Author Image

Infosec Website | CTF Write Up

© 2019 - 2022 Nikj-Fr CC BY-SA 4.0
Built with Hugo ❤️ hyde-hyde.

Malware Analysis - RedLine Stealer

May 3, 2022
5 min read

Table of content

Introduction

Redline Stealer is distributed through Phishing Emails or malicious software disguised as installation files such as Discord or cracked software. Recently, Phishing Link that downloads Chrome Extension containing Redline Stealer by abusing YouTube Video Description (source).

The sample analyzed can be download here.
The MD5 is 0adb0e2ac8aa969fb088ee95c4a91536.

Unpacking

This sample is packed, we can see it by looking at the entropy of the binary.

entropy

Futhermore, we can look at the address of the entrypoint to know that the stub is located in the .text section.

stub_entrypoint

Let’s use UnpacMe (up to 10 subscriptions/months with free account) to unpack this malware easily.

unpacked

The malware is splitted into 3 stages. We’ll deeply analysis the last unpacked stage.

The SHA256 of the sample analyzed is e90f6d0a7b7d0f23d0b105003fce91959c2083c23394b5cf43101c84ae8be4d2.

Configuration

The malware encodes the communication with it’s C2 server with a unique key. The decryption function Decrypt() is working like:

  • Decode Base 64 strings provided in parameter
  • Xor the decoded string with the key
  • Decode the base 64 xored string to retrieve the final string

decrypt_string_method

The key Pythonic is hardcoded in the EntryPoint constructor class.

entrypoint_and_key_value

The following Python script allow the decryption of the RedLine Stealer configuration:

TODO

As a result, we have:

  • C2 = 46.8.19.196:53773
  • Release_Id = ytmaloy8

C2 Communication

The malware check if a connection flag is set. If not, it doesn’t perform any tasks but trying to connect to his C2.

check_if_flag_is_set

The malware enable the connection with his C2 using RequestConnection() method to http://" + C2 address + "/".

communication_main

Once the malware is connected, it try to get the arguments provided by the C2. The ScanningArgs structure is responsible for storing this configuration.

handle_args_in_main

All the arguments provided have a flag (boolean to TRUE or FALSE to enable a capability).

args_to_check

Data Collected

The ScanResult class store the collected information about the infected host. Each method in this class are obfuscated, some are written in russian.

all_collected_data

Here is a list of collected resources:

* Graphic Cards information 	(a03md9ajsd)
* All running processus			(ыал8р45)
* Installed browser				(asdk8jasd)
* Scan Chrome / Gecko			(вал93тфыв)
* Total RAM			 			(лыв7рыва2)
* Installed Software			(ылв92р34выа)
* Installed Firewalls			(аловй)
* Machine Name					(sdf934asd)
* Langage / TimeZone / Screen Resolution / OSVersion	(sdfi35sdf)
* Number of processor			(asdk9345asd)
* FTP Credentials				(навева)
* Crypto wallets keys			(ащы9р34)
* Discord 						(ыва83о4тфыв)
* Telegram						(ывал8н34)
* Steam Credentials				(askd435)
* VPN Credentials				(sdi845sa)
* Unique MD5 hash				(asdkadu8)
* File Path Execution			(sdfo8n234)
* File Exfiltration				(вашу0л34)
* Screenshots					(длвап9345)
* Available Langage				(ываш9р34)

Checks

Mutex

The malware use a mutex to know if the victim is already infected by the malware with Program.SeenBefore() method.

check_in_main

This function checks if the folder Yandex\YaAddon is present in C:\Users\<USER_NAME>\AppData\Local

mutex

Location

Inside ResultFactory.AKSFD8H23(), the malware get IP of the target and use GeoIP API to retrieve the location, Country of the victim. Next, it checks if the values returned from GeoIP are black listed (ScanningArgs.blockedCountry)

check_location

Here the malware gets the location, IP, and country and checks if it is located in the black list. If yes, malware does nothing and exit.

Browsers

The collected information about installed browsers is done in SystemInfoHelper.GetBrowsers().

browser_code

It collects the name of the browser, the full path and the version.

Next, it search for Chrome based browsers. This time, it will collect more information such as Logins, Cookies, Autofills data.

data_browser

The malware is doing the same for Gecko based browser.

FTP Credentials

The malware collect FTP credentials by searching in paths:

  • C:\Users\<USER_NAME>\AppData\Local\FileZilla\recentservers.xml
  • C:\Users\<USER_NAME>\AppData\Local\FileZilla\sitemanager.xml

filezilla_steal

If the files exists, it will extract account credentials such as:

  • Host
  • Port
  • User
  • Password

The extraction process is to look for each XML node if it match with Host, Port, User or Pass and fed it’s equivalent attribute with the value returned.

filezilla_scan_for_each_nodes

Crypto Wallets

Hot wallet purpose is to store the public and private key in your browser. To perform any transaction in the crypto space you need your private key. That’s why hackers try to steal it from you.

The BrowserExtensionRule class is searching for wallet extension like:

  • Metamask
  • Coinbase
  • BinanceChain
  • iWallet

crypto_wallet

Credit Cards

The CC class purpose is to steal credit cards information from the victim:

  • Owner Name
  • Expiration Month
  • Expiration Year
  • PIN Number

credit_cards

It is looking up in the LocalPrefs.json file of Chrome and Gecko browser, to find saved credit card information.

credit_cards_file

VPN Credentials

The malware tries to collect NordVPN, OpenVPN, ProtonVPN.
For OpenVPN, the class OpenVPNRule() search for XML file which contains the credentials. And so for ProtonVPN uses ProtonVPNRule() to search for protonVPN credentials.

vpn_rules

I’ll take the example of ProtonVPNRule (the purpose is the same for OpenVPN). The malware is looking for ProtonVPN folder in C:\Users\<USER_NAME>\AppData\Local. Inside the ProtonVPN folder it will search for the pattern "*ovpn" which is the file extension containing connection credentials.

protonvpn_steal

Remote Code Execution

The malware use command line with cmd /C <ACTION> to execute code remotely.

rce_cmd

It can drop malicious files with DownloadUpdate() method, and executes it with DownloadAndExecuteUpdate()

IoC

* C2 = 46[.]8[.]19[.]196[:]53773
* Release ID = ytmaloy8
* Xor Key = Pythonic
* Packed stage 1 sample MD5 = 0adb0e2ac8aa969fb088ee95c4a91536
* Packed stage 2 sample SHA256 = 97cdde692fadbb6d04dc59ba21e3f41b186810ee8962c6d3d2d33292ef4085d7
* Unpacked stage 3 SHA256 = e90f6d0a7b7d0f23d0b105003fce91959c2083c23394b5cf43101c84ae8be4d2
* Mutex = C:\Users\<USER_NAME>\AppData\Local\Yandex\YaAddon

References

Tutorial - Setup Remote Kernel Debugging