
Demystify Cyber
RedLine stealer - October 2021
Updated: Mar 23
Below is a summarised analysis of an executable sample Demystify Cyber obtained and analysed on 3 October 2021.
BLUF
RedLine Stealer is a data and credential theft malware sold in underground markets, either as the malware itself or as malware-as-a-service on a subscription basis. As far as I have researched, the infection vectors appear to be links in malicious emails, malvertising (online adverts with embedded malware), and non-genuine or cracked software. The sample I analysed could harvest credentials and files from the infected machine, deploy a keylogger, and steal stored passwords and internet history from browsers.
Recommendations
Be cautious opening unsolicited emails and do not click on included links or open included attachments
Use an up-to-date, reputable AV solution and perform regular full scans
Do not store passwords in your browser or on your computer
Keep software/OS patched
Do not download software through torrents, third-party installers or non-official sources
Check your Windows Task Manager: RedLine Stealer often appears as "AddInProcess.exe"
Mitre Att&ck framework
1. Initial execution
T1047: Windows Management Instrumentation – uses WMI queries to check for installed antivirus and firewall applications
T1106: Native API – has an evasive API call chain (GetModuleFileName, DecisionNodes, Sleep) and a function that determines which API calls to make
2. Persistence and privileged access
T1547.008: LSASS Driver – enables driver privileges on infected machine
T1546.011: Application Shimming – uses GetProcAddress to hide API calls
T1548.002: Bypass User Account Control – disables Windows Defender by setting the value DisableIOAVProtection to 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
T1055: Process Injection – injects a PE file, maps a DLL into another process, injects code into remote processes, and then spawns processes
3. Evasion
T1562.001: Disable or Modify Tools – changes security settings, stopping notifications, updates, antivirus, and firewall
T1140: Deobfuscate/Decode Files or Information – .NET code calls encryption/decryption functions (source: file3[1].exe.0.dr, u0037547DFCF.cs; cryptographic API: 'CreateDecryptor')
T1027: Obfuscated Files or Information – includes code obfuscation, and the binary includes encryption
T1497: Virtualization/Sandbox Evasion – has sleep cycles to evade detection and functionality to dynamically detect a virtual environment
4. Steals Credentials
T1003: OS Credential Dumping – harvests all browser information, including any stored credentials
T1056: Input Capture – contains a keylogger
5. System Discovery
T1083: File and Directory Discovery – runs directory queries to discover user files
T1012: Query Registry – queries and monitors the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate) to protect autostart
6. Collection and communication
T1560: Archive Collected Data – functionality to compress and encrypt stolen data before it exfiltrates it
T1005: Data from Local System – searches for credentials, accounts, and any sensitive user information to collect and exfiltrate
T1056: Input Capture – drops a keylogger
T1105: Ingress Tool Transfer – can download and receive instructions and drop additional payloads
T1573: Encrypted Channel – malware contains encryption function
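The two host-level indicators above that a defender can check directly are the Defender policy change under T1548.002 and the "AddInProcess.exe" process name from the recommendations. The following read-only triage script is an added example, not part of the original analysis; it assumes Windows PowerShell 5.1 or PowerShell 7 in an elevated prompt, and the function name Test-RedLineIndicators is the example's own.

```powershell
# Added example: read-only host triage for the two indicators described in the
# analysis above. Assumes an elevated prompt so the policy key is readable.
# Test-RedLineIndicators is a name chosen for this example.

function Test-RedLineIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Defender policy tampering (T1548.002 above): DisableIOAVProtection = 1
    #    under the Real-Time Protection policy key. On a normally managed host
    #    this key is usually absent or the value is 0.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    if (Test-Path $policyKey) {
        $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        if ($props.DisableIOAVProtection -eq 1) {
            $findings += [pscustomobject]@{
                Indicator = 'DefenderPolicy'
                Detail    = "$policyKey DisableIOAVProtection = 1 (download and attachment scanning disabled by policy)"
            }
        }
    }

    # 2. Process name the post says RedLine often appears as. AddInProcess.exe is
    #    also a legitimate .NET Framework component, so record image path, parent
    #    process and command line for analyst review instead of flagging blindly.
    foreach ($proc in (Get-CimInstance Win32_Process -Filter "Name = 'AddInProcess.exe'")) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Indicator = 'AddInProcess'
            Detail    = "PID $($proc.ProcessId) path '$($proc.ExecutablePath)' parent '$($parent.Name)' (PID $($proc.ParentProcessId)) cmdline: $($proc.CommandLine)"
        }
    }

    return $findings
}

$results = @(Test-RedLineIndicators)
if ($results.Count -eq 0) {
    Write-Output 'None of the indicators from this analysis were found on this host.'
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

An AddInProcess.exe entry is a lead to examine, not a verdict: compare its path against the .NET Framework directory and look at what parent launched it before acting.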
Written by A. Turner
© A. Turner 2021 https://www.demystifycyber.com.au/
Provided for general information and education purposes