMARC.
* Continuous monitoring for unusual endpoint behaviour, such as requests to low-reputation domains, can reveal a compromise early.
* Those who use cryptocurrencies should consider hardware-based wallets and verify payment addresses before submitting a transaction.

INDICATORS OF COMPROMISE

SHA256 FILE HASHES
The following samples were observed in August 2021 and may be useful to those seeking to further understand the nature of this threat:
* 95f79fdcfb83a5035a2e3fa8621a653a0022925a9d1cb8729b8956db202fc3d8
* 9072f90e16a2357f2d7e34713fe7458e65aae6e77eeb2c67177cf87d145eb1a6
* f224b56301de1b40dd9929e88dacc5f0519723570c822f8ed5971da3e2b88200
* ffee20e0c17936875243ac105258abcf77e70001a0e8adc80aedbc5cfa9a7660
* 88ff40bd93793556764e79cbf7606d4448e935ad5ba53eb9ee6849550d4cba7f
* 6be3a52cd5c077794a03f0596d1cbf3aee2635d268b03b476f6a2eaeb87d411c

DOMAINS
* licensechecklive[.]xyz - License check centralized server, used for initial authentication of a Redline control panel user.
URLS
* licensechecklive[.]xyz/IMainServer

IPS
* 185[.]215[.]113[.]114
* 37[.]0[.]8[.]88
* 193[.]142[.]59[.]119
* 136[.]144[.]41[.]201

HTTP HEADERS
* SOAPAction: "hxxp://tempuri[.]org/IMainServer/Connect"
* SOAPAction: "hxxp://tempuri[.]org/Endpoint/EnvironmentSettings"
* SOAPAction: "hxxp://tempuri[.]org/Endpoint/SetEnvironment"
* SOAPAction: "hxxp://tempuri[.]org/Endpoint/GetUpdates"

Note that tempuri.org is the default namespace for .NET WCF services, so a SOAPAction header that merely begins with hxxp://tempuri[.]org/ is not specific to Redline and will also appear in benign .NET traffic. The operation names (IMainServer/Connect, Endpoint/EnvironmentSettings, Endpoint/SetEnvironment, Endpoint/GetUpdates), ideally combined with the request path and the destination host, are the parts worth matching on.
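As an added example of how these indicators translate into detection logic (illustrative code written for this page, not Cyberint's tooling), the following Python refangs the network IOCs above and runs them over a constructed, tab-separated proxy log. The log format, the client addresses and the timestamps are assumptions; the hosts, IPs and SOAPAction values are those listed above. The api.ip.sb geolocation lookup is surfaced only as corroboration for a client that already has a strong hit, because it is a legitimate public service, and a SOAPAction that merely starts with http://tempuri.org/ is deliberately not alerted on. Labelling the GetUpdates operation as "tasking" is an assumption based on the panel's Loader Tasks feature; the page lists the header without describing it.

```python
import re

# Network indicators from the IOC section, kept in their defanged form (the third
# IP is written as 193[.]142[.]59[.]119, correcting a typo in the published list).
DEFANGED_HOSTS = [
    "licensechecklive[.]xyz",
    "185[.]215[.]113[.]114",
    "37[.]0[.]8[.]88",
    "193[.]142[.]59[.]119",
    "136[.]144[.]41[.]201",
]
# SOAPAction values from the IOC section mapped to the stage each corresponds to.
# "tasking" for GetUpdates is an assumption; the analysis does not describe it.
DEFANGED_SOAP_ACTIONS = {
    "hxxp://tempuri[.]org/IMainServer/Connect": "panel-login",
    "hxxp://tempuri[.]org/Endpoint/EnvironmentSettings": "c2-checkin",
    "hxxp://tempuri[.]org/Endpoint/SetEnvironment": "exfiltration",
    "hxxp://tempuri[.]org/Endpoint/GetUpdates": "tasking",
}
GEOIP_HOST, GEOIP_PATH = "api.ip.sb", "/geoip"  # legitimate service, weak on its own


def refang(indicator):
    """Undo the hxxp:// and [.] defanging used in published IOC lists."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", indicator).replace("[.]", ".")


KNOWN_HOSTS = {refang(h) for h in DEFANGED_HOSTS}
SOAP_ACTIONS = {refang(k): v for k, v in DEFANGED_SOAP_ACTIONS.items()}

# Constructed proxy log in an assumed format: time, client, method, host[:port],
# path, SOAPAction header value or "-" when the header is absent; tab-separated.
SAMPLE_LOG = "\n".join([
    "2021-08-10T09:14:02Z\t10.0.0.23\tPOST\tlicensechecklive.xyz:8778\t/IMainServer\thttp://tempuri.org/IMainServer/Connect",
    "2021-08-10T09:15:40Z\t10.0.0.57\tPOST\t185.215.113.114\t/Endpoint/EnvironmentSettings\thttp://tempuri.org/Endpoint/EnvironmentSettings",
    "2021-08-10T09:15:41Z\t10.0.0.57\tGET\tapi.ip.sb\t/geoip\t-",
    "2021-08-10T09:15:55Z\t10.0.0.57\tPOST\t185.215.113.114\t/Endpoint/SetEnvironment\thttp://tempuri.org/Endpoint/SetEnvironment",
    "2021-08-10T09:20:00Z\t10.0.0.99\tPOST\tcrm.internal.example\t/OrdersService.svc\thttp://tempuri.org/IOrders/GetOrder",
    "2021-08-10T09:21:10Z\t10.0.0.12\tGET\twww.example.com\t/\t-",
])


def parse_line(line):
    ts, client, method, host, path, action = line.rstrip("\n").split("\t")
    return {
        "ts": ts, "client": client, "method": method,
        "host": host.split(":", 1)[0].lower(),  # drop the port, e.g. :8778
        "path": path,
        "action": None if action == "-" else action.strip('"'),
    }


def scan_log(lines):
    """Return alerts, ordered by time, for records matching Redline indicators."""
    records = [parse_line(l) for l in lines if l.strip()]
    alerts, strong_clients = [], set()
    for r in records:
        reasons = []
        if r["host"] in KNOWN_HOSTS:
            reasons.append("known Redline infrastructure: " + r["host"])
        stage = SOAP_ACTIONS.get(r["action"])
        if stage:
            reasons.append("Redline SOAPAction: " + r["action"])
        # A generic http://tempuri.org/ SOAPAction (fifth sample line) is the WCF
        # default namespace and common in benign .NET traffic, so on its own it
        # is intentionally not a reason to alert.
        if reasons:
            alerts.append({"ts": r["ts"], "client": r["client"], "severity": "strong",
                           "stage": stage or "contact-with-known-infrastructure",
                           "reasons": reasons})
            strong_clients.add(r["client"])
    # Second pass: the public geolocation lookup the stealer performs is only
    # worth surfacing when the same client already has a strong hit.
    for r in records:
        if r["host"] == GEOIP_HOST and r["path"] == GEOIP_PATH and r["client"] in strong_clients:
            alerts.append({"ts": r["ts"], "client": r["client"], "severity": "weak",
                           "stage": "geolocation",
                           "reasons": ["api.ip.sb lookup from a client that also contacted Redline C2"]})
    alerts.sort(key=lambda a: a["ts"])
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines()):
        print(a["ts"], a["client"], a["severity"], a["stage"], "; ".join(a["reasons"]))
```

On the sample log this yields three strong alerts (the operator's panel login, the stealer's check-in and its exfiltration upload) plus one weak corroborating alert for the geolocation lookup from the same infected client, while the internal WCF service and the ordinary web request produce nothing.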