Origin: February 2020
Aliases: Win.redline_stealer, Redline
Targeted Sectors: IT, Financial
Targeted Regions: North America, Western Europe, and Eastern Europe
Motive: Data Theft
Common Infection Vectors: Phishing, Social Engineering
Developed by a programmer dubbed REDGlade, RedLine Stealer is one of the most prominent and widely used information-stealing malware families today. According to a report from Insikt Group, it is among the largest providers of stolen credentials for two underground markets: Amigos Market and Russian Market. Its sale has been observed on underground marketplaces and promoted through a series of YouTube videos built around trending topics such as NFTs. The low-cost stealer was probably first advertised on cybercriminal forums in February 2020 as Malware-as-a-Service (MaaS), but came to the notice of Proofpoint researchers only in March 2020. It not only steals passwords, credit card information, and other sensitive data but can also open the door for other ransomware, trojans, cryptocurrency miners, and RATs.
RedLine Stealer is known for trojanizing popular services such as Telegram (using social engineering tactics such as COVID-19 lures), Signal, and Discord (disguised as Windows 11 installers). It also leverages email phishing campaigns, Google Ads (for ranking malicious websites), and experiments with social engineering tactics aimed at NFT enthusiasts.
- During its first notable campaign in March 2020, a phishing email used the Coronavirus pandemic as a lure to spread the stealer, primarily targeting the healthcare and manufacturing industries in the U.S. Threat actors abused MSBuild to deploy RATs and information-stealing malware, including RedLine.
- In July, a malware campaign was detected using a malicious document to deliver AutoIt scripts, which eventually infected users with CyberGate RAT and RedLine Stealer.
- In October, threat actors were observed abusing the paste.nrecom[.]net service to deliver several malware families, including AgentTesla, LimeRAT, ransomware, and RedLine Stealer.
- In June 2021, malicious pay-per-click ads were observed in Google’s search results, leading victims to RedLine Infostealer.
- In July, a fake website was seen delivering Smoke Loader that subsequently downloaded the RedLine Stealer while masquerading as a ‘Privacy Tool.’
- In November, a cryptocurrency-related campaign was found abusing a legitimate Russian RAT tool called TeamViewer with SpyAgent that also downloaded the RedLine Stealer.
- Another campaign in the month was offering fake installers of popular software to bait users, infecting them with RedLine Stealer.
- At the end of December, the stealer was linked to a cache of 441K stolen accounts used against different online services, according to the data breach notification service Have I Been Pwned.
- In February 2022, cybercriminals were delivering RedLine Stealer disguised as the Windows 11 Upgrade installer to lure victims.
- In March 2022, Microsoft confirmed that a threat group known as LAPSUS$ was able to gain access to the source code of some of its internal projects, including Bing, Cortana, and Bing Maps, by deploying the RedLine Stealer.
- In the same month, Okta also declared that the Lapsus$ group was able to compromise over 366 corporate customers by leveraging RedLine malware.
- In April, ZingoStealer malware was discovered with powerful data-stealing features, with the ability to load additional payloads including the RedLine Stealer.
- Another campaign found in April used the RIG Exploit Kit (EK) to spread RedLine Stealer by exploiting an Internet Explorer vulnerability.
- A new attack chain spotted in May abused Discord’s CDN to spread SYK Crypter, which eventually dropped the RedLine Stealer.
- A week later, a cybercriminal group was reported dropping the potent RedLine Stealer via fake Binance NFT mystery box bots.
Availability and Attack Profile
Looking at its business model, the threat group behind RedLine Stealer may have no other goal than generating revenue by offering the malware to more and more groups. RedLine Stealer is available for sale on several dark web forums, in different packages. It was observed on the official RedLine Telegram channel with an offer of monthly ($100), weekly ($150), and lifetime ($800) subscriptions. The price also depends on the version of the stealer. Additionally, the buyer needs to make the payment in Ethereum, Bitcoin, XMR, USDT, or LTC. Owing to its low cost, the malware has also been seen in multiple smaller campaigns run by individual attackers. Since this is commercially available malware, the targeted industries and organizations depend entirely on the person buying and using it. Commonly targeted sectors include healthcare and information technology, while the most targeted regions include North America, Western Europe, and Eastern Europe.
- In October 2021, attackers used social engineering and phishing emails to compromise YouTube creators with information-stealing malware, including RedLine Stealer.
- In January 2022, a new variant of the RedLine was distributed using emails with a fake COVID-19 Omicron stat counter app as bait, targeting victims across 12 countries, without focusing on any specific individual or organization.
- Zscaler reported a crypto scam in February that was using social engineering to deliver Dark Crystal RAT that led to RedLine Stealer infection.
- In March, a malware campaign used Valorant cheats as lures on YouTube to fool players into downloading RedLine Stealer.
Prevention and Mitigation
A researcher reported vulnerabilities in the RedLine Stealer malware itself, and patching them can help stop the malware from infecting users’ devices. Furthermore, since phishing and social engineering are its primary methods of propagation, the first line of defense is staying alert when receiving suspicious emails and downloading software from third-party sources. Organizations must protect sensitive information with adequate, restricted access control for users, and ensure the use of robust encryption to protect that information within an efficient security infrastructure. More importantly, organizations must adopt modern threat alert sharing solutions to receive the latest threat updates, including information on the latest malware indicators of compromise (IOCs). Leveraging such solutions will equip them with constant and reliable situational awareness against threats.
At present, RedLine Stealer is being actively used by several cybercriminals in their campaigns. The malware developers make continuous efforts to update its versions and adapt them to different subscription-based models, making it affordable for threat groups of all sizes. This also makes RedLine a versatile threat.
Indicators of Compromise
RedLine Stealer initial sample
RedLine Stealer final stage
C2 - Redline Infostealer
ISO - Redline Infostealer ZIP Files