Background
Last month HP published research on RedLine Stealer, a stealer malware being delivered via fake Windows 11 updates. Almost a month later, RedLine Stealer continues to be active in the wild, with new samples surfacing over the past week.
What is RedLine Stealer?
RedLine Stealer is an information stealer advertised on underground forums. It harvests saved credentials, browser autocomplete data, cryptocurrency wallet data, and credit card information. It also takes a system inventory of the victim's machine, gathering the username, location data, hardware configuration, and installed security software. RedLine Stealer can also upload and download files, execute commands, and send information about the infected computer to its C2 server. C2 communication uses WCF (Windows Communication Foundation), the .NET framework for building service-based communication.
According to researchers at S2W, RedLine Stealer was first released in 2020 and was originally distributed via malicious links in YouTube video descriptions, masquerading as a free download. RedLine is currently offered as malware-as-a-service (MaaS) at roughly $100 to $200 USD per month. It was last updated as recently as January 2022.
The threat actors operating RedLine Stealer use three Telegram channels to conduct business: an official chat, the official RedLine page, and a Buy RedLine bot. Stolen logs obtained via RedLine Stealer are also sold on an underground forum.
IOCs
PolySwarm has multiple samples associated with RedLine Stealer. A selection of sample SHA-256 hashes is listed below.
Hashes
4293d3f57543a41005be740db7c957d03af1a35c51515585773cedee03708e54
7d5ed583d7efe318fdb397efc51fd0ca7c05fc2e297977efc190a5820b3ee316
c7bcdc6aecd2f7922140af840ac9695b1d1a04124f1b3ab1450062169edd8e48
6b089a4f4fde031164f3467541e0183be91eee21478d1dfe4e95c4a0bb6a6578
cd3f0808ae7fc8aa5554192ed5b0894779bf88a9c56a7c317ddc6a4d7c249e0e
38a5b96fd07f03041f6eff913b85fc621fa314e1de87326accb00ee218c37756
020fbe48b4da34a90d3422f211aa0338681a7cb9e99292b2b9d738a354ed97de
c6d48514031cc6e83445b95f9ed4e975f2cdcebc2e9cc1914605058ff7af7764
9ac01cc861cfe9e340c66a5cd527ab8a7e3de345b851ebcf07a7ca08eeee2f88
You can use the following CLI command to search for all RedLine Stealer samples in our portal:
$ polyswarm link list -f RedlineStealer
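If you want to sweep endpoints or a quarantine share for the samples above without going through the portal, the following script hashes files and matches them against the published IOC list. This is an added example, not PolySwarm tooling or code from the RedLine operators; the only thing copied from the post is the hash list itself. Function names (`normalize_ioc`, `load_iocs`, `sha256_file`, `scan_paths`) are this example's own. Note that two of the published hashes are printed with a capitalised first hex digit, so the loader lowercases and validates every entry before use, which is the step most ad-hoc IOC matchers skip.

```python
"""Match files against the RedLine Stealer SHA-256 IOCs published above.

Added example (not PolySwarm tooling). Only the hash list is taken from the
post; the matching logic and all function names are this example's own.
"""
import hashlib
import re
from pathlib import Path
from typing import Iterable, List, Optional, Set, Tuple

# IOCs exactly as published in the post, including the two entries whose
# first hex digit is capitalised. Normalisation below makes case irrelevant.
REDLINE_IOCS_RAW = """
4293d3f57543a41005be740db7c957d03af1a35c51515585773cedee03708e54
7d5ed583d7efe318fdb397efc51fd0ca7c05fc2e297977efc190a5820b3ee316
C7bcdc6aecd2f7922140af840ac9695b1d1a04124f1b3ab1450062169edd8e48
6b089a4f4fde031164f3467541e0183be91eee21478d1dfe4e95c4a0bb6a6578
cd3f0808ae7fc8aa5554192ed5b0894779bf88a9c56a7c317ddc6a4d7c249e0e
38a5b96fd07f03041f6eff913b85fc621fa314e1de87326accb00ee218c37756
020fbe48b4da34a90d3422f211aa0338681a7cb9e99292b2b9d738a354ed97de
C6d48514031cc6e83445b95f9ed4e975f2cdcebc2e9cc1914605058ff7af7764
9ac01cc861cfe9e340c66a5cd527ab8a7e3de345b851ebcf07a7ca08eeee2f88
"""

SHA256_RE = re.compile(r"[0-9a-f]{64}")


def normalize_ioc(value: str) -> Optional[str]:
    """Return the lowercase SHA-256 hex digest, or None if the line is not one.

    Rejecting anything that is not exactly 64 hex characters keeps stray
    whitespace, MD5s or copy-paste debris from silently entering the set.
    """
    candidate = value.strip().lower()
    return candidate if SHA256_RE.fullmatch(candidate) else None


def load_iocs(text: str) -> Set[str]:
    """Parse a newline-separated hash list into a set of normalised digests."""
    iocs = set()
    for line in text.splitlines():
        digest = normalize_ioc(line)
        if digest:
            iocs.add(digest)
    return iocs


REDLINE_IOCS = load_iocs(REDLINE_IOCS_RAW)


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_paths(roots: Iterable[str], iocs: Set[str]) -> List[Tuple[str, str]]:
    """Walk each root (file or directory) and return (path, sha256) for every
    file whose digest is in the IOC set. Unreadable files are skipped rather
    than aborting the sweep, since a locked or permission-denied file is
    expected on a live host."""
    hits = []
    for root in roots:
        root_path = Path(root)
        if root_path.is_file():
            candidates = [root_path]
        else:
            candidates = (p for p in root_path.rglob("*") if p.is_file())
        for path in candidates:
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((str(path), digest))
    return hits


if __name__ == "__main__":
    import sys

    # Usage: python redline_ioc_scan.py <dir-or-file> [<dir-or-file> ...]
    for matched_path, matched_digest in scan_paths(sys.argv[1:] or ["."], REDLINE_IOCS):
        print(f"MATCH {matched_digest} {matched_path}")
```

Hash-only matching is the narrowest possible detection: a single byte change in a repacked build defeats it, so treat a hit as confirmation of a known sample and use the portal search above, or behavioural detections around the WCF C2 traffic, to find variants the list does not cover.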