RedLine stealer

What is RedLine Stealer

Oguzhan Ozturk
5 min read · Sep 30, 2021

RedLine Stealer (a.k.a. RedLine) is malicious software sold on hacker forums for $150 or $200, depending on the version. It steals data and can infect the operating system with additional malware.

In general, cybercriminals infect computers with malware like RedLine Stealer to make money, either by misusing the stolen information or by installing further malware of this kind for the same goal. If you have any reason to believe your computer is infected with RedLine Stealer, remove it right away.

VirusTotal result for a random RedLine sample

RedLine Stealer can collect information from all Gecko- and Chromium-based web browsers, including logins, passwords, autofill data, cookies, and credit card numbers.
This information can be used by cybercriminals to gain access to a variety of accounts (e.g., social media, email, banking-related accounts, cryptocurrency wallets).

Logs stolen through RedLine Stealer

Cybercriminals also use the stolen data to spread malware, run spam campaigns, make fraudulent transactions and purchases, trick others into sending money, steal identities, and so on. RedLine Stealer can also capture files from compromised systems and collect data from various FTP (File Transfer Protocol) and IM (Instant Messaging) clients.

It also collects system data such as the IP address, username, keyboard layout, UAC settings, installed security solutions, and other details. This nasty application can also infect the system with further payloads by downloading and executing malicious files.

Such payloads vary: cryptocurrency miners abuse the computer's hardware to mine cryptocurrency, ransomware-type programs encrypt files (causing data loss), Trojans can create chain infections (installing more malware), and RATs let criminals take control of the infected machine and perform dangerous operations.

How RedLine Works

A dedicated WSDL application connects RedLine Stealer to a remote command-and-control server. Through that server, the operators can browse and search the stolen records, download them, run tasks on the infected host, and export the data they want.

After a thorough investigation of the program, security researchers have confirmed that RedLine Stealer’s wide-ranging capabilities are as real as they get. Combined with its low asking price, these qualities make RedLine a highly dangerous piece of malware. The fact that anyone willing to pay $150-$200 can get their hands on such a weapon adds to its potency.

RedLine software for sale on a deep web forum

Given its frequent upgrades, it is reasonable to expect that RedLine’s creators will continue to extend the tool’s functionality as new targets emerge. In this regard, it is unlikely that RedLine will introduce supplementary malware payloads soon. The global coronavirus pandemic is being used as a backdrop for a growing number of social-engineering scams, and this trend is unlikely to change any time soon.

RedLine user log sales on the deep web

RedLine Stealer has very likely spread across the world, since it is available to anyone willing to pay the price for the software. That is why no user is safe from a potential RedLine Stealer infection.

Fig. 1 Redline Stealer Official Telegram Account

Using third-party tools such as cryptors or packers to thwart signature-based detection is no concern for the threat actors, as the subscription comes with a free cryptor as part of the package.

Fig. 2 RedLine Purchase Options

Those tools are praised for their high level of service, and the management dashboard, much like the malware component, is reportedly straightforward to use. Notably, based on the analysis of recent samples and a changelog posted on the threat actor’s Telegram channel, the most recent release of RedLine is version 21.2 (Figure 3). It introduced support for additional stolen-data management options, notification management, logging, and bug fixes, which indicates the dedication and ongoing development behind the product.

Fig. 3 RedLine 21.2 version notes

How Can RedLine Stealer Affect You?

RedLine Stealer victims may suffer financial loss, data loss, identity theft, privacy issues, theft of personal and corporate accounts, and other major consequences.
To reduce your chances of becoming a victim of a threat like RedLine Stealer, download and install a legitimate anti-virus software suite that will safeguard your system and data. Also, remember to apply all pending updates to all of your applications regularly.

Accounts of a compromised machine exposed through RedLine

Recommendations

  • Employee security awareness training remains critical in helping staff recognize and be suspicious of unsolicited emails and phishing campaigns, as well as strange social media communications, particularly messages containing embedded links or file attachments that might lead to the delivery of further malicious payloads.
  • To reduce the value of any stolen credentials, multi-factor authentication should always be used.
  • The organization should mandate strong password policies for all employees.
  • Ensure that email security precautions are in place to prevent end users from receiving potentially malicious attachments or links, and configure protocols and security controls such as DKIM, DMARC, and SPF.
  • Continuous monitoring of abnormal endpoint behavior, such as requests to domains with a low reputation, can detect an intrusion early on.
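The email-authentication bullet above names SPF, DKIM and DMARC without saying what a weak configuration looks like. The following is an added example, not code from the original post: a small lint of a domain's SPF and DMARC TXT records that flags the settings which leave spoofed mail unenforced (a permissive `+all`, a monitor-only `p=none`, a missing `rua` address, terms placed after `all`, too many DNS-lookup terms, a partial `pct`). The record strings and the `example.com` / `example.net` names are constructed for the demo; DKIM is left out because validating it needs the selector's public key from DNS rather than a record string.

```python
"""Lint SPF and DMARC records: a permissive pair next to a hardened pair.
Added example; records below are constructed, example.com is a placeholder."""
from typing import Dict, List

# Constructed records for a placeholder domain (not taken from the post).
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
HARDENED_SPF = "v=spf1 mx include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def lint_spf(record: str) -> List[str]:
    """Flag SPF settings that leave unauthorized senders unenforced."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    mechanisms = terms[1:]
    all_positions = [i for i, t in enumerate(mechanisms)
                     if t.lower().lstrip("+-~?") == "all"]
    if not all_positions:
        findings.append("SPF: no 'all' term, so unlisted senders are neutral and unenforced")
    else:
        last = all_positions[-1]
        term = mechanisms[last]
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        if qualifier == "+":
            findings.append("SPF: '+all' authorizes any host on the Internet to send as this domain")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral; receivers have nothing to enforce")
        if last != len(mechanisms) - 1:
            findings.append("SPF: terms after 'all' are never evaluated")
    lookups = sum(1 for t in mechanisms
                  if t.lower().lstrip("+-~?").split(":")[0].split("=")[0] in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> List[str]:
    """Flag DMARC settings that only monitor instead of enforcing."""
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag; receivers ignore the record")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address, so no aggregate reports will arrive")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings


def lint_domain(spf: str, dmarc: str) -> List[str]:
    """Combined findings for one domain's SPF and DMARC records."""
    return lint_spf(spf) + lint_dmarc(dmarc)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, lint_domain(spf, dmarc) or ["no findings"])
```

The weak pair produces three findings (the `+all`, the `p=none`, the missing `rua`); the hardened pair produces none. In practice the record strings come from a TXT lookup of the domain and of `_dmarc.<domain>`, and the lint is a quick sanity check, not a substitute for the receiver's full evaluation.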

Indicators of Compromise

SHA256 file hashes

Sample hashes from August 2021, which may help in understanding the nature of this threat:

  • 95f79fdcfb83a5035a2e3fa8621a653a0022925a9d1cb8729b8956db202fc3d8
  • 9072f90e16a2357f2d7e34713fe7458e65aae6e77eeb2c67177cf87d145eb1a6
  • f224b56301de1b40dd9929e88dacc5f0519723570c822f8ed5971da3e2b88200
  • ffee20e0c17936875243ac105258abcf77e70001a0e8adc80aedbc5cfa9a7660
  • 88ff40bd93793556764e79cbf7606d4448e935ad5ba53eb9ee6849550d4cba7f
  • 6be3a52cd5c077794a03f0596d1cbf3aee2635d268b03b476f6a2eaeb87d411c

Domains

  • licensechecklive[.]xyz - centralized license check server, used for the initial authentication of a RedLine control panel user.

URLs

  • licensechecklive[.]xyz/IMainServer

IPs

  • 185[.]215[.]113[.]114
  • 37[.]0[.]8[.]88
  • 193[.]142[.]59[.]119
  • 136[.]144[.]41[.]201

HTTP Headers

  • SOAPAction: "hxxp://tempuri[.]org/IMainServer/Connect"
  • SOAPAction: "hxxp://tempuri[.]org/Endpoint/EnvironmentSettings"
  • SOAPAction: "hxxp://tempuri[.]org/Endpoint/SetEnvironment"
  • SOAPAction: "hxxp://tempuri[.]org/Endpoint/GetUpdates"
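The indicators above are published defanged, so they cannot be pasted into a search as-is. The following is an added example, not code from the original post, that refangs exactly the domain, IP, SOAPAction and SHA256 indicators listed on this page and matches them against log lines, which is the kind of continuous endpoint and network monitoring the recommendations section asks for. The log lines are constructed for the demo (a proxy entry, an HTTP header log, an EDR file event), not captured traffic; the matching deliberately anchors domains and IPs so that `37.0.8.88` does not fire on `137.0.8.88` and `GetUpdates` does not fire on a longer action name.

```python
"""Match the RedLine indicators from this post against log lines.
Added example; indicators are copied from the post, log lines are constructed."""
import re
from typing import Dict, List, Pattern, Tuple

# --- Indicators from the post, defanged exactly as published ----------------
DEFANGED_DOMAINS = ["licensechecklive[.]xyz"]
DEFANGED_IPS = [
    "185[.]215[.]113[.]114",
    "37[.]0[.]8[.]88",
    "193[.]142[.]59[.]119",
    "136[.]144[.]41[.]201",
]
DEFANGED_SOAPACTIONS = [
    "hxxp://tempuri[.]org/IMainServer/Connect",
    "hxxp://tempuri[.]org/Endpoint/EnvironmentSettings",
    "hxxp://tempuri[.]org/Endpoint/SetEnvironment",
    "hxxp://tempuri[.]org/Endpoint/GetUpdates",
]
SHA256_HASHES = {
    "95f79fdcfb83a5035a2e3fa8621a653a0022925a9d1cb8729b8956db202fc3d8",
    "9072f90e16a2357f2d7e34713fe7458e65aae6e77eeb2c67177cf87d145eb1a6",
    "f224b56301de1b40dd9929e88dacc5f0519723570c822f8ed5971da3e2b88200",
    "ffee20e0c17936875243ac105258abcf77e70001a0e8adc80aedbc5cfa9a7660",
    "88ff40bd93793556764e79cbf7606d4448e935ad5ba53eb9ee6849550d4cba7f",
    "6be3a52cd5c077794a03f0596d1cbf3aee2635d268b03b476f6a2eaeb87d411c",
}


def refang(ioc: str) -> str:
    """Reverse the defanging used in the post so the value can be matched."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def _compile(values: List[str], template: str) -> List[Tuple[str, Pattern]]:
    """One case-insensitive pattern per indicator; the defanged form is kept for reporting."""
    return [(v, re.compile(template.format(re.escape(refang(v))), re.I)) for v in values]


# Domains may be preceded by a subdomain label but not embedded in a longer name;
# IPs must not sit inside a longer dotted number; SOAP actions must end at the name.
DOMAIN_PATTERNS = _compile(DEFANGED_DOMAINS, r"(?<![\w-]){}(?![\w-])")
IP_PATTERNS = _compile(DEFANGED_IPS, r"(?<![\d.]){}(?![\d.])")
SOAP_PATTERNS = _compile(DEFANGED_SOAPACTIONS, r"{}(?![\w/])")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, defanged_indicator) pairs found in one log line."""
    hits: List[Tuple[str, str]] = []
    for kind, patterns in (("domain", DOMAIN_PATTERNS),
                           ("ip", IP_PATTERNS),
                           ("soapaction", SOAP_PATTERNS)):
        for value, pattern in patterns:
            if pattern.search(line):
                hits.append((kind, value))
    for digest in HASH_RE.findall(line):
        if digest.lower() in SHA256_HASHES:
            hits.append(("sha256", digest.lower()))
    return hits


def scan(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Scan many lines; keys are 1-based line numbers that had at least one hit."""
    result: Dict[int, List[Tuple[str, str]]] = {}
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            result[number] = hits
    return result


# Constructed sample lines (proxy, HTTP header log, EDR file event); not real traffic.
SAMPLE_LOG = [
    '2021-09-30T10:01:02Z proxy CONNECT licensechecklive.xyz:443 src=10.0.0.15',
    '2021-09-30T10:01:03Z http POST /IMainServer dst=185.215.113.114 '
    'hdr=SOAPAction: "http://tempuri.org/IMainServer/Connect"',
    '2021-09-30T10:01:09Z edr file_created path=C:\\Users\\Public\\svc.exe '
    'sha256=95F79FDCFB83A5035A2E3FA8621A653A0022925A9D1CB8729B8956DB202FC3D8',
    # benign: 137.0.8.88 must not trigger the 37.0.8.88 indicator
    '2021-09-30T10:02:00Z proxy GET update.example.com dst=137.0.8.88 src=10.0.0.15',
    # benign: a longer action name must not trigger the GetUpdates indicator
    '2021-09-30T10:02:30Z http POST /api dst=10.0.0.5 '
    'hdr=SOAPAction: "http://tempuri.org/Endpoint/GetUpdatesReport"',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(f"line {number}: {hits}")
```

Only the first three constructed lines match. Reporting the defanged form keeps any alert text safe to paste into a ticket, and the hash set lookup is case-insensitive because EDR products disagree on hex casing.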

Sources:
https://socradar.io/what-is-redline-stealer-and-what-can-you-do-about-it/
