[Report] Deep Analysis of Redline Stealer: Leaked Credential with WCF
Date 2022. 03. 03
Redline Stealer, which is currently being distributed, has changed its C2 communication method and the way it delivers the collected information compared with the previous Redline Stealer, but the overall execution flow is the same.
Redline Stealer carries hard-coded encoded data such as the C2 server IP and a Unique ID, together with the XOR key required to decode that data. When Redline is executed, these values are decoded first. The malware then collects and leaks information according to the configuration data received from the C2 server. The collected information is composed of Environment Details and Credential Details, and includes system information, browser credentials, crypto wallet information, FTP information, Telegram and Discord information, etc.
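The report states that the C2 address and Unique ID are stored XOR-encoded beside their key and are decoded at start-up. The following is an added analyst-side illustration, not code from the report or from the malware, of how a configuration extractor recovers such fields for detection use. The field layout, the key `ExampleKey`, and the encoded sample values are all assumptions constructed for this example; the real on-disk layout must be taken from the sample under analysis.

```python
# Added illustration: repeating-key XOR decoding of embedded configuration
# fields (C2 address, Unique ID) of the kind the report describes. The field
# layout is an assumption made for this example; the sample data below is
# constructed by XOR-encoding known plaintext and is not from a real sample.

def xor_decode(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, cycling the key as needed."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_encode(plaintext: bytes, key: bytes) -> bytes:
    # XOR is symmetric; this is only used to build the constructed sample.
    return xor_decode(plaintext, key)


ASSUMED_KEY = b"ExampleKey"  # placeholder; a real key comes from the analysed binary

# Constructed sample: the two fields as an analyst would carve them out.
SAMPLE_CONFIG = {
    "C2": xor_encode(b"192.0.2.10:1912", ASSUMED_KEY),  # RFC 5737 test address
    "ID": xor_encode(b"build-001", ASSUMED_KEY),
}


def extract_config(encoded_fields: dict, key: bytes) -> dict:
    """Decode every field; a field that does not decode to printable ASCII is
    reported as None, which is the usual symptom of a wrong key."""
    out = {}
    for name, blob in encoded_fields.items():
        raw = xor_decode(blob, key)
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            text = None
        out[name] = text if text is not None and text.isprintable() else None
    return out


def c2_indicator(config: dict):
    """Split the decoded C2 field into (host, port) for a blocklist or network rule."""
    c2 = config.get("C2")
    if not c2 or ":" not in c2:
        return None
    host, _, port = c2.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


if __name__ == "__main__":
    cfg = extract_config(SAMPLE_CONFIG, ASSUMED_KEY)
    print(cfg)
    print(c2_indicator(cfg))
    # With the wrong key the C2 field comes back as None instead of garbage.
    print(extract_config(SAMPLE_CONFIG, b"wrongkey"))
```

The printable-ASCII check is what makes the extractor useful in bulk: a decoded field that fails it signals a key mismatch or a changed layout rather than silently producing a bogus indicator.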
After collecting and leaking information, Redline Stealer also has the ability to download executable files and perform additional malicious actions.
Introduction of Redline Stealer
Since its release in February 2020, Redline Stealer has been delivered through various channels. It is mostly distributed through phishing emails or malicious software disguised as installers for programs such as Telegram and Discord, or as cracked software. More recently, phishing links that download a Chrome extension containing Redline Stealer have been spread by abusing YouTube video descriptions and Google Ads, and Python scripts that fetch and run Redline Stealer over FTP are also being distributed.
According to a BleepingComputer report from October 2020, Redline Stealer was distributed through malicious links posted in YouTube video descriptions related to free downloads of specific utilities.