
- 172/2022
- Critical
RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.
RedLine Stealer is a malware-as-a-service credential stealer targeting Windows operating systems, capable of stealing credentials from web browsers, files, and FTP applications. RedLine also collects extensive system survey information such as desktop screenshots, the username, the OS, installed software, a process listing, and IP addresses.
The malware can download and launch additional payloads or remote command shells so that the attacker can maintain access to their victims.
RedLine Stealer has been advertised for sale on the dark web and underground forums.
Stealer Functionality:
- Collects from browsers:
  - Logins and passwords.
  - Cookies.
  - Autocomplete fields.
  - Credit cards.
- Supported browsers:
  - All Chromium-based browsers (including the latest version of Chrome).
  - All Gecko-based browsers (Mozilla, etc.).
- Malware capabilities:
  - Download and execute files.
  - Execute commands from the command line.
  - Encrypts data with AES.
  - Capture cryptocurrency wallets.
  - Virtualization detection and evasion.
  - Capture system information.
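The browser collection described above is what a defender can watch for: the saved-login and cookie stores of Chromium- and Gecko-based browsers are ordinary files, and only the browser itself should normally open them. The following is an added example (not tooling from the advisory or from EG-FinCIRT) that runs that check over a constructed, simplified file-access feed. The record keys `process`, `path` and `user`, the process image allowlist, and the `svc_host.exe` sample are assumptions; the credential-store file names are the standard ones used by Chrome/Edge/Brave and Firefox.

```python
"""Flag non-browser processes reading browser credential stores.

Added example, not part of the EG-FinCIRT advisory. SAMPLE_RECORDS is a
constructed, simplified file-access audit feed (not a real Sysmon or Windows
Security event schema); map your EDR or audit fields onto the same three keys.
"""
import ntpath
import posixpath

# Files in which Chromium- and Gecko-based browsers keep saved logins, cookies
# and autofill data: exactly the categories RedLine is reported to collect.
CREDENTIAL_STORE_FILES = {
    "login data",      # Chromium saved passwords (SQLite)
    "cookies",         # Chromium cookies (SQLite)
    "web data",        # Chromium autofill and payment data
    "logins.json",     # Firefox saved logins
    "key4.db",         # Firefox key database protecting logins.json
    "cookies.sqlite",  # Firefox cookies
}

# Process images expected to open those files. Assumption: adjust to the
# browsers actually deployed in your environment.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


def basename(path: str) -> str:
    """Final path component for either a Windows or a POSIX path."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)


def flag_credential_store_access(records):
    """Return the records in which a non-browser process opened a credential store.

    Each record is a dict with 'process' (image path), 'path' (file opened)
    and 'user'. Matching is case-insensitive on both the file and the image.
    """
    alerts = []
    for rec in records:
        target = basename(rec["path"]).lower()
        if target not in CREDENTIAL_STORE_FILES:
            continue
        proc = basename(rec["process"]).lower()
        if proc in EXPECTED_PROCESSES:
            continue
        alerts.append({**rec, "reason": f"{proc} read browser store {target!r}"})
    return alerts


# Constructed sample feed: one benign browser access, two reads of credential
# stores by an unknown binary dropped in %TEMP%, and one unrelated file access.
SAMPLE_RECORDS = [
    {"user": "alice",
     "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"user": "alice",
     "process": r"C:\Users\alice\AppData\Local\Temp\svc_host.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"user": "alice",
     "process": r"C:\Users\alice\AppData\Local\Temp\svc_host.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"user": "alice",
     "process": "/usr/bin/vim",
     "path": "/home/alice/notes.txt"},
]

if __name__ == "__main__":
    for alert in flag_credential_store_access(SAMPLE_RECORDS):
        print(alert["user"], alert["reason"])
```

On the sample feed the benign Chrome access and the text-editor access are ignored and the two reads by the binary in `%TEMP%` are returned. Backup agents and legitimate password-sync tools will also touch these files, so the allowlist is the place to tune the rule rather than the file list.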
Note that the IOCs for this malware are dynamic and may change over time; therefore, immediate action must be taken.
Indicators of Compromise
Indicators of compromise will be shared with EG-FinCIRTs’ constituents.
Mitigations
- Search for existing signs of the indicated IOCs in your environment.
- If remote access is required, use a VPN with vendor best practices, multi-factor authentication, password audits, precise access control, and active monitoring of remote accesses.
- Users logged into remote access services should have limited privileges for the rest of the corporate network.
- Activate security configurations on network infrastructure devices such as firewalls and routers.
- Ensure anti-virus software and associated files are up to date.
- Implement application whitelisting, which only allows systems to execute programs known and permitted by the organization’s security policy.
- Back up your data using different backup destinations, including tape drives.
- Disable unused remote access ports and monitor remote access logs for unusual activity.
- Install updates/patches on operating systems, software, and firmware as soon as updates/patches are released.
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
- Disable browser ‘Save Password’ functionality.
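The first mitigation, searching the environment for the indicated IOCs, is the one most constituents will script. Below is an added example (not EG-FinCIRT tooling) of a file-hash sweep: it walks a directory tree, hashes each file in chunks, and reports any file whose SHA-256 appears in the indicator set. The `PLACEHOLDER_IOC_SHA256` entry is an obvious placeholder, because the advisory distributes its real indicators only to constituents; the demo tree and its `update.exe` artefact are constructed for the example.

```python
"""Sweep a directory tree for file-hash indicators of compromise.

Added example, not the advisory's own tooling. Replace PLACEHOLDER_IOC_SHA256
with the hashes from the EG-FinCIRT IOC feed before running against real hosts.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so large files are not read into memory


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, ioc_hashes):
    """Return (path, sha256) for every file under root whose hash is an IOC.

    Unreadable files (permission errors, files removed mid-walk) are skipped
    rather than aborting the sweep, since a running stealer may hold locks on
    its own artefacts; log those paths separately in a real deployment.
    """
    wanted = {h.lower() for h in ioc_hashes}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


# Placeholder: an all-zero digest that matches nothing real. Replace with the
# SHA-256 values from the EG-FinCIRT IOC feed.
PLACEHOLDER_IOC_SHA256 = {"0" * 64}


def build_demo_tree():
    """Create a constructed sample tree in a temp dir: one benign file and one
    file standing in for a dropped binary. Returns (root, sha256 of bad file)."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_demo_")
    bad = b"constructed sample artefact - stands in for a dropped binary"
    temp_dir = os.path.join(root, "AppData", "Local", "Temp")
    os.makedirs(temp_dir)
    with open(os.path.join(temp_dir, "update.exe"), "wb") as f:
        f.write(bad)
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"benign file")
    return root, sha256_of_bytes(bad)


def run_demo():
    """Build the constructed tree and sweep it with the placeholder set plus the
    demo file's own hash. Returns (hits, bad_hash)."""
    root, bad_hash = build_demo_tree()
    return sweep(root, PLACEHOLDER_IOC_SHA256 | {bad_hash}), bad_hash


if __name__ == "__main__":
    hits, _ = run_demo()
    for path, digest in hits:
        print("IOC match:", path, digest)
```

Hash matching only catches samples identical to those in the feed; because the advisory notes that RedLine's indicators change over time, pair this sweep with the network and behavioural checks from the rest of the list rather than relying on it alone.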
References
Egyptian Financial Computing Incident Response Team (EG-FinCIRT)