Intro

• In this post, I will cover the details of my analysis for info-stealer malware called RedLine stealer which is currently one of the trends. Regarding the case covered in this post, the malware masquerades as a cheating module for the GTA game.

The kill-chain

• The following diagram shows the flow of attack from the initial access to communication with the C2 server.

  (The kill-chain Diagram)

  Delivery stage

  • The malware is distributed as a cheating module for the GTA game on some websites and delivered when it gets downloaded by gamers.

  • The below screenshot shows a text file that exists in the same folder with the infection first stage executable, trying to give the user confidence that it’s a non-malicious cheating module by showing instructions and features.

  (Snippet for the instructions text file)

  Installation stage

  • Once the executable GTA_hlMWYG.exe is executed, a DLL file gets loaded and its main function gets executed. This DLL is protected by Enigma Protector which is proofed by the unique exported functions names as appears below.

    (Exported functions of the loaded DLL)

  • As appears in the below screenshot, the loaded DLL file then executes a process called AppLaunch.exe in suspend mode and then injects the RedLine PE file into the memory of the suspended process.

    (Injecting RedLine inside AppLaunch process)

  The Command and Control stage

  • Once the RedLine is executed, it checks the status of the C2 server.

  • If the C2 server is up, they both start communicating using SOAP messages over TCP protocol to make it harder to detect than the previous RedLine version that used the SOAP over HTTP protocol that is humanly readable and easily detected.

Deobfuscating the strings obfuscations

• Before digging deeper into the malware functionalities, I deobfuscated the RedLine strings obfuscation using a redline-deobfuscator that I developed.

Countries of interest

• The countries that are not included in the below array are interesting targets for RedLine.

  (Protected list of countries)

• The RedLine will start executing its functions if the infected device’s local time-zone Id, current culture, and current UI culture aren’t related to any of the previous countries list.

  (Checking whether the infected device is interesting target)

Malware Configuration decryption

• The below screenshot is for a class that represents the encrypted malware configuration. It consists of the following fields:

  • IP that contains encrypted C2 IP(s)
  • ID that contains encrypted sample ID.
  • Message represents a message to display however it’s empty in this case.
  • Key represents the decryption key.
  • Version represents a version of the malware.

  (Checking whether the infected device is interesting target)

• Three simple operations do the decryption of both IP and ID fields.

  1. Applying base64 decoding for the encrypted strings as appeared below.

     (Base-64 decoding for the encrypted strings)

  2. Then XORing the decoded string from the previous operation with the Key which in our case is Detersions

     (XORing the decoded string with a key)

  3. Finally, apply the base64 decoding for the output of the last operation.

• Below is the decoded configuration.

  (Decrypted RedLine configuration)

Establishing a network connection

• The malware will set a communication channel that uses SOAP over TCP which makes the SOAP messages sent in a binary-encoded format that is not easily get decoded.

• Also, it does not validate a certificate as it sets certificate validation mode to none. Additionally, it provides an authorization value equal to 4e6fb2a9ee1dcdfaa807aab6c0f5a16d to enable the sample access to a specific.

  (Establishing a communication channel)

Fetching the settings from C2

• After establishing the communication channel and ensuring that C2 is alive, the RedLine will start fetching the settings from the C2, as appears below.

  (Fetching the settings)

• The below screenshot is for the settings, and it consists of the following types of fields:

  1. Boolean fields that act as switches for whether do specific functionality or not.

  2. List of file patterns to exfiltrate.

  3. List of paths and profiles for browsers and applications, to steal important data from their files like cookies and login data.

  4. List of wallet information in which every object in the list contains wallet application name, paths, and patterns for the files to exfiltrate to the C2 server.

  (The fetched settings)

Fingerprinting the infected machine

• For every infected device, the RedLine will try to fingerprint the infected machine by collecting the following information and sending them to the C2.

  • First, It will try to extract the public IPv4 if any of the C2 addresses has a port equal to 80 or 81. Otherwise, it returns the string unknown.

    (Extracting public IP for the infected machine)

    (Saving the public IP to struct)

  • Also, it collects information about whether the machine is pre-infected or not. If it finds a folder named SystemCache exists within the last 10 days, then it will return true, indicating that the machine is already infected.

    (Checking if machine is pre-infected)

    (Saving boolean value for pre-infection status to struct)

  • Finally, it gathers the following listed information and then sends all of them to the C2, as appears in the below screenshot.

    1. The Username for the current thread.

    2. The Virtual display size.

    3. The Current input language that is used at the moment.

    4. The Windows version, represented by a string that concatenates the operating system bitness (32/64 bit) and value of the ProductName at the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

    5. The Disk location of the executing RedLine sample.

    6. The Device signature is estimated by the computation of the MD5 hash for the concatenation of Username, UserDomainName, and a Disk drive’s serial number.

    (Collecting and sending device information to C2)

Collecting Hardware information

• RedLine collects and sends the following hardware specifications to C2:

  1. The installed Processor(s) names and their number of cores.

     (Collecting Processors specifications)

  2. The installed Graphics card(s) names and their adapter RAM sizes.

     (Collecting Graphics cards specifications)

  3. The installed RAM size is in bytes and megabytes units

     (Collecting RAM size)

Collecting installed browsers’ information

• RedLine retrieves information like names, paths, and versions for the installed browsers and sends them to the C2 server.

  (Retrieving the installed browsers’ information)

Listing the installed programs

• RedLine lists all the installed programs’ names and versions and then sends the list to the C2 server.

  (Listing the installed programs)

Finding the installed security products

• RedLine collects the names of the installed Antivirus, AntiSpyWare, and Firewall products and sends these names to the C2 server.

  (Collecting the installed security products names)

Retrieving the running processes

• RedLine retrieves information like ID, Name, and CommandLine for the running processes. After that, it sends them to the C2 server.

  (Retrieving the running processes information)

Listing the available languages

• RedLine collects all available input languages and then exfiltrates them to the C2 server.

  (Retrieving the available languages)

Stealing Telegram application files

• RedLine searches for the Telegram application directory called tdata where application data like session data, messages, and images are stored. Also, it looks for other tdata sub-directories whose names are 16 characters long.

  (Searching for Telegram application data directory)

• Then, it steals all the files under the previously mentioned directories and exfiltrates them to the C2 server.

  (Stealing files under Telegram application data directory)

Stealing data from browsers and applications

• RedLine searches a list of profile paths received within the settings, to locate the browsers’ databases to steal data records like cookies, saved login, auto-fills, and credit cards as appeared below.

  (Stealing a browsers’ data)

• These previously mentioned databases are:

  • Cookies, to extract records of the cookies table.

  • Extension Cookies, to extract records of the cookies table.

  • Network\\Cookies, to extract records of cookies table

    (Extracting cookies records)

  • Login Data, to extract records of the logins table which contains saved logins.

    (Extracting login data records)

  • Web Data, to extract records for tables like autofill containing auto-fill data and credit_cards holding saved credit cards’ data.

    (Extracting auto-fill records)

    (Extracting credit cards records)

• Also, it tries to steal cookies from Firefox-based browsers by searching for a database called cookies.sqlite.

  (Stealing Firefox-based browsers cookies)

• If it finds the cookies.sqlite database, Then, it extracts the cookies records from the table named moz_cookies.

  (Extracting cookies from moz_cookies table)

• Below is the list of browsers and applications whose data are stolen.

  Targetted browsers and applications

  
  Battle.net - Chromium - Chrome - Opera Software - ChromePlus - Iridium - 7Star - CentBrowser Chedot - Vivaldi - Kometa - Elements Browser - Epic Privacy Browser - Uran - Sleipnir5 - Citrio Coowon - liebao - Orbitum - Comodo Dragon - Amigo - Torch - Yandex - 360Browser - Maxthon3 K-Melon - Sputnik - Nichrome - CocCoc - Chromodo - Mail.Ru Atom - Brave-Browser - Microsoft Edge - NVIDIA GeForce Experience - Steam - CryptoTab Browser - Mozilla Firefox - Waterfox - Thunderbird - Comodo IceDragon - Cyberfox - BlackHaw - Pale Moon - QIP Surf

Collecting FileZilla Credentials

• RedLine searches for the FileZilla XML files like recentservers.xml and sitemanager.xml which contain login credentials for FTP servers.

  (Looking for FileZilla credentials files)

• Once it finds them it extracts all host’s URLs, username,s and passwords and send them to the C2 server.

  (Extracts stored FTP servers’ credentials)

Taking a screenshot

• RedLine copies the screen and converts it to bytes in order to send it to the C2 server.

  (Taking a screenshot)

Exfilterating files matching received patterns

• RedLine exfiltrates the files that match any of the patterns that exist in the received settings. Every pattern string has the format Disk path | regex1, regex2,regex3, … | search-option constant value. The below are received patterns from C2.

  • %userprofile%\Desktop | *.txt,*.rtf,*.doc*,*key*,*wallet*,*seed*,*.jpg,*.jpeg,*.png,*.pdf |0
  • %userprofile%\Documents | *.txt,*.rtf,*.doc*,*key*,*wallet*,*seed*,*.jpg,*.jpeg,*.png,*.pdf |0
  • %userprofile%\Downloads | *.txt,*.rtf,*.doc*,*key*,*wallet*,*seed*,*.jpg,*.jpeg,*.png,*.pdf |0

• If the disk path field equals %DSK_23%, then it will search all logical drives to find and exfiltrate the matched files.

  (Searching all logical drives for matched files)

• In case of the disk path does not equal %DSK_23%, then it will search inside that path based on the search option value, to find matched files.

  (Searching inside a specific path for matched files)

• Also, note that in all cases, the exfiltrated file mustn’t be more than 3097152 bytes and the summation of exfiltrated files’ sizes mustn’t be more than 52428800 bytes.

Stealing Crypto wallets files

• RedLine looks for the directories that contain any of the files named wallet.dat or wallet and then exfiltrates all the files in these directories that match the regex pattern ”*wallet*“.

  (Looking for wallet files)

• Additionally, it searches for the following folders of crypto and authenticator extensions inside the browsers paths. When it finds these folders, it will exfiltrate all their files as regex ”*“ is specified.

  (Stealing files of Crypto wallets browser extensions)

• Finally, It steals files from the list of crypto wallets in the received settings. The following table contains the name of the targetted crypto wallet applications, directories to search, and file matching patterns for every directory to exfiltrate to C2.

Stealing Discord tokens

• RedLine searches the directory with path \%appdata\%\discord\Local Storage\leveldb, to look for the files matching any of the following regex patterns:

  • *.log
  • *.ldb

  (Searching for discord files)

• After that, it looks into the matched files to find the tokens using the regex [A-Za-z\\d]{24}\.[\\w-]{6}\.[\\w-]{27}.

  (Finding the discord tokens)

• Finally, it saves these tokens under a text file called Tokens.txt and uploads it to the C2 server.

  (Saving the tokens into a text file)

Collecting Steam files

• Redline searches the installation path for Steam to steal the files with the following patterns:

  • *ssfn*, the files that match this pattern can be used to do auto-login.
  • *.vdf, the files that match this pattern contain usernames that are logged in and configurations.

(Stealing Steam application files)

Stealing VPN files

• RedLine targets the VPN applications’ files, for example, it looks for the files that match the *ovpn pattern inside application data folders for OpenVPN and ProtonVPN.

  (Stealing ovpn files for OpenVPN)

  (Stealing ovpn files for ProtonVPN)

• Also, it looks for XML files with the name user.config inside the application data folder for the NordVPN, to steal the saved usernames and passwords.

  (Stealing NordVPN Credentials)

The detection and tracking of RedLine

The below is YARA rule for detecting and tracking RedLine stealer.

RedLine YARA rule

import "pe"

rule RedLine_Rule{

  meta:
   author = "Oviche"
   description = "Yara rule for Redline stealer"
  
  strings:
   $s1 = "%DSK_23%" wide
   $s2 = "api.ip.sb/ip" wide
   $s3 = "SystemCache" wide
   $s4 = "autofill" wide
   $s5 = "Total of RAM" wide	
   $s6 = "Local State" wide	
   $s7 = "logins" wide
   $s8 = "SerialNumber" wide
   $s9 = "AdapterRAM" wide
   $s10 = "ProcessId" wide
   $s11 = "recentservers.xml" wide
   $s12 = "sitemanager.xml" wide

  condition:  
   uint16(0) == 0x5A4D and
   pe.imports("mscoree.dll", "_CorExeMain") and
   pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and
   all of ($s*)
}

Indicators of compromise (IOCs)