RedLine Malware Steals Sensitive Data and Installs More Malware
Infostealers and the attackers who use them evolve to stay ahead of security measures. They adapt quickly to make the most of new vulnerabilities and techniques, making it hard for defenders to keep up.
Today (7 Nov 2023), researchers from ANY.RUN again observed this stealer in the wild: it steals data, causes financial loss, and targets both business and personal devices.
ANY.RUN is an interactive malware sandbox that lets users analyze a large number of malicious files and links for free.
The rapid evolution of infostealers lets threat actors pursue various illicit goals, from stealing personal data to financial fraud and espionage.
RedLine Stealer is a versatile malware that causes financial loss and data leaks. It targets the healthcare and manufacturing sectors, emerged in March 2020, gained momentum during COVID-19, and still flourishes.
On July 1st, 2021, it was found on a fake website offering privacy tools, but the site only delivered malware.
RedLine Malware
RedLine infostealer steals user data, including passwords, bank cards, and hardware details. It behaves like Raccoon or Pony, enabling file transfers and executing commands; besides this, threat actors deploy it to drop:-
- Ransomware
- RATs
- Trojans
- Miners
RedLine Stealer, easily accessible on underground forums, comes in service and subscription models, priced from $100 to $200.
While not as sophisticated as ransomware, it is high-quality .NET malware written by an experienced programmer. Threat actors constantly update it with secondary payloads and advanced filtering.
Execution Process
The stealer's execution process is usually simple: the main binary takes over, often replacing the parent process or being dropped by another binary.
RedLine begins gathering private data from the infected system when a child process spawns, and delivers it to the Command & Control panel.
After gathering and transmitting data, the stealer terminates; the stolen data is sent in either of the following formats:-
- Non-encrypted
- Base64 encoded
Distribution
Attackers lack creativity in malware delivery, but their tried-and-true methods, like social engineering in email campaigns, fake updates, and spam, are effective.
Besides this, they use various file formats, which are listed below:-
- Office
- RAR and ZIP
- Executable files
- JavaScript
Protecting against RedLine involves vigilance with email attachments and links. Even trusted sources can lead to infection and credential theft.
You can enrich your SIEM and other security systems by integrating IOCs directly from the ANY.RUN sandbox.
Implementing ANY.RUN's Threat Intelligence products is easy. Contact the company's sales team to learn more.
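As an added illustration (not code from the report or from ANY.RUN), the following Python matches constructed proxy log lines against a few indicators taken from the report's IoC list and, for POST bodies, tells plain exfiltration from base64-encoded exfiltration, the two formats the report names. The "METHOD HOST PATH BODY" log format, the sample payloads and the helper names are assumptions.

```python
import base64
import binascii
import re

# Indicator values taken from the report's IoC list (IPs and domains only).
IOC_IPS = {"194.49.94.11", "45.137.22.168", "185.222.58.55"}
IOC_DOMAINS = {"siyatermi.duckdns.org", "raizen.serveftp.com"}

# Constructed sample exfil payloads (fake credentials, not real data).
PLAIN_BODY = '{"user":"alice","pw":"hunter2"}'
B64_BODY = base64.b64encode(PLAIN_BODY.encode()).decode()

# Constructed proxy log in an assumed "METHOD HOST PATH BODY" format.
SAMPLE_LOG = f"""\
POST 194.49.94.11 / {PLAIN_BODY}
POST 45.137.22.168:55615 / {B64_BODY}
GET updates.example.com /check -
POST siyatermi.duckdns.org /api {B64_BODY}
"""

LOG_RE = re.compile(r"^(?P<method>\w+) (?P<host>\S+) (?P<path>\S+) (?P<body>.*)$")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def looks_base64(body: str) -> bool:
    """True when the body is a syntactically valid base64 blob (the encoded exfil case)."""
    if len(body) < 8 or len(body) % 4 or not B64_RE.fullmatch(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error:
        return False
    return True


def classify(line: str):
    """Return {host, ioc_hit, exfil_format} for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = m["host"].split(":")[0]  # drop the port before matching indicators
    hit = host in IOC_IPS or host in IOC_DOMAINS
    fmt = None
    if m["method"] == "POST" and m["body"] != "-":
        fmt = "base64" if looks_base64(m["body"]) else "plain"
    return {"host": host, "ioc_hit": hit, "exfil_format": fmt}


def scan(log: str):
    """Keep only lines whose destination matches a known RedLine indicator."""
    return [r for r in map(classify, log.splitlines()) if r and r["ioc_hit"]]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

In a real pipeline the indicator sets would be refreshed from the sandbox feed rather than hard-coded, and the base64 check is a heuristic that should be paired with the destination match, not used alone.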
IOCs
Source credit: cybersecuritynews.com