Credential Stealer RedLine Reemerges

 We at K7 Labs noticed that there were several RedLine Stealersresurfacing. Hence, we decided to analyze one such sample from ourincident queue.


The sample we studied for the sake of this blog was  an NSIS compiled binary with the NSIS script and the malicious binary in its overlay.

Upon execution it drops 2 executables in the ‘AppData\Roaming’ folder.

  1. @deadma3ay_crypted.exe 
  2. 1079929187.exe
It then runs “@deadma3ay_crypted.exe” in background and injects the malicious code into a suspended instance of the ClickOnce .Net utility named AppLaunch.exe and then proceeds to connect with the C2 server. The process tree showing AppLaunch.exe was started in suspended state as shown below.
Figure 1: Process tree
Figure 2: @deadma3ay_crypted.exe creates a process which is in suspended state
Figure 3 :AppLaunch,exe created and is in suspended state

Highlighted above is the call to the API CreateProcessW with the “dwCreationFlags” set to 0x00000004 meaning it would start the process with the attributes “CREATE_SUSPENDED” 

The binary“@deadma3ay_crypted.exe”was custom packed, we then went on to dump the file after unpacking to find where the injection was being done.
Figure 4: Stealer dumped in memory

“@deadma3ay_crypted.exe”uses process hollowingto inject the RedLine Stealer into the benign AppLaunch.exe process.
Figure 5: Version info of the RedLine Stealer sample

RedLine Stealer Analysis

This binary contains an encoded string which upon decoding gives an IP address.  To obtain the original IP the malware does the following: Base64 -> XOR key(Bahs) -> Base64.  The decoding using XOR key, IP address are all  shown in Figure 6. The IP belongs to that of the C2 server.
Figure 6: C2 server IP address decode

.

Within the malware there is code present that terminates its process based on its geolocation and the code for the same is available in Figure 7.
Figure 7: Validating the geolocation

The IP mentioned earlier is decoded as below and the malware keeps running the below loop until the connection to the C2 server is established. In this binary we found just one IP, but the code in Figure 8 suggests that there can be an array of IPs as well.
Figure 8: Establishing connection to C2

Using this IP, a secure connection is established between the victim and the C2 server. Below is the code for the same.
Figure 9: Code to request connection to the C2 

The malware contains a huge list of base64 encoded wallet addresses. Below are the code snippets that refer to the encoded data and the actual data after decoding. The malware would supposedly use these in a clip & switchscenario at the victim’s end.
Figure 10: Encoded wallet addresses
Figure 11: Decoded wallet address list

The malware also scrapes information from various browser data. Below are screen captures of code that steals information from Opera and Mozilla.
Figure 12: Stealingbrowser information from Opera
Figure 13: Getting Mozilla info

It then proceeds to collect users’ cookies and data from the browser’s locally saved data.

The malware also tries to steal information from Telegram’s saved data. The code for the same is shown in Figure 14.
Figure 14: Getting Telegram data

It also touches the Discord data as shown in Figure 15.
Figure 15: Getting Discord info 

It then gets the Discord token using the regex given below

“ [A – Z a – z \ d] {2  4} \ . [ \ w – ] { 6 } \ . [ \ w – ] { 2  7}”

and  stores the value in a .txt file.
Figure 16: Data stored in .txt file

In the text shown in Figure 16 if you remove/cut the substring “Replace” we get the string Tokens.txt, which is the file name in which the malware stores the Discord data.
Figure 17: Parsing FileZilla info xml

There was also code to extract information from FileZilla’s saved information in an xml file.
Figure 18: Getting AV and VPN product username and password; products like NordVPN, and OpenVPN

It also searches for the firewall, AntiVirus, antispyware products’ info also about any installed VPN software’s information.
  Figure 19: Getting info on security product 

Once the stealer has gathered all the information required, it then proceeds to save those information across several randomly named variables. Shown in Figure 20 are the list of variables.
Figure 20: Getting unique string

Out of these the variable “kadsoji83” is used to hold the unique identifier value of the infected victim’s machine. The malware gathers various system info(Figure 21) and converts it into an MD5 and assigns the resultant value to the earlier mentioned variable. 
Figure 21: Converting the info into MD5 

We at K7 Labs provide detection against the latest threats and also for this newer variant of RedLine Stealer. Users are advised to use a reliable security product such as K7 Total Securityand keep it up-to-date so as to safeguard their devices.

Indicators of Compromise (IOC)

HashNameK7 Detection Name
3A00D25C7E4B9FA8C2BE12E4328C869FRobloxFruits.exeTrojan ( 005850dc1 )
F3F316DB086068FBB16DF5B11827CF47@deadma3ay_crypted.exeTrojan ( 005917021 )
215935B2D09B884E4CFDDA76586712501079929187.exeTrojan ( 0058f06c1 )

C2

185.200.191[.]18:80

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

Comments

Post a Comment

Popular posts from this blog

AMOS (MacOS Stealer)

  In the last week of April 2023, it was reported on twitter , that through a telegram channel a new malware was being offered as “Atomic MacOS Stealer”. Many samples of this malware were found on the internet. Figure 1 – Atomic MacOS Stealer Most of these samples were masquerading as an installer of various applications like Tor browser, Photoshop CC, Notion, FL studio. Figure 2 – Amos DMGfiles masquerading as different applications These are delivered as a DMGfile(Disk Image) which is the common format for software distribution & installation packages on macOS. We identified the Tor browser DMG file for the analysis. When we execute the DMG file it gets mounted and we can see the resulting window advises the user to execute the application by right clicking. Figure 3 – Tor Browser These fake applications are created by using Appify , which is used to create applications just by having the executable alone. The icons can be customised. That’s why these applications are in dif...
Read more

Ransomed by Warlock Dark Army “OFFICIALS”

  Recently we came across a tweet shared by petikvx . The tweet was on a ransomware family that had the group name similar to the WARLOCK DARK ARMY. The similarities with Chaos ransomware seem to end with the attacker group’s name. Upon analyzing the ransomware from the tweet we suspect both to be very different groups just based on their malware’s attributes. The sample under consideration was compiled using C/C++, in case of Chaos ransomware it is usually .Net. Statically looking at the file we noticed a resource entry under Bitmap with an identifier “14”, while analyzing the file code we noticed that this resource was read and loaded on to the memory. Hence we decided to dump that resource entry. Figure 1: Encrypted blob in resource section Figure 2 : Loading blob into the memory During our code analysis we found this blob was XOR encrypted. The first 16 bytes of this blob acts as the key for XOR decryption and the rest is the data which plays a key role in this ransomware’s in...
Read more

MuddyWater Back with DarkBit

  Recently, we came across a tweet about DarkBit ransomware. An Iranian APT group, named MuddyWater, is reportedly behind the DarkBit ransomware. In this blog we will explore the ransomware’s initial access method, the use of Cobalt Strike and the final ransomware payload. Initial Access Method The initial lure was delivered as an ISO file. Figure 1 – ISOFile The payload included a shortcut file (with a .doc extension) and a zip file. Figure 2 – Contents Inside ISO File The shortcut was using PrintBrm.exe to unpack the HR-Update.zip and run it as shown below. PrintBrm.exe is a windows inbuilt command line tool . Figure 3 – Shortcut File cmd.exe /c xcopy .\HR-Update.zip %TEMP% /h /y && PrintBrm.exe -r -f %TEMP%\HR-Update.zip -d %TEMP%\unzip & %TEMP%\unzip\HR-Update.exe Figure 4 – HR-Update.exe Running HR-Update.exe was a Cobalt Strike beacon. Cobalt Strike, a penetration testing tool, can also be used by attackers for gaining a foothold in the system. The final ran...
Read more