RedLine is a new infostealer malware family that is distributed via COVID-19 phishing email campaigns. It has been active throughout 2020, and in 2021, it has additionally been delivered through malicious Google advertisements and spearphishing campaigns against 3D or digital artists using non-fungible tokens (NFTs), which are digital tokens tied to assets that can be bought, sold and traded. RedLine is extremely versatile and has appeared variously as Trojanized services, games, cracks, and tools. Many samples of RedLine also appear with legit-looking digital certificates.

Once connection to its command and control (C2) panel is established, RedLine malware has a wide range of applications and services. In all cases it attempts to perform illicit exfiltration of victims' data. The malware gathers information from web browsers, file transfer protocol (FTP) clients, instant messengers (IM), cryptocurrency wallets, VPN services, and gaming clients. It also has remote functionality to drop and execute further malware onto the victim machine.

As the malware is distributed, the threat group behind it does not have a singular goal or target other than generating revenue by selling the malware. This threat has been sold as individual packages with several pricing options, or as Malware-as-a-Service (MaaS) on a subscription-based pricing package.

The RedLine malware family has been distributed and sold mostly via Russian underground malware forums. It is then used in multiple smaller campaigns by the individual threat actors who have purchased the malware online. Due to this, there is a wide array of known infection vectors, malware campaigns and targets that have been hit by the RedLine malware family. In the last few months, RedLine has been noted being delivered by the following mechanisms:

- Abusing Google Ads hosting Trojanized lure websites.
- Being Trojanized as the popular services 'Telegram' and 'Signal'.
- Social engineering campaigns to attack digital artists using Non-Fungible Tokens.

Throughout its development and lifecycle, RedLine has evolved to be more complex, and it has increased the list of data it can exfiltrate. At the time of writing in July 2021, this threat appears to be in active development, increasing its capabilities further.

RedLine samples tend to be heavily obfuscated. As this malware is being widely distributed by threat actors with different skills and goals, the complexity of this obfuscation can vary from sample to sample:

Figure 1: De-obfuscated.

Upon execution, the malware will initialize both the Command and Control (C2) server's IP address and the hardcoded 'Build ID' found within each sample. The malware utilizes the SOAP messaging protocol for its C2 connections. RedLine will check for Internet connectivity before reaching out to its malicious C2 infrastructure to obtain further settings. Once this is complete, the malware will begin by fingerprinting the victim's device for the following characteristics:

The malware contains multiple functions that aid in the fingerprinting of a victim device. These functions range greatly in both depth and complexity.
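The C2 behaviour described above (a hardcoded C2 IP address combined with SOAP as the transport) gives a defender a cheap network-side heuristic: SOAP is normally exchanged with named service endpoints, so a SOAP POST whose destination host is a bare IP literal is worth surfacing. The following is an added example written for this page, not code from the original write-up or from any RedLine analysis tooling. It assumes a web-proxy log format of my own construction (one JSON object per line) and relies only on the standard SOAP-over-HTTP conventions (a POST with a `text/xml` or `application/soap+xml` Content-Type, usually carrying a `SOAPAction` header); it encodes no RedLine-specific endpoint, path or Build ID, and the addresses in the sample log are constructed from the IETF documentation ranges.

```python
"""
Heuristic detector: SOAP-over-HTTP POSTs sent to a literal IP address.

Added example, not code from the original page. The log format below is a
constructed one (one JSON object per line); the SOAP markers are the generic
SOAP 1.1/1.2 HTTP conventions, not malware-specific indicators.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Content-Types used by SOAP 1.1 (text/xml) and SOAP 1.2 (application/soap+xml).
SOAP_CONTENT_TYPES = ("text/xml", "application/soap+xml")


def is_literal_ip_host(url):
    """True if the URL's host is an IPv4/IPv6 literal rather than a hostname."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_soap_request(entry):
    """True if the log entry looks like a SOAP request (POST + SOAP markers)."""
    if entry.get("method", "").upper() != "POST":
        return False
    content_type = entry.get("content_type", "").split(";")[0].strip().lower()
    header_names = {name.lower() for name in entry.get("headers", {})}
    return content_type in SOAP_CONTENT_TYPES or "soapaction" in header_names


def flag_soap_to_ip(log_lines, allowlist=()):
    """Return the entries that POST SOAP to a literal IP not on the allowlist.

    allowlist: IP literals of internal/known SOAP services that may legitimately
    be addressed by IP (assumed to be maintained by the defender).
    """
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        url = entry.get("url", "")
        if not (is_soap_request(entry) and is_literal_ip_host(url)):
            continue
        host = urlsplit(url).hostname
        if host in allowlist:
            continue
        hits.append({
            "ts": entry.get("ts"),
            "src": entry.get("src_host"),
            "process": entry.get("process"),
            "dst": host,
            "url": url,
        })
    return hits


# Constructed sample proxy log. Addresses come from the documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); nothing here is a real IoC.
SAMPLE_LOG = """
{"ts":"2021-07-01T09:00:01Z","src_host":"ws-017","process":"chrome.exe","method":"GET","url":"https://www.example.com/","content_type":"","headers":{}}
{"ts":"2021-07-01T09:00:05Z","src_host":"ws-017","process":"erp-client.exe","method":"POST","url":"https://api.example.com/ws","content_type":"text/xml; charset=utf-8","headers":{"SOAPAction":"urn:example:GetOrders"}}
{"ts":"2021-07-01T09:01:12Z","src_host":"ws-017","process":"updater.exe","method":"POST","url":"http://198.51.100.23:80/","content_type":"text/xml; charset=utf-8","headers":{"SOAPAction":"\\"\\""}}
{"ts":"2021-07-01T09:01:40Z","src_host":"ws-022","process":"svc.exe","method":"POST","url":"http://203.0.113.5/endpoint","content_type":"application/soap+xml","headers":{}}
{"ts":"2021-07-01T09:02:03Z","src_host":"ws-022","process":"agent.exe","method":"POST","url":"http://192.0.2.10/api","content_type":"application/json","headers":{}}
{"ts":"2021-07-01T09:02:30Z","src_host":"ws-022","process":"backup.exe","method":"POST","url":"http://10.0.0.5/backup","content_type":"text/xml","headers":{"SOAPAction":"urn:backup:Run"}}
"""

# Internal SOAP service that is legitimately addressed by IP (assumed).
INTERNAL_SOAP_HOSTS = {"10.0.0.5"}


def main():
    for hit in flag_soap_to_ip(SAMPLE_LOG.splitlines(), allowlist=INTERNAL_SOAP_HOSTS):
        print(f"{hit['ts']} {hit['src']} {hit['process']} -> SOAP POST to IP literal {hit['dst']} ({hit['url']})")


if __name__ == "__main__":
    main()
```

Run against the constructed log, the two SOAP POSTs to external IP literals are reported, while the JSON POST to an IP, the SOAP call to a named host, and the allowlisted internal SOAP service are not. The allowlist matters in practice: some appliances and internal web services are addressed by IP, so the rule is a triage filter to pair with the process name and destination reputation rather than an alert on its own.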