Destroying Redline Stealer and CypherIT
Situation
Muta from SomeOrdinaryGamers uploaded a video on Aug 14, 2022 about the Redline Stealer sample that infected Martin Shkreli. The purpose of this analysis is to destroy Redline Stealer (specifically the version that infected Martin Shkreli) from beginning to end. We will write our own configuration extractor, compile our own version of Redline Stealer in Visual Studio (without the source code), write detection signatures and tear apart every aspect of the attack chain. The entire live video series of reverse engineering this is available on YouTube for everyone!
If you wish to support my work, you can buy me a coffee here.
Executive Summary
- Redline Stealer has the ability to communicate with multiple C2 hosts.
- Redline Stealer has the ability to present a message box to the user upon execution.
- Redline Stealer communicates with the C2 server using Simple Object Access Protocol (SOAP).
- Redline Stealer exits if it detects that the infected machine is located in Russia or one of a hard-coded list of neighbouring CIS countries.
- Redline Stealer executes its modules in random order to potentially evade heuristic detection.
This post is a technical analysis of Redline Stealer, an information stealer targeting Windows systems, and of the CipherIT loader that delivered it. Redline Stealer can execute arbitrary commands, download additional payloads and exfiltrate sensitive data. We cover the infection chain used to distribute it, its configuration and string encryption, its C2 protocol and each of its stealing modules, and we provide indicators, signatures and MITRE ATT&CK mappings so that defenders can detect Redline Stealer and CipherIT.
Infection Chain
The infection chain starts with the download of `[BigTitsRoundAsses] 17.12.14 - Jazmyn [1080p].scr` (the installer) from pornleech[.]ch. The installer drops three files, an AutoIt interpreter, a batch script and an AutoIt script, and then runs the batch script with `cmd.exe`. The initial infection process is shown in Figure 1.
Obfuscated BAT Script
Once the files are extracted, the installer runs `cmd /c cmd < Quella.mp3 & ping -n 5 localhost`, which feeds the obfuscated batch script to a second `cmd.exe` on standard input (the `ping` to localhost is only a delay). The script runs `tasklist` to check whether `PSUAService.exe` (Panda Security) is running. If it is not, the AutoIt interpreter is written under the name `autoit.exe`; otherwise it is named `Magenta.exe.pif` (a `.pif` file that is really a PE still executes when launched, which is the double-extension masquerading listed under T1036.007 below).
Next, the magic bytes `MZ` are written as the first two bytes of the file that will hold the AutoIt interpreter. `%TEMP%\Che.mp3`, the interpreter with its `MZ` header removed so that it does not look like an executable on disk, is then passed through `findstr` with a filter that drops the lines containing a filler string (Figure 2), and the output is appended to the file, producing the complete interpreter in `%TEMP%` as either `autoit.exe` or `Magenta.exe.pif`. Finally, `%TEMP%\Travolge.mp3` is moved to `%TEMP%\i` and executed with the AutoIt interpreter (Figure 2).
Figure 2: Redline Stealer Deobfuscated Batch Script
CipherIT (AutoIT Script)
Next, the AutoIt interpreter executes `i`. The AutoIt script is the CipherIT loader: it recovers Redline Stealer from its encrypted and compressed form, creates `jsc.exe` in a suspended state, hollows the process and injects Redline Stealer into it.
The AutoIt script decrypts the payload as follows:
- It allocates executable memory.
- It writes the shellcode for the current architecture (x86 or x64) into that memory.
- It executes the shellcode by calling `CallWindowProc`, passing the shellcode address as the `lpPrevWndFunc` parameter (the API calls it as if it were a window procedure), a pointer to the RC4 key as the `Msg` parameter and the key length as `wParam`. This first call performs the key-scheduling stage of RC4.
- It calls `CallWindowProc` again, with `lpPrevWndFunc` pointing to the RC4 decryption routine, `Msg` pointing to the ciphertext and `wParam` holding the ciphertext length.
- This last `CallWindowProc` call returns the decrypted data, which is LZNT1-compressed.
- The LZNT1 data is decompressed by calling `RtlDecompressBuffer` with `COMPRESSION_FORMAT_LZNT1`.
Once CipherIT has decrypted (RC4) and decompressed (LZNT1) Redline Stealer, it calls `kernel32.CreateProcessW` to create the process `%WINDOWS%\Microsoft.NET\Framework\v4.0.30319\jsc.exe` in suspended mode.
Figure 1. CipherIT Shellcode RC4 Decryption Key
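The two recovery stages described above (RC4, then LZNT1) can be reproduced statically without running the shellcode. The following is an added example written for this post, not the author's unpacking tool and not code from the loader: a pure-Python RC4 and an LZNT1 decompressor equivalent to `RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1, ...)`. The RC4 key and the packed blob are constructed for the demonstration (the blob is built by encrypting a hand-made LZNT1 chunk), not taken from the sample.

```python
"""Added example: static re-implementation of the CipherIT payload-recovery steps
(RC4 decrypt, then LZNT1 decompress). Not the author's tool; the key and the
packed blob below are constructed for this demonstration."""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4. The key-scheduling loop is what the loader's first CallWindowProc call
    does with the key; the keystream/XOR loop is what the second call does."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA keystream XORed over the input
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def lznt1_decompress(data: bytes) -> bytes:
    """Decompress an LZNT1 stream as RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1) does.
    The stream is a series of chunks, each with a 2-byte header: bits 0-11 hold
    (chunk size - 1), bits 12-14 a signature of 3, bit 15 the 'compressed' flag."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                       # a zero header terminates the stream
            break
        size = (header & 0x0FFF) + 1
        chunk = data[pos:pos + size]
        pos += size
        if not header & 0x8000:               # stored chunk: copied verbatim
            out += chunk
            continue
        chunk_start = len(out)
        cpos = 0
        while cpos < len(chunk):
            flags = chunk[cpos]               # one flag bit per following token
            cpos += 1
            for bit in range(8):
                if cpos >= len(chunk):
                    break
                if not (flags >> bit) & 1:    # clear bit: literal byte
                    out.append(chunk[cpos])
                    cpos += 1
                    continue
                token = struct.unpack_from("<H", chunk, cpos)[0]
                cpos += 2
                # The offset/length split moves as the chunk fills: the further into
                # the chunk's output we are, the more bits are given to the offset.
                written = len(out) - chunk_start - 1
                length_mask, offset_shift = 0x0FFF, 12
                while written >= 0x10:
                    length_mask >>= 1
                    offset_shift -= 1
                    written >>= 1
                length = (token & length_mask) + 3
                offset = (token >> offset_shift) + 1
                if offset > len(out):
                    raise ValueError("LZNT1 back-reference points before the output start")
                for _ in range(length):       # byte-wise copy so overlapping runs work
                    out.append(out[-offset])
    return bytes(out)


def unpack_cypherit(blob: bytes, key: bytes) -> bytes:
    """Stage order as in the loader: RC4 first, then LZNT1."""
    return lznt1_decompress(rc4(key, blob))


# Constructed test vector: one compressed LZNT1 chunk that expands to b"ABCABCABCABC"
# (literals A, B, C followed by a back-reference with offset 3 and length 9).
SAMPLE_LZNT1 = bytes.fromhex("05b0" "08" "414243" "0620")
SAMPLE_KEY = b"example-rc4-key"               # assumption: not the key from the sample
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_LZNT1)   # "packed" form, as the loader would hold it

if __name__ == "__main__":
    print(unpack_cypherit(SAMPLE_BLOB, SAMPLE_KEY))   # b'ABCABCABCABC'
```

Against a real sample the RC4 key is the one the script passes in the first `CallWindowProc` call and the blob is the byte array the script passes in the second; the decompressed output should start with `MZ`.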
Next, CipherIT copies `%WINDOWS%\System32\ntdll.dll` to `%CD%\swSOYnMH.dll`. From then on, CipherIT uses the AutoIt function `DllCall` to invoke `ntdll.dll` APIs from `%CD%\swSOYnMH.dll`, likely in an attempt to avoid user-mode hooks placed on the `ntdll.dll` loaded from `%WINDOWS%\System32\`. How effective this is depends on how a given security solution implements its user-mode hooking: inline hooks in the already-loaded `ntdll.dll` image are sidestepped by the fresh copy, while kernel callbacks and ETW-based telemetry are not.
Next, CipherIT hollows the `jsc.exe` process created previously, injects Redline Stealer and calls `ntdll.NtResumeThread` to resume the hollowed process, which now runs Redline Stealer.
We wrote a tool to extract payloads from CipherIT, which is provided below.
Figure 2. AutoIt Loader Static Unpacking Tool
Redline Stealer
Redline Stealer is an information-stealing malware sold on underground forums, both as a standalone build and as a subscription service. This section of the blog is a technical analysis of Redline Stealer and its capabilities.
Language Check
Once executed, Redline Stealer checks the infected machine against a hard-coded list of countries: Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Ukraine and Russia. If `TimeZoneInfo.Local.Id` contains any of the disallowed countries, or `CultureInfo.CurrentUICulture.EnglishName` is `null`, the program calls `Environment.Exit`. This is the usual CIS geofence of stealers sold on Russian-language forums; it also means a sandbox configured with one of these locales will see the sample exit before it steals anything.
String Decryption
To decrypt strings, Redline Stealer calls `StringDecrypt.Read`, which base64-decodes the ciphertext and then XORs the result with the key `Kenners`, a user string (`#US`) in the assembly, cycling through the key byte by byte (Figure 3).
Figure 3. Redline Stealer String Decryption Routine in Python
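As an added example (not the author's Figure 3 script and not code from the binary), the routine can be written in Python as below. The key `Kenners` is the one quoted above; reading "rotating XOR" as a byte-wise XOR with the key repeated over the decoded ciphertext is an assumption, as are the sample `Arguments` values, which are produced here with the inverse routine rather than extracted from the sample (the C2 address and build ID are the ones quoted elsewhere in this post; the second host is a TEST-NET placeholder).

```python
"""Added example: Python equivalent of Redline Stealer's StringDecrypt.Read as described
in the text (base64 decode, then XOR with a repeating key). The sample config values
are constructed for this demonstration."""
import base64

KEY = "Kenners"   # user string (#US) quoted in the analysis


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key byte at the same position modulo the key length."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def string_decrypt_read(ciphertext_b64: str, key: str = KEY) -> str:
    """Mirror of StringDecrypt.Read: base64 -> XOR with the rotating key -> UTF-8 text."""
    raw = base64.b64decode(ciphertext_b64)
    return xor_cycle(raw, key.encode()).decode("utf-8")


def string_encrypt(plaintext: str, key: str = KEY) -> str:
    """Inverse of string_decrypt_read; used only to build the constructed samples."""
    return base64.b64encode(xor_cycle(plaintext.encode(), key.encode())).decode("ascii")


def parse_c2_hosts(decrypted_ip_field: str) -> list:
    """Arguments.IP holds one or more C2 endpoints separated by '|'."""
    return [host for host in decrypted_ip_field.split("|") if host]


def decrypt_arguments(args: dict) -> dict:
    """Decrypt every field of an Arguments-like mapping; empty fields stay empty."""
    return {name: string_decrypt_read(value) if value else "" for name, value in args.items()}


# Constructed sample: encrypted the way the binary would store them. 192.0.2.10 is a
# documentation address standing in for a second C2 host.
SAMPLE_ARGUMENTS = {
    "IP": string_encrypt("95.217.35.153:9678|192.0.2.10:9678"),
    "ID": string_encrypt("100822"),
    "Message": string_encrypt(""),
    "Version": string_encrypt("1"),
}

if __name__ == "__main__":
    cfg = decrypt_arguments(SAMPLE_ARGUMENTS)
    print(cfg)
    print(parse_c2_hosts(cfg["IP"]))
```

Because XOR is its own inverse, the same `xor_cycle` serves to encrypt test strings and to decrypt real ones; a configuration extractor only needs to locate the base64 blobs assigned to the `Arguments` fields and pass them through `string_decrypt_read`.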
User Message
If the field `Arguments.Message` is not an empty or `null` string, it is decrypted with `StringDecrypt.Read` (Figure 3) and presented to the user in a message box. Execution of Redline Stealer is not halted while the box is shown, because the message box is created on a new thread. This lets operators show the victim a message, such as a fake error, while the stealer keeps running.
C2 Communication
Redline Stealer uses the SOAP messaging protocol, carried over WCF's net.tcp transport, to communicate with its C2 server. This section is a technical analysis of that communication.
Establish Connection
To establish a connection with the C2 server, Redline Stealer creates a new `ConnectionProvider` object, which handles all C2 communication. It then decrypts the C2 list in `Arguments.IP` with `StringDecrypt.Read` (Figure 3) and splits the result on the delimiter `|` to obtain an array of C2 hosts. With that array, Redline Stealer connects to `net.tcp://95.217.35[.]153:9678/` using SOAP, the default for Windows Communication Foundation (WCF). Once the WCF `ChannelFactory` object is created, Redline Stealer stores it in the field `connector` and sets a SOAP header named `Authorization` in the namespace `ns1`. If it cannot connect to the first C2 address, it loops, calling `Thread.Sleep` for 5 seconds before trying the next address in the array. A build can therefore carry several C2 addresses, increasing the probability that at least one is still operational; when blocking, use every address from the decrypted configuration rather than only the one seen in a sandbox run.
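Because the transport is WCF net.tcp, the first bytes a Redline Stealer client sends are not SOAP at all but the .NET Message Framing ([MC-NMF]) preamble, which carries the C2 URI in clear text. The following is an added example, not code from this post or from the malware: a parser for that preamble that a detection can key on, together with a matcher against a list of known C2 hosts. The sample bytes are constructed from the Via URI quoted above, not captured from a real session.

```python
"""Added example: parse the .NET Message Framing ([MC-NMF]) preamble that opens a
WCF net.tcp session, and match the Via URI against known C2 hosts. Not from the page
or the malware; the sample preamble is constructed."""

# Record type codes from [MC-NMF]
VERSION_RECORD, MODE_RECORD, VIA_RECORD, KNOWN_ENCODING_RECORD = 0x00, 0x01, 0x02, 0x03
PREAMBLE_END_RECORD = 0x0C
MODE_NAMES = {1: "SingletonUnsized", 2: "Duplex", 3: "Simplex", 4: "SingletonSized"}
ENCODING_NAMES = {0x03: "UTF8/SOAP1.2", 0x07: "Binary", 0x08: "BinaryWithInBandDictionary"}


def read_mb_int(buf: bytes, pos: int):
    """MC-NMF variable-length integer: 7 bits per byte, high bit set means 'more'."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def parse_nmf_preamble(payload: bytes) -> dict:
    """Walk the records up to PreambleEnd and return the fields a detection keys on."""
    info = {}
    pos = 0
    while pos < len(payload):
        rtype = payload[pos]
        pos += 1
        if rtype == VERSION_RECORD:             # major, minor (1, 0 for net.tcp)
            info["version"] = (payload[pos], payload[pos + 1])
            pos += 2
        elif rtype == MODE_RECORD:
            info["mode"] = MODE_NAMES.get(payload[pos], payload[pos])
            pos += 1
        elif rtype == VIA_RECORD:               # length-prefixed UTF-8 URI
            length, pos = read_mb_int(payload, pos)
            info["via"] = payload[pos:pos + length].decode("utf-8")
            pos += length
        elif rtype == KNOWN_ENCODING_RECORD:
            info["encoding"] = ENCODING_NAMES.get(payload[pos], payload[pos])
            pos += 1
        elif rtype == PREAMBLE_END_RECORD:
            info["preamble_complete"] = True
            return info
        else:
            raise ValueError(f"unexpected record type 0x{rtype:02x} at offset {pos - 1}")
    return info


def is_known_c2(info: dict, known_c2: set) -> bool:
    """True when the Via record names a net.tcp endpoint on the block list (host:port)."""
    via = info.get("via", "")
    return via.startswith("net.tcp://") and via[len("net.tcp://"):].rstrip("/") in known_c2


def build_preamble(via: str) -> bytes:
    """Build a duplex, binary-encoded preamble as a WCF NetTcpBinding client sends it.
    Used here only to construct the sample bytes."""
    via_bytes = via.encode("utf-8")
    if len(via_bytes) >= 0x80:
        raise ValueError("sample builder only handles single-byte Via lengths")
    return (bytes([VERSION_RECORD, 1, 0, MODE_RECORD, 2, VIA_RECORD, len(via_bytes)])
            + via_bytes + bytes([KNOWN_ENCODING_RECORD, 0x08, PREAMBLE_END_RECORD]))


# Constructed sample: the first client-to-server bytes for the C2 endpoint quoted above.
SAMPLE_PREAMBLE = build_preamble("net.tcp://95.217.35.153:9678/")
KNOWN_C2 = {"95.217.35.153:9678"}

if __name__ == "__main__":
    parsed = parse_nmf_preamble(SAMPLE_PREAMBLE)
    print(parsed, is_known_c2(parsed, KNOWN_C2))
```

The same preamble structure (version 1.0, duplex mode, a `net.tcp://` Via and encoding 0x08) is what a network signature for this C2 channel should anchor on, since the SOAP envelopes that follow are binary-XML encoded and not greppable.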
Get Settings
Redline Stealer creates the data contract class SettingsStruct
, which contains data members. These data members are the settings Redline Stealer uses during its execution, which are obtained from the C2 server (Table 1).
Type | Name | Description |
---|---|---|
bool | Browsers | Enable Stealing Browser Data |
bool | FileSearch | Enable File Stealing Module |
bool | Filezilla | Enable Filezilla Module |
bool | Wallets | Enable Wallet Stealing Module |
bool | GetImageBase | Enable Collection of Image Base |
bool | ScanFiles | Enable Scanning Files |
bool | VPN | Enable Stealing VPN Credentials |
bool | StealSteam | Enable Stealing Steam Creds |
bool | Discord | Enable Discord Stealing Tokens |
List<string> | FileSearchPatterns | Patterns to Search for Files to Steal |
List<string> | ChromiumBrowserPaths | Paths for Chromium Browsers |
List<string> | MozillaBrowserPaths | Paths for Mozilla Browsers |
List<WalletFileConfigs> | AdditionalWallets | Additional Wallets to Steal |
Table 1. Redline Stealer Settings Data Contract Members
Result Data Contract
Redline Stealer stores the data collected from the victim machine in a data contract whose first data member is `ID`. Its value, `100822`, comes from `Arguments.ID`, decrypted with `StringDecrypt.Read`, and serves as the build ID.
Figure 4. Redline Stealer Build ID (reference)
Modules
Redline Stealer creates the class `EntityResolver`, which is built from the template method `ItemBase.Extract`. If `Arguments.Version` is not equal to `1`, an instance of `FullInfoSender` is returned; otherwise an instance of `PartsSender` is returned. In this sample `Arguments.Version` is set to `1`, so a `PartsSender` instance is used.
Next, in a while loop, Redline Stealer executes the `Invoker` method of the `PartsSender` instance. This initialises the data contract `SystemInfo`, which is later populated with data stolen from the infected machine. Then, if the directory `%AppData%\Yandex\YaAddon` does not exist, Redline Stealer creates it; if it exists and its creation time is less than three months old, the directory is deleted and created again. Once this is done, Redline Stealer executes the modules in the module groups `First` and `Main` in random order (Table 2).
Module Group | Module Name | Description |
---|---|---|
First | GetUsername | Gets Username |
First | GetMonitorProperites | Gets Monitor Properties |
First | GetOS | Gets OS Name |
First | GetAssemblyLocation | Obtains Executing Assembly Location |
First | GetUUID | Creates a UUID |
First | GetTimezone | Gets Timezone |
Main | GetHardwareInfo | Get Hardware Information |
Main | GetBrowsers | Steal Browser Data |
Main | GetListOfPrograms | Get List of Programs |
Main | GetAVs | Get List of Security Products |
Main | GetProcesses | Get List of Processes |
Main | GetLanguages | Get Languages |
Main | GetTelegramProfiles | Enumerate Telegram Profiles |
Main | MaybeMozillaStealer | Maybe Steal Data From Mozilla |
Main | GetFileSearch | Get File Search Results |
Main | StealWallets | Steal Crypto Wallets |
Main | StealDiscord | Steal Discord Tokens |
Main | GetGameLaunchers | Steal Game Launcher Data |
Main | GetVPN | Steal VPN Credentials |
Main | GetImageBase | Get Executing Assembly Image Base |
Table 2. Redline Stealer Module Groups
The modules in the `First` group only collect data, which is sent to the C2 server afterwards, whereas each module in the `Main` group sends its own data as it completes. This may indicate that the `First` modules are in the process of being ported to the `Main` model.
GetAVs (defenders)
This module runs the WMI queries shown in Figure 5 against the `ROOT\SecurityCenter` and `ROOT\SecurityCenter2` namespaces, where Windows Security Center registers the installed antivirus, anti-spyware and firewall products.
Figure 5. Redline Stealer WMI Queries
The results are appended to a list, which is sent to the C2 server.
GetHardwareInfo (hardwares)
This module runs the WMI query `SELECT * FROM Win32_Processor`, collecting the `Name` and `NumberOfCores` of the infected endpoint. It then runs `SELECT * FROM Win32_VideoController` against `root\CIMV2`, collecting `AdapterRAM` and `Name`. The results of both queries are stored in a list. Redline Stealer then appends one more entry with the hard-coded key `Total of RAM`, whose value is the machine's physical memory (observed here as `4095.46 MB or 4294397952`). The data is then sent to the C2 server.
ListOfPrograms (softwares)
This module opens the registry key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` and iterates its sub-keys, reading each `DisplayName` and the associated `DisplayVersion`. The values are added to a list of strings in the format shown in Figure 6.
Figure 6. Redline Stealer Program List Module Structure
Next, the results are sent to the C2 server.
GetBrowsers
If the infected endpoint is 32-bit, Redline Stealer opens the registry key `SOFTWARE\Clients\StartMenuInternet`; otherwise it reads `SOFTWARE\WOW6432Node\Clients\StartMenuInternet`. It then iterates the sub-key names, collecting the `BrowserName` and the `FileVersion` of the executable referenced by `shell\open\command` (the browser's launch command). If `FileVersion` cannot be obtained, Redline Stealer sets `BrowserVersion` to `Unknown Version`. The resulting data contract is appended to the result list and sent to the C2 server.
ListProcesses (processes)
Redline Stealer runs the WMI query `SELECT * FROM Win32_Process Where SessionId='<current process session ID>'`, so only processes in the victim's own session are listed. The results are parsed for `ProcessId`, `Name` and `CommandLine`. The structure of the collected data is shown in Figure 7.
Figure 7. Redline Stealer Process List Structure
Languages
To collect languages, Redline Stealer iterates `InputLanguage.InstalledInputLanguages`, appending each language's `EnglishName` to a list of strings. Once collected, the list is sent to the C2 server.
Figure 8. Redline Stealer Get Languages
GetTelegramProfiles
To scan for profiles, Redline Stealer calls the `FileScanning.Search` method, which takes an array of scanner classes to process; here the only scanner passed is `TelegramScanner`. Each scanner has two methods: `Find`, to locate interesting directories, and `Collect`, to obtain information from them.
To collect Telegram profiles, Redline Stealer first checks whether the process `Telegram.exe` is running. If it is, Redline Stealer adds the directory containing `Telegram.exe` plus the `\tdata` folder, which holds Telegram session data, to a list of `ScannerArgsStruct` entries. `ScannerArgsStruct` is a data contract with the members `Count`, `Directory`, `SearchPattern` and `Recursive` (Table 3).
Type | Name | Description |
---|---|---|
string | Count | Number of Items Found |
string | Directory | Directory to Search |
string | SearchPattern | Search Pattern String |
bool | Recursive | Recursive Search or Not |
Table 3. Redline Stealer ScannerArgs Data Contract
If no running `Telegram.exe` process is found, Redline Stealer instead adds the directory `%AppData%\Telegram Desktop\tdata\` to the list of `ScannerArgsStruct` data contracts.
Within the `\tdata` folder, Redline Stealer treats any file whose name is exactly 16 characters long as a potential profile.
Figure 9. Redline Stealer Steal Telegram
StealWallets
To steal cryptocurrency wallets, Redline Stealer first checks whether the Wallets module is enabled. If it is, Redline Stealer initialises the first wallet module with the `BrowserPath` configuration received from the C2 and loads the wallet list in Figure 10 by splitting it into lines and then into key/value pairs on the delimiter `|`.
Figure 10. Redline Stealer Wallets
The key is the path expected to identify the wallet, and the value is the wallet name. Redline Stealer then iterates over the browser paths looking for `Login Data`, `Web Data` and `Cookies`; for each matching file path it collects the valid paths for the cryptocurrency wallets (Figure 11).
Figure 11. Redline Stealer Crypto Wallet Paths
Next, Redline Stealer searches for files named `wallet.dat` and `wallet`. The results are returned as a list of scanner results. Once complete, Redline Stealer collects the identified files and sends them to the C2 server.
Figure 12. Redline Stealer Stealing Wallets
StealDiscord
To steal Discord tokens, Redline Stealer first checks whether the Discord module is enabled. If it is, Redline Stealer reads the files with the extensions `.log` and `.ldb` from `%AppData%\discord\Local Storage\leveldb` and searches them with the regular expression `[A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27}` (it appears in the C# source with doubled backslashes, `[A-Za-z\\d]{24}\\.[\\w-]{6}\\.[\\w-]{27}`, which is only string escaping). Each match is added to a structure holding the tokens, which is added to the `SystemInfo` structure and later sent to the C2 server.
Figure 13. Redline Stealer Stealing Discord Tokens.
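The same search is useful in the other direction, for checking what a stealer would have found on a host. The following is an added example, not code from the page or the malware: the token regex above with the C# escaping removed, run over a leveldb-style directory. The directory and its files are constructed in a temporary folder and contain a token-shaped placeholder, not a real token.

```python
"""Added example: hunt for Discord token-shaped strings in .log/.ldb files the way
the StealDiscord module does. Not from the page; the scanned files are constructed."""
import os
import re
import tempfile

# The C# source shows the pattern with doubled backslashes; this is the actual expression.
TOKEN_RE = re.compile(rb"[A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27}")
LEVELDB_EXTENSIONS = (".log", ".ldb")


def scan_leveldb_dir(leveldb_dir: str) -> set:
    """Read every .log/.ldb file in the leveldb directory and return the set of
    token-shaped byte strings found (other files, such as CURRENT, are skipped)."""
    found = set()
    for name in os.listdir(leveldb_dir):
        if not name.endswith(LEVELDB_EXTENSIONS):
            continue
        with open(os.path.join(leveldb_dir, name), "rb") as fh:
            found.update(TOKEN_RE.findall(fh.read()))
    return found


def build_constructed_leveldb() -> str:
    """Create a throwaway directory mimicking %AppData%\\discord\\Local Storage\\leveldb."""
    fake_token = b"A" * 24 + b"." + b"B" * 6 + b"." + b"C" * 27   # shape only, not a real token
    root = tempfile.mkdtemp(prefix="leveldb-example-")
    with open(os.path.join(root, "000003.log"), "wb") as fh:      # scanned: contains the token
        fh.write(b'\x00\x00"token"\x00"' + fake_token + b'"\x00trailing data')
    with open(os.path.join(root, "000005.ldb"), "wb") as fh:      # scanned: nothing token-shaped
        fh.write(b"no token here, only a short string abc.def.ghi")
    with open(os.path.join(root, "CURRENT"), "wb") as fh:         # wrong extension: skipped
        fh.write(b"X" * 24 + b"." + b"Y" * 6 + b"." + b"Z" * 27)
    return root


if __name__ == "__main__":
    print(scan_leveldb_dir(build_constructed_leveldb()))
```

Running it against a real profile path returns the tokens a stealer would have exfiltrated; if any are present on a machine that was infected, they should be treated as compromised and rotated.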
StealSteam
To steal Steam credentials, Redline Stealer first checks whether the `StealSteam` module is enabled. If it is, Redline Stealer reads the value `SteamPath` from the registry key `HKCU\Software\Valve\Steam` and checks that it points to an existing directory. If it does, Redline Stealer collects the files matching the search patterns `*ssfn*` and `*.vdf`. The `ssfn` files (Steam Sentry Files) are what Steam uses to remember an already-verified device, so they let an attacker reuse the victim's authenticated session; the `.vdf` (Valve Data Format) files hold client configuration and metadata. These files are exfiltrated to the C2 server.
Figure 14. Redline Stealer Stealing Steam Sessions
StealVPN
To steal NordVPN credentials, Redline Stealer searches the directory `%USERPROFILE%\AppData\Local\NordVPN` with the search pattern `NordVPN.exe*`. If it finds a `user.config` file, it extracts the username and password from it.
To steal OpenVPN profiles, Redline Stealer collects files from the directory `%USERPROFILE%\AppData\Roaming\OpenVPN Connect\profiles` using the search pattern `*ovpn`.
To steal ProtonVPN profiles, Redline Stealer collects files from the directory `%USERPROFILE%\AppData\Local\ProtonVPN` using the search pattern `*ovpn`.
Figure 15. Redline Stealer Stealing VPN Credentials
StealBrowsers
To steal browser data, Redline Stealer iterates over the Chromium and Mozilla browser paths supplied in the configuration. For each profile it reads the `Login Data`, `Web Data`, `Cookies` and `Extension Cookies` SQLite databases, collecting cookies, the browser name, the path to the `User Data` directory, saved passwords, autofill data and credit cards. Most of this data lives in those SQLite databases and, because the stealer runs as the logged-on user, it can be decrypted on the host with the same user-level key material the browser itself uses (DPAPI for Chromium-based browsers).
Figure 16. Redline Stealer Stealing Browser Data
Remote Tasks
To execute remote tasks, Redline Stealer requests them from the C2 server. It supports four task types: arbitrary command execution, downloading a file, downloading and executing a file, and executing an existing file (Table 4).
Task | Example | Description |
---|---|---|
Arbitrary Command Execution | whoami | Execute Command using cmd /C <command> |
Download File | http://example.com/example.exe|%AppData%\\example.exe | Download a File |
Download and Execute | http://example.com/example.exe|%AppData%\\example.exe | Download and Execute a File |
Execute a File | C:\Users\example\example.exe | Execute a File |
Table 4. Redline Stealer Remote Tasks
Configuration Extraction
I have created a configuration extractor, which is available here.
Figure 17. Redline Stealer Configuration Extraction
Conclusion
At this point, I think we have successfully destroyed Redline Stealer.
Video Series
Downloads
Indicators of Compromise
Type | Indicator | Description |
---|---|---|
SHA256 | 532c47de5bdd433bea776290d27a741b09a1d5c5f2089e54eced922514a60799 | Redline Stealer Installer File |
SHA256 | 3e8d604a5d545189c35d810845b3e2208e3c56081507b949ecb17a6bbd4decb1 | Messed Up PE File (Che.mp3) |
SHA256 | ac5f7f01c7ca6663810df33bfa62012368b6c17b7520943c094308f30adac766 | BAT Script (Quella.mp3) |
SHA256 | 454b381e98f092cab4e82f21a790c5ccd4dbd006e44925bcabd6c9289ea6700e | AutoIT Script (Travolge.mp3) |
SHA256 | 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0 | AutoIT Interpreter |
SHA256 | 676ae4b1ef05ee0ec754a970cce61a5f8d3093989a58c33087a3a5dca06364aa | Redline Stealer (Unpacked) |
IPv4 | 95.217.35[.]153 | Redline Stealer C2 |
SHA256 | 2ccf3271c2e61033cddaf0af23854fc73cdaf7eab15745c419f269b8b24687c6 | Redline Stealer Deobfuscated |
SHA256 | 6cc516d93917545e60f938906bea4684860ec6db5e45480b1c81e2a2a42eb2e2 | AutoIt Script (Deobfuscated) |
SHA256 | 6914ed57497a934722dd948698e612eaf5727b631d2c6d24ff0ed76ec16cb5df | AutoIt Script Shellcode (x86) |
SHA256 | b73a01e19f8dbc51d8a42b26fd293eda31ab6efc13eb36cc78e3ff8ee5506146 | AutoIt Script Shellcode (x64) |
Detection
This section contains signatures to detect Redline Stealer and its infection chain.
YARA
Suricata
Mitre Attack TTPs
ID | Tactic | Technique | Description |
---|---|---|---|
T1059.003 | Execution | Command and Scripting Interpreter: Windows Command Shell | Redline Stealer Remote Tasks from C2 Server |
T1204.002 | Execution | User Execution: Malicious File | Redline Stealer Remote Tasks from C2 Server |
T1055.012 | Defense Evasion | Process Injection: Process Hollowing | AutoIt Loader |
T1027 | Defense Evasion | Obfuscated Files or Information | Batch Loader, AutoIt Loader, Redline Stealer |
T1071.001 | Command and Control | Application Layer Protocol: Web Protocols | Redline Stealer uses SOAP over TCP or HTTP |
T1041 | Exfiltration | Exfiltration Over C2 Channel | Redline Stealer Exfiltration with SOAP Protocol over TCP or HTTP |
T1020 | Exfiltration | Automated Exfiltration | Redline Stealer Modules |
T1555 | Credential Access | Credentials from Password Stores | Redline Stealer Modules |
T1528 | Credential Access | Steal Application Access Token | Redline Stealer Modules |
T1586.001 | Resource Development | Compromise Accounts: Social Media Accounts | Redline Stealer Modules |
T1036.007 | Defense Evasion | Masquerading: Double File Extension | AutoIT Interpreter Magenta.exe.pif |
T1539 | Credential Access | Steal Web Session Cookie | Redline Stealer Browser Modules |
T1057 | Discovery | Process Discovery | Redline Stealer GetProcesses Module |
T1016.001 | Discovery | System Network Configuration Discovery: Internet Connection Discovery | Redline Stealer |
Contributors
- dr4k0nia
- AnFam17
- whichbuffer
- shellsilky
- grayhatter
- t00big2fl4il