Executive Summary 

Redline Stealer, which is currently being distributed, has changed the C2 communication method and the way of delivering the collected information from the previous Redline Stealer, but the overall execution flow is the same. 

Redline Stealer has hard-coded encoded data such as C2 Server IP and Unique ID, and the XOR Key required to decode this data. When Redline is executed, the value is extracted first. After that, the information is collected and leaked by referring to the configuration data received from the C2 server, and the collected information is composed of Environment Details and Credential Details. The collected information includes system information, browser credentials, crypto wallet information, FTP information, Telegram and Discord information, etc.

After collecting and leaking information, Redline Stealer also has the ability to download executable files and perform additional malicious actions.

Introduction of Rediline Stealer

Since its release in February 2020, Redline Stealer has been delivered through various channels. Redline Stealer is mostly distributed through Phishing Emails or malicious software disguised as installation files such as Telegram, Discord, and cracked software. However, recently, Phishing Link that downloads Chrome Extension containing Redline Stealer by abusing YouTube Video Description and Google Ads is utilized, or Python Script that runs Redline Stealer through FTP is being distributed. 

According to BleepingComputer released in October 2020, Redline Stealer was distributed through malicious links posted on YouTube Video Description related to free downloading of specific utility. 

☑️ Click here to learn more