Investigation into RedLine Stealer
Disclaimer: This is my first try at writing a blog post. I am neither a native English speaker nor do I know what I am doing here ^^
So please keep in mind while reading that feedback is very welcome! :)
As people who follow me on Twitter might have noticed, my investigation into the RedLine Stealer malware has been going on for a while.
With this series of blog-posts I want to publish what I have done so far.
And the best way to start is probably to explain my motivation for this whole story. “I was attacked!” It’s as simple as that. Here is how it happened:
One Friday evening, the 30th of July 2021 to be precise, I received a message from a befriended account on Discord.
Surprised as to why a guy I had only talked to briefly would write to me out of nowhere, I took a look at it.
The message I received looked like this:
Of course we have all seen messages like that before in our lives.
“You will get something for free, there is just a short amount of time, click this totally innocent looking link, please!”
One doesn’t need to be a genius to figure out that this was a phishing attempt.
And indeed, opening the website I was greeted by the following message:
Ok, so someone wants my Steam login credentials in exchange for a supposed free Discord Nitro membership. Good thing I am neither interested in receiving Discord Nitro nor do I want to give away my Steam credentials ^^
So I reported the phishing URL to phishtank.org and Google Safe Browsing, the bit.ly URL to the bit.ly abuse form and that’s it. Nothing fancy here.
At the same time, I received a message on the Discord server from which I knew the person/account that had sent me the phishing attempt, and where he was a known individual.
It was the server owner, warning people that the account in question had started to spam every channel with phishing attempts and that people should take care. Of course, the account in question was banned from the server for said actions.
This got me thinking. How was this guy compromised? Who hacked him? What was the story behind it?
Unexpectedly I got a possible answer the next day. Another message by the compromised account arrived in my inbox:
This message immediately alerted me, as it was quite different from the first one. No phishing attempt this time, but a password-protected .zip file which had been uploaded to the popular file sharing service mega.nz.
And as the “#” sign followed by the combination of letters and numbers showed me, it was not publicly available but only reachable through this exact link. It just had to be malware.
So I copied the link into my VM, opened it and downloaded the .zip file.
And sure enough, after unpacking it, I was rewarded with a single Windows PE32 executable.
Uploading the file to VirusTotal yielded only one AV vendor flagging it as malicious. But that was enough for me to confirm my suspicions.
Link to the malicious executable:
https://www.virustotal.com/gui/file/98eb175288169d40f19714a6e82c7995fbab617bf35920d6d86ee8e2b456b374
To further investigate the executable, I uploaded it to unpac.me.
For those of you who don’t know, unpac.me is an awesome service by OpenAnalysis for unpacking obfuscated malware binaries. It will play a huge role in a later episode of this series of blog posts.
And sure enough, the threat actor who tried to infect me had used some method to pack the malware before sending it to me. This also explains the low detection rate on VirusTotal at that time.
If you don’t know what packers, crypters and protectors are, here is a short article by Malwarebytes explaining their use in a few sentences:
https://blog.malwarebytes.com/cybercrime/malware/2017/03/explained-packer-crypter-and-protector/
The result from unpac.me looked as follows:
Spoiler: The sample we are looking for is the one with the SHA-256 hash:
0193e29baf9746fc70bb078b954de75153adb46cb93f9342f059bf8adab98040
Although AV products seem to be quite bad at calling malware by its name, and rather choose such helpful descriptions as “Gen:NN.ZemsilCO.34170.gm0@amf0o0f” or “BehavesLike.Win32.Generic.cm”, some vendors, like Microsoft for example, were actually able to point me to the right malware:
Microsoft: PWS:MSIL/RedLine.GG!MTB
Or in simpler words, the malware we are dealing with is the RedLine password stealer.
As mentioned before, I believe this already gives us a good indication of why the threat actor had access to the Discord account, which out of nowhere started to send me these rogue messages.
One of the known capabilities of the RedLine stealer malware is stealing people’s Discord tokens, which in turn enables an attacker to get full control over the compromised Discord accounts.
So my theory is that the actor behind the RedLine campaign in question used RedLine to steal people’s credentials and then accessed the stolen Discord accounts to further expand his campaign and hack even more people.
After sending me the malware, the compromised account went on sending several more phishing links during the next days, all leading to scam pages that in turn would ask for Steam credentials.
Of course, I reported all of them to the services where I reported the first link too.
After 6 days, the Discord account went dark. I have so far never heard again from the person that was compromised or from the threat actor abusing his account.
Stay tuned for part 2, where I am going to do a technical breakdown of the inner workings of RedLine stealer and try to uncover where my information would have gone if I had executed the malware blindly.
IoCs for part 1 of this series:
Phishing related:
- https://stearncommuty[.]com/tradeoffer/new/?partner=382196047&token=CvbFQ3-q
- https://discord-nitrogift[.]com/
- https://giftsdiscord[.]ru/giveaway/nitro
- https://nitro-gift[.]fun/
- https://mythicfights[.]xyz/reff/kGJe923fjF3
- https://steamcommunity[.]link/tradeoffer/new/?partner=315945146&token=9jYarSCs
- https://giveawayd[.]shop/giftdiscordnitro
- https://steamcomrninuty[.]ru/id/76561198380654671
- http://steamcomrninuty[.]ru/giveaway/nitro
- https://mythicfights[.]xyz/discord-gift
- https://giftsdiscord[.]com/airdrop/nitro
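An added example, not part of the original post: the Steam lookalikes in the list above (stearncommuty, steamcomrninuty) replace "m" with "rn", a homoglyph trick that a plain substring match for "steamcommunity" misses. The script below refangs the listed URLs, normalises such look-alike sequences and scores each hostname by its edit distance to the brand labels it imitates. The brand labels, the allow-list of legitimate domains, the homoglyph table and the distance threshold are my assumptions for illustration; the IoC list itself is copied from the post.

```python
"""Score defanged phishing URLs for brand impersonation (added example).

The brand labels, legitimate-domain allow-list, homoglyph table and the
flagging threshold are assumptions chosen for this illustration.
"""
from urllib.parse import urlsplit

# Brand labels the phishing pages in the post imitate (assumed list).
BRAND_LABELS = ("steamcommunity", "discord", "nitro")

# Registered domains that legitimately carry those labels (assumed list).
LEGIT_DOMAINS = {"steamcommunity.com", "discord.com", "discord.gift", "discordapp.com"}

# Character sequences that render like another character in common fonts,
# the trick behind "stearncommuty" and "steamcomrninuty".
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o"))

# Phishing IoCs copied from the post, still defanged.
PHISHING_IOCS = [
    "https://stearncommuty[.]com/tradeoffer/new/?partner=382196047&token=CvbFQ3-q",
    "https://discord-nitrogift[.]com/",
    "https://giftsdiscord[.]ru/giveaway/nitro",
    "https://nitro-gift[.]fun/",
    "https://mythicfights[.]xyz/reff/kGJe923fjF3",
    "https://steamcommunity[.]link/tradeoffer/new/?partner=315945146&token=9jYarSCs",
    "https://giveawayd[.]shop/giftdiscordnitro",
    "https://steamcomrninuty[.]ru/id/76561198380654671",
    "http://steamcomrninuty[.]ru/giveaway/nitro",
    "https://mythicfights[.]xyz/discord-gift",
    "https://giftsdiscord[.]com/airdrop/nitro",
]


def refang(ioc: str) -> str:
    """Turn a defanged IoC such as hxxps://evil[.]com back into a real URL."""
    return (ioc.replace("[.]", ".").replace("(.)", ".")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def host_of(url: str) -> str:
    """Hostname of a (possibly defanged) URL, or '' if it has none."""
    return urlsplit(refang(url)).hostname or ""


def normalize_homoglyphs(label: str) -> str:
    """Collapse look-alike sequences so 'stearn' compares as 'steam'."""
    for look_alike, real in HOMOGLYPHS:
        label = label.replace(look_alike, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_score(host: str, normalize: bool = True):
    """Return (brand, distance) for the closest brand label in any DNS label
    or hyphen-separated part of the host. Distance 0 means the brand name
    appears verbatim (discord-nitrogift.com); a small distance is a typosquat."""
    best = (None, 99)
    for label in host.lower().split("."):
        if normalize:
            label = normalize_homoglyphs(label)
        for part in label.split("-"):
            for brand in BRAND_LABELS:
                d = 0 if brand in part else levenshtein(part, brand)
                if d < best[1]:
                    best = (brand, d)
    return best


def classify(url: str, max_distance: int = 2, normalize: bool = True) -> dict:
    """Flag a URL whose host imitates a brand but is not a legitimate domain."""
    host = host_of(url)
    brand, dist = lookalike_score(host, normalize)
    registered = ".".join(host.split(".")[-2:])  # crude eTLD+1, fine for these IoCs
    flagged = registered not in LEGIT_DOMAINS and dist <= max_distance
    return {"host": host, "brand": brand, "distance": dist, "flagged": flagged}


if __name__ == "__main__":
    for ioc in PHISHING_IOCS:
        r = classify(ioc)
        mark = "FLAG" if r["flagged"] else "    "
        print(f"{mark} {r['host']:<24} closest={r['brand']} d={r['distance']}")
```

Without the homoglyph normalisation, steamcomrninuty scores a distance of 4 from steamcommunity and slips under a threshold of 2; with it the distance drops to 2. The generic hosts (mythicfights[.]xyz, giveawayd[.]shop) stay unflagged either way, which is the caveat: edit-distance scoring catches the typosquats, but it does not replace reporting the URLs themselves, as described in the post.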
Images used to improve the phishing quality:
Malware related:
SHA-256:
- 98eb175288169d40f19714a6e82c7995fbab617bf35920d6d86ee8e2b456b374
- 0193e29baf9746fc70bb078b954de75153adb46cb93f9342f059bf8adab98040
- 9789a5b8a43253965cf343cb27a5ed89be6b1c2c33c80c44c3a08340395e17c1
- dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
- 450ce2a8bdc9d30aed3cce8f7635ef066f609170a2e799a0cac1588111c013fb
Mega.nz-Link (already taken down!):
- https://mega[.]nz/file/dDJiyLyR#1c7ijOlbr65hdGSeEr12ehf4G2sqs29hlYlEeyCqFXM