RedLine Stealer

RedLine Stealer Description

RedLine is the name of a relatively new piece of malware designed to steal data from PC users who happen to get infected with it. The malicious tool is a multi-faceted beast capable of extracting whatever files it comes across on the victims’ FTP servers, web browsers, instant messaging clients, and even cryptocurrency wallets. The RedLine Stealer is subject to active development, gaining new features now and then.

A Two-Pronged Distribution Approach

Although security analysts have only recently seen the RedLine Stealer gaining traction on Russian underground hacking forums, that is not where RedLine first appeared. Instead, the first officially observed RedLine Stealer infections occurred via a spam email campaign. Encompassing thousands of emails, the campaign sought to infect recipients by making them click on an embedded URL that led to the RedLine payload. Each email reportedly came from a Shannon Wilson () who claimed to be working for Mobility Research Inc, a company providing rehabilitation solutions for physically disabled patients. The email, whose subject usually went along the lines of "Please help us with Fighting corona-virus," urged recipients to help the company find a cure for Covid-19 by enrolling in the so-called Folding.@Thome program. For the record, Mobility Research does have a project known as Folding@home, which allows participants to donate computing power for disease research and computational drug design by downloading a particular app.

So, where’s the catch? The catch is in the extra dot and the letter “T” that appear only in the fake “Folding.@Thome” URL in the spam email. When clicking on that fake URL, you wouldn’t land anywhere near the official Mobility Research website. Instead, you’d go straight to the RedLine malware payload stored on BitBucket.

Here is a sample email used in the campaign that distributed the RedLine Stealer:


Image source: Proofpoint

Here is the exact text of the email:

[Quote]
Message
Please help us with Fighting corona-virus
Shannon Wilson [Shannon(et)litegait(dot)com]
Greetings from Mobility Research Inc and Folding.@Thome As we all know, recently corona-virus is becoming a major threat to the human society. We are a leading institution working on the cure to solve this worldwide crisis. However, we need your help. With your contribution, you can speed up our process of finding the cure. The process is very simple, you will need to install an app on your computer, which will allow us to use it to run simulations of the cure. This is totally controllable by you and can be switched on/off when you are comfortable to. This will greatly help us and perhaps stop the corona-virus before it is too late.
Thank you, your Mobility Research Inc and Folding.@Thome
"Download now" Button
[End of Quote]

Like other spam emails, the one outlined above is written in a less-than-savvy and informal register, which calls the sender's authenticity into question even further.
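The near-miss spelling described above ("Folding.@Thome" in place of "Folding@home") is something a mail filter can check for mechanically. The following is an added example, not part of the original article or of any vendor's product; the protected-name list and the distance threshold are assumptions chosen for illustration.

```python
import re

# Assumption: names the mail gateway treats as protected brands.
PROTECTED_NAMES = ["Folding@home"]
# Assumption: edits tolerated before a token stops counting as a lookalike.
MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(text, names=PROTECTED_NAMES, max_distance=MAX_DISTANCE):
    """Return sorted (token, protected_name, distance) for near-miss spellings.

    Case-insensitive exact matches are legitimate mentions and are skipped.
    """
    hits = set()
    for raw in re.split(r"\s+", text):
        token = raw.strip(".,;:!?\"'()[]")  # drop surrounding punctuation only
        if not token:
            continue
        for name in names:
            d = edit_distance(token.lower(), name.lower())
            if 0 < d <= max_distance:
                hits.add((token, name, d))
    return sorted(hits)


# First line is taken from the email quoted on this page; second is constructed.
PHISH = "Greetings from Mobility Research Inc and Folding.@Thome As we all know"
BENIGN = "Join the Folding@home project to donate computing power."

if __name__ == "__main__":
    print(find_lookalikes(PHISH))
    print(find_lookalikes(BENIGN))
```

A hit from this check is a signal to combine with others, such as a link whose host does not belong to the named organization.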

Besides spam, RedLine Stealer appears to have gained notoriety on the dark web, as well. A party going by the name of RedGlade seems to be advertising RedLine for sale in Russian underground forums, offering as many as three pricing options, namely:

  • Lite version ($150.00);
  • Pro version ($200.00);
  • Subscription-based service ($100.00 per month).

The seller has gone to great lengths to provide a detailed overview of what RedLine offers to those willing to purchase the tool. The malware supposedly harvests personal data from Google Chrome, Mozilla Firefox, Torch, Vivaldi, Opera, Yandex, all other Chromium-based web browsers, FTP and IM clients, credit card details, as well as extensive system information — IP, location, login credentials, OS, keyboard layout, directory names or file extensions. The RedLine Stealer can be set to only operate in certain countries while putting others on a blacklist. A feature added later on reportedly allowed RedLine to empty cryptocurrency wallets, too.

How RedLine Works

The RedLine Stealer communicates with a remote command-and-control server via a dedicated WSDL application. Using that server, the hackers in charge can sift through logs, manage downloads, run tasks, and export the data they want.

After performing a thorough analysis of the RedLine Stealer, security researchers have confirmed that the tool’s wide-ranging capabilities are as real as they get. Combined with its relatively low asking price, RedLine's features make this piece of malware a highly severe threat. Overall, the very fact that anyone willing to pay $150-$200 can get their hands on such a tool adds even more to its potency.

In light of its frequent updates, one can assume RedLine's developers will continue expanding the tool's functionality as new targets come along. In this respect, we would hardly be surprised to see RedLine bring secondary malware payloads in due course. Moreover, the threat may linger on for months on end, as long as its Covid-19 disguise does the trick. An increasing number of crooks are using the global coronavirus pandemic as a backdrop to their social-engineering scams, and the trend is unlikely to reverse any time soon.

To date, the RedLine Stealer is very likely to have spread across the globe since it is available to anyone willing to pay the price. That is why no users are exempt from a potential RedLine Stealer infection. To minimize your chances of falling prey to a threat like the RedLine Stealer, make sure to download and install a genuine anti-virus software suite that will protect your system and your data. Also, do not forget to apply the pending updates to all your applications regularly.
