Behaviour Analysis of Redline Stealer

Infostealers occupy a special place among malware, since, with their simplicity, they very effectively cope with their primary tasks: to collect all potentially valuable information in the system, exfiltrate it to the command-and-control server, and then delete themselves and traces of their activities. They are used by both beginners and advanced threat actors, and there are many proposals on hacker forums for every taste, depending on the wallet and needs. Redline Stealer is a relative newcomer to this category, it sells at a high price for infostealer, its authors promise to support the malware and issue regular updates, and so far they have kept their promises.

Redline Stealer was first detected in early March, its analysis revealed that malware authors had created Mystery Stealer in the past and created a new strain based on its code. However, the authors of Mystery did not live up to the trust of their past users, we hope that in this part the story will repeat itself. Redline Stealer is not distinguished by sophistication, the malware does not have any exclusive functionality, its authors did not spend much time obfuscating the code, and nevertheless, it is a rather dangerous tool in the hands of even a novice hacker. Fresh versions of this malware can be little more than common infostealer whose “life” is extremely short: Redline Stealer has the capability of executing commands, downloading files, and periodically sending information about the infected system.

Community Sigma rule by Emir Erdogan enables the detection of Redline Stealer according to its behavior and helps to find infected systems: https://tdm.socprime.com/tdm/info/H7bRC2qQFC6S/1YiQcnQBPeJ4_8xcWcxd/?p=1

 

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

 

MITRE ATT&CK: 

Tactics: Credential Access

Techniques: Credential Dumping (T1003), Credentials in Files (T1081)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.