Infostealers and the hackers who use them evolve to stay ahead of security measures. They adapt quickly to exploit new vulnerabilities and techniques, making it challenging for defenders to keep up. 

Today(7 Nov 2023), researchers from Any Run saw again its activity that steals data, causes financial loss, and targets both enterprise and personal devices.

EHA

ANY.RUN is an interactive malware sandbox that allows users to analyze an unlimited number of malicious files and links for free.

The rapid evolution of info stealers enables threat actors to target various illicit purposes, from stealing personal information to financial fraud and espionage.

RedLine Stealer is a versatile malware that causes financial loss and data leaks. It targets the healthcare and manufacturing sectors, emerged in March 2020, gained momentum during COVID-19, and still thrives. 

On July 1st, 2021, it was discovered on a deceptive website offering privacy tools, but it only delivered malware.

RedLine Malware

RedLine infostealer swipes user info, including passwords, credit cards, and hardware details. It behaves like Raccoon or Pony, enabling file transfers and executing commands; besides this, threat actors deploy it for:-

  • Ransomware
  • RATs
  • Trojans
  • Miners

RedLine Stealer, easily accessible on underground forums, comes in service and subscription models, priced from $100 to $200.

While not as sophisticated as ransomware, it’s a high-quality .Net malware written by an experienced programmer. Threat actors continuously update it with secondary payloads and advanced filtering.

Execution Process

The stealer’s execution process is usually straightforward, where the main binary takes over, sometimes replacing the parent process or being dropped by another binary.

RedLine starts gathering private information from the infected system when a child process spawns and delivers it to the Command & Control panel.

After gathering and transmitting data, the stealer terminates, and then the stolen info is sent in both the following formats:-

  • Non-encrypted 
  • Base64 encoded

Distribution

Attackers lack creativity in the virus delivery, but their tried-and-true methods, like social engineering in email campaigns, fake updates, and spam, are effective. 

Apart from this, they use various file formats, and here below we have mentioned them:-

  • Office
  • PDF
  • RAR and ZIP
  • Executable files
  • JavaScript

Protecting against RedLine involves vigilance with email attachments and links. Even trusted sources can lead to infection and credential theft.

You can expand your SIEM and other security systems by integrating IOCs directly from ANY.RUN sandbox.

Implementing ANY.RUN’s Threat Intelligence products are simple. Contact the company’s sales team to learn more.

IOCs

IP Addresses:

  • 77.91.68.6A8
  • 155.94.208.76
  • 80.76.51.172
  • 194.49.94.11
  • 185.157.120.4
  • 193.161.193.99
  • 149.202.0.242
  • 5.42.65.101
  • 65.108.69.168
  • 185.215.113.44
  • 94.142.138.4
  • 95.217.14.200
  • 91.103.252.3
  • 147.185.221.180
  • 45.137.22.168
  • 185.222.58.55
  • 185.222.58.238
  • 45.9.20.20
  • 45.150.67.103
  • 217.114.43.193

Hashes:

  • E201E3F7868A2EC461500A812C9A8F3A5F33903E532D3EE379504C6F9A529362
  • 5BC50A23F7FDF3D6D192E5608744F508EA629D1073A28168FEE2E120EA97FBEA
  • 4CDF57094405BC954210BE5C2FEF7C288DA7B9CE7E18B718692E2F49D53291A0
  • DAD3101A9C6306078E8A9533F8FDA092CE4F03DFA873D9B68D67D765DD675E8E
  • D7C5D3CDF0663F63B779AB907A97DF4453A40D35584A13EFBEF77AA4BDB7A1CE
  • 55908054B66A55A322DC132E7B534E816E4139A9C55C9166638AE391B22BD159
  • C290D6DD7997EB32A79CBBCD943C125C0680D5FCA875BE97EFA10071D2AA4916
  • 7561B59E927A93903BB251AE960AD3F92308CA52CC6F085B4268669E84895749
  • C66CA23727683C7F50DE1A826B74603CB54F537191B859C30A1BA19C8AF55E69
  • 5D50A1577EE0791E7ABA6BF8E679B4795D533A3DAA54177CE8A0EC25CC8D3DF2
  • 048321F1318126902A16B2355AD1DE6106FF8E12B0693C004B9B32C5EDE37727
  • D1F956F356ECC94FB6128C489A768830BE48BC7BB163EF7C541369573034DD35
  • C911AC775E74A5D1C218E24CF546A07FCB2E7494AF88F0F7DB723DFABC72D4ED
  • 58CD452EB7E74F0B1AB92544652D5FCD22714438CD0A785F0D747CCF82BD5F98
  • 9ABD0F1BF4E90840B378B72CAE05E7C799A77E92089DA0A1054118F5B6CE9260
  • 15A03ADBC83FE2754E472E8727DEEC51BA44956D9735D68F09341B90519FC51A
  • 68FDADD207C7C2BF63C80DF344230C5DDB732A36009E5A6129D1B0A0A17DB8A1
  • 0B854A34DE71903E3153EFA7516EDA91F3EA16529D839643FD250C81DB78CD34
  • D5B59CA310CB8CF2C43F565D8D74B4484D2A04957258469B4D67ACF3CA045D72
  • DCECE61AED7806CF8292BAABB6FDA7C0BEDCA94B3626F4323B32D5574E11E792

Domains:

  • 4.tcp.eu.ngrok.io
  • 2.tcp.eu.ngrok.io
  • 7.tcp.eu.ngrok.io
  • 6.tcp.eu.ngrok.io
  • 0.tcp.eu.ngrok.io
  • 5.tcp.eu.ngrok.io
  • mydesignht.onthewifi.com
  • 6.tcp.ngrok.io
  • 4.tcp.ngrok.io
  • popshues.top
  • afgantrophy.top
  • vikaneleneer.shop
  • isahelyria.site
  • mcth.xyz
  • copy-marco.gl.at.ply.gg
  • siyatermi.duckdns.org
  • raizen.serveftp.com
  • gbsbreakes.com
  • 0.tcp.in.ngrok.io
  • jul-nelson.gl.at.ply.gg

URLs:

  • http://194.49.94.11/
  • http://45.137.22.168:55615/
  • http://185.222.58.55:55615/
Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.