Following the takedown of RedLine Stealer by international authorities, ESET researchers are publicly releasing their research into the infostealer’s backend modules
Analysis Summary
# Tool/Technique: RedLine Stealer / RedLine Operation
## Overview
RedLine Stealer is an infamous information-stealing Malware-as-a-Service (MaaS) operation, first discovered in 2020. It is sold to affiliates who use a turnkey solution to run campaigns for data exfiltration. The operation was recently targeted in a significant international takedown effort named Operation Magnus.
## Technical Details
- Type: Malware family / MaaS Operation Infrastructure
- Platform: Windows (Implied, based on targets like browser credential theft)
- Capabilities: Stealing credentials, cookies, saved credit card details, cryptocurrency wallet data, and saved data from applications like Steam, Discord, Telegram, and VPNs. The operation involves the malware, a control panel (GUI), and a backend module system.
- First Seen: 2020
## MITRE ATT&CK Mapping
- **[T1566 - Phishing]** (Implied threat delivery vector, seen in phishing campaigns)
  - *Note: Specific T1566 sub-techniques are not detailed for the malware itself, but the context mentions campaigns posing as ChatGPT and game cheats.*
- **[T1059 - Command and Scripting Interpreter (Execution)]** (Implied, as malware must execute)
- **[T1608 - Acquire Infrastructure]**
  - [T1608.002 - Obtain Capabilities: Code Signing Certificates]
  - [T1608.001 - Stage Capabilities: Upload Malware]
- **[T1027 - Obfuscated Files or Information]**
  - [T1027.002 - Software Packing] (Panel packed using DNGuard and BoxedApp)
- **[T1622 - Debugger Evasion]** (Panel terminates on debugger detection)
- **[T1132 - Data Encoding]**
  - [T1132.001 - Standard Encoding] (Extensive use of Base64)
- **[T1573 - Encrypted Channel]**
  - [T1573.001 - Symmetric Cryptography] (AES encryption for C2/dead-drop content)
  - [T1573.002 - Asymmetric Cryptography] (RSA encryption for C2/dead-drop content)
- **[T1071 - Application Layer Protocol]**
  - [T1071.001 - Web Protocols] (Recent versions use REST API over HTTPS)
- **[T1095 - Non-Application Layer Protocol]** (Older communication used WCF Framework over TCP)
- **[T1102 - Web Service]**
  - [T1102.001 - Dead Drop Resolver] (Uses GitHub repositories)
- **[T1571 - Non-Standard Port]** (Guest Links functionality uses HTTP on port 7766)
## Functionality
### Core Capabilities
- Information theft from web browsers (credentials, cookies, credit cards).
- Exfiltration of data from cryptocurrency wallets, Steam, Discord, Telegram, and VPN applications.
- Modular backend system providing authentication and functionality for the control panel.
- Control panel allows affiliates to manage campaigns, generate unique malware samples, and receive stolen data.
### Advanced Features
- **Infrastructure Communication:** Older versions used Windows Communication Framework (WCF) over TCP. Latest versions utilize a REST API over HTTPS.
- **Encryption:** Communications between the panel and backend server employ AES (Symmetric) and RSA (Asymmetric) encryption.
- **Dead Drop Resolver:** Utilizes GitHub repositories to locate backend server addresses dynamically.
- **Anti-Analysis:** The RedLine panel employs debugger evasion techniques to terminate if analysis tools are detected.
- **Code Signing:** RedLine panels are signed with certificates issued to AMCERT,LLC.
- **Packing:** Panel samples are obfuscated using software packers like DNGuard and BoxedApp.
## Indicators of Compromise
- File Hashes: [Not explicitly listed in the provided text]
- File Names: [Not explicitly listed in the provided text]
- Registry Keys: [Not explicitly listed in the provided text]
- Network Indicators:
  - GitHub repositories used as dead-drop resolvers.
  - Default port 7766 for the Guest Links HTTP server.
  - C2 servers/domains seized or disabled during Operation Magnus (specific IPs/domains were not listed, only the *location* of the infrastructure).
- Behavioral Indicators:
  - Use of Base64 encoding in network communications.
  - Communication patterns consistent with WCF over TCP or REST/HTTPS calls.
## Associated Threat Actors
- **Operator:** The developer/seller of the RedLine MaaS platform.
- **Affiliates:** Entities purchasing or cracking licenses to deploy the infostealer in campaigns (e.g., posing as ChatGPT or game cheats).
- **META Stealer creator:** Determined to be the same person behind RedLine.
## Detection Methods
- **Signature-based detection:** Signatures can be built for the DNGuard/BoxedApp-packed panel binaries or for the known WCF and REST communication patterns.
- **Behavioral detection:** Monitoring for network beaconing that carries an application-layer AES/RSA encryption layer on top of standard transports (TCP or HTTPS), and detection of connections to known GitHub dead-drop repositories.
- **YARA rules:** Not explicitly mentioned, but feasible for the packed executables or for artifacts related to WCF/RSA usage.
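As an added illustration of the network and behavioral indicators listed above (this is example code written for this summary, not ESET's tooling or anything from the report), the following Python scans constructed proxy-log lines for three patterns the summary names: HTTP on the Guest Links port 7766, GitHub fetches by processes that would not normally contact it (the dead-drop resolver pattern), and fixed-interval beaconing to one destination. The log format, the sample lines and the process allow-list are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log sample (not real traffic). One line per connection:
# "<ISO time> <process> <dst_host> <dst_port> <proto> <url_path>"
SAMPLE_LOG = """\
2024-10-28T09:00:01 chrome.exe www.example.com 443 https /index.html
2024-10-28T09:00:05 updater.exe raw.githubusercontent.com 443 https /acct/repo/main/README.md
2024-10-28T09:00:09 updater.exe 203.0.113.10 7766 http /
2024-10-28T09:01:09 updater.exe 203.0.113.10 7766 http /
2024-10-28T09:02:09 updater.exe 203.0.113.10 7766 http /
2024-10-28T09:03:12 git.exe github.com 443 https /org/project.git/info/refs
"""

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "api.github.com"}
# Assumed allow-list: processes for which GitHub traffic is expected in this environment.
GITHUB_EXPECTED = {"git.exe", "chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}
GUEST_LINK_PORT = 7766  # RedLine Guest Links HTTP server default port per the summary


def parse(line):
    ts, proc, host, port, proto, path = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "proc": proc, "host": host,
            "port": int(port), "proto": proto, "path": path}


def find_indicators(log_text, beacon_min=3, jitter_seconds=5):
    """Return sorted, de-duplicated (rule, process, destination) alerts."""
    alerts = set()
    dests = defaultdict(list)  # (proc, host, port) -> connection timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        # Plain HTTP to the non-standard Guest Links port.
        if e["port"] == GUEST_LINK_PORT and e["proto"] == "http":
            alerts.add(("redline_guest_link_port", e["proc"], e["host"]))
        # GitHub contacted by a process with no business there: dead-drop resolver candidate.
        if e["host"] in GITHUB_HOSTS and e["proc"] not in GITHUB_EXPECTED:
            alerts.add(("github_dead_drop_candidate", e["proc"], e["host"]))
        dests[(e["proc"], e["host"], e["port"])].append(e["ts"])
    # Beaconing: repeated connections to one destination at a near-constant interval.
    for (proc, host, port), times in dests.items():
        if len(times) >= beacon_min:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if max(gaps) - min(gaps) <= jitter_seconds:
                alerts.add(("periodic_beacon", proc, f"{host}:{port}"))
    return sorted(alerts)
```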
## Mitigation Strategies
- **Operation Takedown:** Law enforcement actions like Operation Magnus can disrupt the MaaS infrastructure.
- **Application Control:** Restricting application execution, especially downloaded files disguised as legitimate software (game cheats, utility updates).
- **Network Monitoring:** Implement strict egress filtering or monitoring for unusual TCP connections or HTTPS traffic patterns that might indicate WCF/REST C2 activity.
- **Endpoint Hardening:** Robust endpoint detection/prevention capable of detecting debugger evasion or software packing techniques.
## Related Tools/Techniques
- **META Stealer:** A clone of RedLine malware sharing the same creator.
- **DNGuard/BoxedApp:** Tools used for packing the RedLine components.