RedLine is an information stealer which is being sold via “Malware as a Service (MaaS)” model. RedLine is targeted towards Windows users and can gather information like login credentials for web browsers & FTP applications like Filezilla, credit card number stored on web browsers, popular crypto wallets, login data for IM services like Discord. It had popped up in various underground forums in  early 2020. A subscription to RedLine starts from $150 per month to $800 for lifetime access and can easily be purchased from their Telegram channel in exchange for payment in bitcoin. A free packer is also provided with each subscription which can be used to custom pack the executable to evade signature-based detections. With the rise of organized cybercrime, MaaS has been steadily gaining popularity even among novices.

Figure 1: Official RedLine Telegram Channel 

Going through the RedLine Telegram channel, we can see an update was announced in the first week of November 2021 with the version number 22.3. This shows that the authors of RedLine Stealer are still active and constantly working on improving the functionality of their product. 

Figure 2: Recent update for RedLine Stealer

However, a cracked version of RedLine Stealer was leaked on several underground forums as shown in Figure 3 which provided us with a glimpse of the functionality of the RedLine malware from the perspective of threat actors and how easy it is to manufacture your own malicious executables. It was also accompanied by a FAQ document containing installation notes and some information about the files present in the toolkit.

Figure 3: Screenshot from an underground forum

Let us now look at the control panel of the RedLine Stealer malware. A username and password is needed to login to the C&C panel which would have been supplied along with the subscription. The control panel runs as a dedicated windows server rather than being a web panel. 

Figure 4: RedLine login prompt

Upon logging in, we are greeted by a simple looking GUI. It contains the functionality to 

  • Display logs of infected machines 
  • Sorting and searching logs
  • Option to blacklist  countries, IPs
  •  Load tasks on infected machines
  • Block IP or Hardware ID of infected machines
  • Select what data is to be harvested
Figure 5: RedLine control panel

Credential verification is done via SOAP over HTTP POST request. SOAP or Simple Object Access Protocol is a messaging protocol used for exchanging structured information. The request contains encoded login and subscription details to be verified by an authentication server hosted by the malware authors as shown in Figure 6.

Figure 6: POST request for credential validation

The control panel uses certain text files and a config file to read and forward it to the Redline clients. chromeBrowsers.txt and geckoBrowsers.txt contain the list of targeted browsers present on a target machine. 

Figure 7: Name of targeted browsers present in chromeBrowsers.txt

Meanwhile Panel.exe.config contains config data like domains to be targeted for session hijacking and regular expression for targeted file paths including that of cryptocurrency wallets and seed phrases for the client.

Figure 8: Targeted websites like Banks, Crypto Exchanges and E-commerce sites

It also uses serviceSettings.json to store port numbers for communications and telegramChatsSettings.json for storing details about the telegram bot which automatically sends details of new infected machines.

Now that we have looked at the C&C panel, let us take a close look at how Redline communicates with the C&C panel. Redline Stealer comes with the functionality of hardcoding the hacker server and port, along with a unique BuildID.

Figure 9: Entry point for RedLine Binary

An interface by the name of  IRemoteEndpoint, is assigned the responsibility to facilitate communications between Redline client and the webserver.

Figure 10: IRemoteEndpoint Interface

RedLine Stealer then tries to connect to the C&C server as soon as it is executed. Two functions RequestConnection() and TryGetConnection() are used. RequestConnection() attempts to open a channel to the webserver and TryGetConnection() sends a SOAP request via HTTP POST.

Figure 11: Implementation of RequestConnection() and TryGetConnection()
Figure 12: SOAP request from Redline client to C&C panel

The first time the  Redline client takes instructions from the web server, it calls TryGetArgs() which sends a SOAP request over HTTP POST to the server.

Figure 13: Implementation of TryGetConnection()

In response, the web server replies with  a request with the targets mentioned In chromeBrowser.txt , geckBrowser.txt and the configuration details for the Redline client.

Figure 14: Request sent from C&C with targeted files

Then Redline client in return shares all the data it has gathered from the infected host via another HTTP POST request 

Figure 15: Harvested data being sent to C&C

It can further communicate with the web server and get updates or any other tasks that are to be executed on the infected host machine.

Now that we know how the Redline client contacts the web server, let us have a closer look at what all data can this Stealer exfiltrate. RedLine Stealer can be highly customized based on regex patterns that can be fed into the exe at the time of building the Redline client. As like all the typical information stealers, RedLine gathers information of the infected machine like the IP address, what all processes are running on the machine and what is the build of the machine like the amount of RAM installed on machine and processor information.

Class GeoHelper is used for downloading IP details of the infected machine. It can further contact and  to pull IP data in case any one of them fails to send back data to the Redline  client.

Figure 16: Class GeoHelper

Similarly, class SystemInfoHelper extracts various details about the machine like processor type, graphic card type, information about the firewall and running processes.

Figure 17: Class SystemInfoHelper

Moving on to the main USP of RedLine Stealer, it detects if any crypto wallets are present on the machine. A simple search is performed on the file system based on “pattern” ending with “wallet”.

Figure 18: Method for detecting Crypto wallets

There are a few explicitly mentioned functions for crypto wallets targeting Metamask, Armory, Coinomi,  Guarda and Exodus.

RedLine Stealer can also  gather VPN details of popular VPN clients like NordVPN, OpenVPN and ProtonVPN.

Figure 19: Method for detecting OpenVPN

As shown earlier in the blog, RedLine Stealer is also capable of extracting username and passwords of web browsers installed on the machine including cookies,  credit card information stored in the browser and AutoFill data. A class named ScannedBrowser is implemented to achieve this.

Figure 20:  Browser data to be exfiltrated 

C_h_r_o_m_e class, implements the methods of FileCopier class to populate the data in ScannedBrowser class. C_h_r_o_m_e class implements methods to scan passwords and decrypt passwords stored in base64.

Figure 21: Method for exfiltrating data

RedLine Stealer targets FTP clients as well.  This is implemented by class FileZilla which scans the files for the FileZilla folder and the ScanCredentials method is used to extract login information.

Figure 22: Method for detecting credentials of FileZilla

RedLine Stealer also has the capability to extract credentials of IM services like Discord and Gaming services like Steam. Class GameLauncherRule uses native Registry key functions to check if Steam is installed on the machine then grabs the SSFN file which contains user data. 

Figure 23: Method for detecting Steam credentials

By providing RedLine Stealer as Malware-as-a-Service, it’s authors are bringing cybercrime operations to the masses making it very popular. As we see in the blog, RedLine Stealer is easy to use with a very simple GUI for its C&C; making it highly desirable for someone having little technical knowledge. Along with the FAQ, it is very easy to set up your own cybercrime operation. With the leaked version being posted on many forums, it will surely be more popular in the near future.  So users are requested to use a reputed security product like K7 Total Security to protect their devices and keep it up-to-date to stay safe.

Indicators Of Compromise (IOCs)

                    MD5File NameK7 Detection Name
b160ce13f27f1e016b7bfc7a015f686bTue05654693e4079.exe Trojan-Downloader (00581f111)
a2f6561c95f5fff9775ed41fdb105b03Thu16326b5c15bb1.exe Riskware (0040eff71)
FC39A6ED50506F88EAF39130CE4DEB7CFri06f35076c1a8ba.exeTrojan (005731c01)

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “RedLine Stealer – The MaaS Info Stealer”