Skip Navigation
BlackBerry Blog

Threat Thursday: RedLine Infostealer Update

Summary

RedLine infostealer is a popular malware family distributed predominantly via phishing email campaigns. Our initial Threat Thursday blog for RedLine highlighted the dangers and capabilities of this threat. Recent analysis of the malware family has identified a significant update to its command-and-control (C2) communication mechanism.

Initially, RedLine infostealer implemented SOAP (Simple Object Access Protocol) over HTTP, but we have discovered that more recent samples implement SOAP data over Net.TCP Port Sharing Protocol instead. This update makes it more difficult to identify and understand communication data being exchanged between a victim and the malware’s C2 servers.

Operating System

Risk & Impact

Technical Analysis

In the wild since 2020, RedLine has become a more prevalent threat since April 2021. Though the core mechanisms of RedLine are largely the same, the difference between previous RedLine samples and the current versions are primarily related to changes in its transport mechanism.

RedLine’s recent switch from HTTP to Net.TCP C2 communication was likely made to thwart initial packet analysis and inspection of the malware’s C2 interactions, by both human and automated network packet-filtering systems. By using Net.TCP, the threat makes its traffic more difficult to identify as malicious, so that it can carry out its activities more effectively.

When analyzing Simple Object Access Protocol (SOAP) over HTTP, data data is formatted in a way that makes it more human-readable, as shown in Figure 1. Because newly observed samples of RedLine no longer use HTTP, the data structures appear significantly different.

Figure 1: Differences between previous and current RedLine samples

Connecting to C2 Server with Net.TCP

The Net.TCP protocol is based on MC-NMF (.NET Messsage Framing) Protocol. NMF is a mechanism for framing messages, specifically SOAP messages like those used in RedLine. MC-NMF is a highly flexible protocol that is ideal for bidirectional messaging. This can be abused by RedLine to both send and receive communications from a victim device.

Specifications for the protocol are available on the Microsoft web site. Based on the information in the specification sheet, the initial packet (Figure 2) is interpreted as shown in the next table below.

Figure 2: Initial request

Once dynamically executing on a victim’s device, RedLine will make an initial request to its malicious infrastructure. As the malware uses MC-NMF, the packets it sends to the C2 are structured as follows:

Index

Byte Data

 

0x0

0x00

This is a Version Record format

0x1

0x01

Major Version

0x2

0x00

Minor Version

0x3

0x01

This is a Mode Record format

0x4

0x02

Duplex mode

0x5

0x02

This is a Via Record format

0x6

0x1D

URI length

0x7 – 0x23

0x6E – 0x2F

URI (net[.]tcp://45[.]132[.]104[.]3:52352/)

0x24

0x03

This is a Known Encoding Record format

0x25

0x08

Use Binary Dictionary as specified in MC-NBFSE


If the C2 server accepts the request, it responds in the form of an acknowledgement (Ack) packet. In MC-NMF, this done via a Preamble Ack Record.

A Preamble Ack Record is a Property Record that is sent to indicate receipt of the Preamble End Record. This indicates that all messages have been successfully sent.

The packet just contains [0xb], which is a Preamble Ack Record, as shown in Figure 3. By receiving this data, RedLine is ready to send/receive binary-translated SOAP data.

Figure 3: Preamble Ack Record

C2 Communication with Binary-Translated SOAP

In addition to using MC-NMF, RedLine also uses a wide-range of other Net.TCP protocols to carry out its malicious communications.

Protocol Name

Descripption

MC-NBFSE

.NET Binary Format: SOAP Extension

MC-NBFS

.NET Binary Format: SOAP Data Structure

MC-NBFX

.NET Binary Format: XML Data Structure


By using these protocols, RedLine can efficiently encode common strings for the SOAP protocol data. The malware can also eliminate duplicate strings using such protocols. This reduces the size of its packets when communicating between C2 server and victim, which minimizes the footprint of the malware.

Once a session is established, we can analyze the communication between C2 server and victim. In the following sections, we show C2 communication for initialization with binary-translated SOAP data. This table contains the SOAP request and response, as well as its related functionality.

SOAP Request

SOAP Response

Functionality

CreateSequence

CreateSequenceResponse

Create session

CheckConnect

CheckConnectResponse

Start C2 communication with session

EnvironmentSettings

EnvironmentSettingsResponse

Select scanning targets

Init

InitResponse

Send basic information on victim environment


CreateSequence

After RedLine has established a Net.TCP session, it sends binary data translated from SOAP data as shown in Figure 4.

Figure 4: Binary-translated SOAP request

Based on MC-NBFSE, MC-NBFS, MC-NBFX and MC-NMF specifications, the binary can be translated to SOAP data.

In this case, its C2 server address is net[.]tcp://45[.]132[.]104[.]3[:]52352

Following on from that, we can further analyze the SOAP data. Figure 5 goes into more detail of this for the “CreateSequence".

Figure 5: Translating CreateSequence

  • The very first byte of data is [0x06]. It means this packet format is “Sized Envelope Record,” according to MC-NMF.
  • The next data [0x77] is total data size.
  • The following data is the payload of Sized Envelope Record, according to MC-NMF. The format is based on MC-NBFSE because RedLine specified it when the net.TCP connection was established.
  • Then it shows the total string size [0x1e] for user registered strings, based on MC-NBFSE.
  • The next data is the first registered string data size [0x1d] and the following data is the registered string itself, which is the C2 server address, in this case.

The data that follows is SOAP data, as shown below.  

Figure 6: Create sequence (SOAP)

To create a connection between the victim and the C2 server, a handshake must be completed before malicious activities can proceed, similar to a traditional HTTP handshake. This is initiated with the creation of a “CreateSequence” request.

“CreateSequence” makes an ID to maintain the following C2 communication. The request contains two important parameters.

  • There is a C2 server address in “<a:To>” tag (net[.]tcp://45[.]132[.]104[.]3:52352/).
  • The value of “<Identifier>” tag is used by an Ack message such as “SequenceAcknowledgement.” We will refer the value as “session identifier” in this report.

The response data is also binary. The binary format and SOAP format are shown in Figure 7.  The response contains an important parameter.

The “Main Identifier” related to the value of the “<Identifier>” tag is an important parameter, and RedLine uses it for the ensuing C2 communication. For clarity, we will refer to the value as “main identifier” in this report.

Figure 7: Create sequence response (binary and SOAP)

CheckConnect

CheckConnect confirms that both sides have a valid session. Figure 8 shows “CheckConnect” request. It contains two important parameters.

  • The “main identifer” value in the “<r:Reason>” tag and the “<r:Sequence>” tag.
  • The value of “<r:MessageNumber>” tag. It increments the value if it sends a request with “main identifier” value.

Once the request is accepted, RedLine receives “CheckConnectResponse” response as shown in Figure 9.

Figure 8: Check connection request (binary and SOAP)

Figure 9: Check connect response (binary and SOAP)

RedLine sends a “SequenceAcknowledgement” request to the C2 server when it receives response data like “CheckConnectResponse.” This notifies the C2 server that the previous communication succeeded. As shown in Figure 10, it contains “Session Identifier.”

In addition, there is an “<r:AcknowledgementRange>” tag, and its “Upper” attribute is incremented when it sends a “SequenceAcknowledgement” request to the C2 server.

If the parameter’s integrity is broken, the ensuing communication will fail.

Figure 10: Sequence acknowledgement (binary and SOAP)

EnvironmentSettings

After “CheckConnect,” an “EnvironmentSettings” request is sent to the C2 server. Once received, the malware will send an “EnvironmentSettingsResponse” containing core information for infostealer functionality.

BlockedCountry

RedLine has notable functions named “BlockedCountry” and “BlockedIP” tags, which contain country names and IP addresses. During analysis, the sample avoids infecting machines in the following Eastern European nations:

RU

Russia

 AZ

Azerbaijan

UA

Ukraine

 MD

Moldova

BY

Belarus

 UZ

Uzbekistan

KZ

Kazakhstan

 TM

Turkmenistan

TJ

Tajikistan

 AM

Armenia

KG

Kyrgyzstan

 

 


The response also has a target list which contains information that RedLine collects. The malware gathers information from web browsers, file transfer protocol (FTP) clients, instant messengers (IM), cryptocurrency wallets, VPN services, and gaming clients.

RedLine searches for the following Chrome browser directories, which contain login credentials, browser cookies, auto-fill information, and credit card details.

%USERPROFILE%\AppData\Local\Battle.net

%USERPROFILE%\AppData\Local\Chromium\UserData

%USERPROFILE%\AppData\Local\Google\Chrome\User Data

%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data

%USERPROFILE%\AppData\Roaming\Opera Software\

%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus

%USERPROFILE%\AppData\Local\Iridium\User Data

%USERPROFILE%\AppData\Local\7Star\7Star\User Data

%USERPROFILE%\AppData\Local\CentBrowser\User Data

%USERPROFILE%\AppData\Local\Chedot\User Data

%USERPROFILE%\AppData\Local\Vivaldi\User Data

%USERPROFILE%\AppData\Local\Kometa\User Data

%USERPROFILE%\AppData\Local\Elements Browser\User Data

%USERPROFILE%\AppData\Local\Epic Privacy Browser\User Data

%USERPROFILE%\AppData\Local\uCozMedia\Uran\User Data

%USERPROFILE%\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer

 

This threat also looks for this same information in the following Gecko browser directories.

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox

%USERPROFILE%\AppData\Roaming\Waterfox

%USERPROFILE%\AppData\Roaming\K-Meleon

%USERPROFILE%\AppData\Roaming\Thunderbird

%USERPROFILE%\AppData\Roaming\Comodo\IceDragon

%USERPROFILE%\AppData\Roaming\8pecxstudios\Cyberfox

%USERPROFILE%\AppData\Roaming\NETGATE technologies\Blackhaw

%USERPROFILE%\AppData\Roaming\Moonchild Productions\PaleMoon

 

It also searches for the presence of Discord, FTP clients, and files related to cryptowallets.

%userprofile%\Desktop|*.txt,*.doc,*key*,*wallet*,*seed*|0

%userprofile%\Documents|*.txt,*.doc,*key*,*wallet*,*seed*|0

 

Init

The “Init” request contains basic information on victim environments, such as:

  • IP address
  • OS version
  • Machine name
  • Screen resolution

As shown in Figure 11, the value of “ReleaseID” comes from embedded encrypted strings, as shown in Figure 12. 

Figure 11: Init (SOAP)

Figure 12: Embedded Encrypted Strings

What Happens After Initialization

After “InitResponse,” RedLine sends information containing details from the victim environment to the C2 server.

In our previous RedLine blog, we described what information the malware collects. There are slight differences in this newer version. Table 2 contains details of the following updated C2 communication.

New SOAP Request

New SOAP Response

Functionality

PartSteamFiles

PartSteamFilesResponse

Same as previous version

PartBrowsers

PartBrowsersResponse

Same as previous version

PartLanguages

PartLanguagesResponse

Send language setting

PartDiscord

PartDiscordResponse

Same as previous version

PartProcesses

PartProcessesResponse

Send running process name, command line and process ID

PartDefenders

PartDefendersResponse

Send antivirus product, anti-spyware product and firewall product

PartInstalledSoftwares

PartInstalledSoftwaresResponse

Send installed software Information

PartNordVPN

PartNordVPNResponse

Same as previous version

PartOpenVPN

PartOpenVPNResponse

Same as previous version

PartProtonVPN

PartProtonVPNResponse

Same as previous version

InitDisplay

InitDisplayResponse

Send screenshot of victim environment

PartFtpConnections

PartFtpConnectionsResponse

Same as previous version. There is no function for WinSCP.

PartHardwares

PartHardwaresResponse

Send CPU, graphic card and RAM information.

PartColdWallets

PartColdWalletsResponse

Same as previous version

PartInstalledBrowsers

PartInstalledBrowsersResponse

Same as previous version

Confirm

ConfirmResponse

It does not contain interesting information

Getupdates

GetupdatesResponse

The response contains URLs for additional payloads

VerifyUpdate

VerifyUpdateResponse

The base structure is like Getupdates. It adds "updateId" tag.

LastMessage

End of communication

 

Additional Payloads from RedLine C2 Server 

BlackBerry has monitored RedLine C2 activity continuously, and we have observed the malware aiding other malware families once it’s installed on a compromised victim’s device.

With a strong focus on cryptocurrency coin miners, a lot of RedLine’s IOCs are strongly linked to and used by other malware and malware families such as:

  • XMRig
  • EthMiner
  • Amadey
  • DCRAT
  • BitRAT
  • Clipper
  • Fabookie
  • Remcos
  • Async_RAT

Conclusions

The popularity of RedLine continues to grow, and the malware is clearly still in development. Though the malicious capabilities have remained the same, the malware no longer uses SOAP over HTTP and instead uses binary-translated to SOAP over Net.TCP protocol.

This evolution makes the data exchanged between the malicious C2 traffic and the victim more difficult to analyze and detect, as the data is no longer human-readable.

YARA Rule

The following YARA rule was authored by the BlackBerry Research & Intelligence Team to catch the threat described in this document:

rule Mal_InfoStealer_Win32_Redline_Stealer_Update_Unobfuscated_2021
{
    meta:
        description = "Redline Stealer which uses MC-NBFSE, MC-NBFS, MC-NBFX and MC-NMF"
        author = "BlackBerry Threat Research Team"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        date = "2021-10"
    strings:
        $str1 = "NetTcpBinding"
        $str2 = "CheckConnect"
        $str3 = "EnvironmentSettings"
        $str4 = "Init"
        $str5 = "GetUpdates"
        $str6 = "IRemoteEndpoint"
        $str7 = "TaskID"
        $str8 = "ReleaseID"
        $str9 = "ScanDetails"
        $str10 = "InstalledBrowsers"
        $str11 = "FtpConnections"
        $str12 = "ScanBrowsers"
        $str13 = "ScanFiles"
        $str14 = "ScanFTP"
        $str15 = "ScanWallets"
        $str16 = "ScanScreen"
        $str17 = "ScanTelegram"
        $str18 = "ScanVPN"
        $str19 = "ScanSteam"
        $str20 = "ScanDiscord"
        $str21 = "ScanFilesPaths"
        $str22 = "BlockedCountry"
        $str23 = "BlockedIP"
    condition:
        uint16(0) == 0x5a4d and
        all of ($str*)
}

 

Indicators of Compromise (IoCs)

RedLine Infostealer (SHA256) Examples:

  • 770e6bbe4c4f4e7abfbb4a533d28f8e44c5a374aa05dc3c333d7f15594e217e7
  • 5bb7ab8d474109d82d8dfa3aae223df280517fe425a54d33d16ef5d00d49fcc1
  • 6455dd7f5e772aaf3e1ebb9ff72fff2269f42748d08c9f0671e63511dcfefd63
  •  
  • e7d036c77c92bcc5773be4c2f4b4476282f36c0c05f45ab5b3bf2d275270cf06
  • 98df2ce04f9b2324616e132fdf489b40d2b6c9f370fd27249bce6f83c734bcc5
  • dc540ee7a17ec9ffdad1cb751684bdc1511779d98385a21d8b9942b492d9c033
  • 3d43207b1a548897c03fecb53ee1f988ff3f8ddc19418eb13eae6c7eba1957cf
  • 89af061e5a63e1a88157f49908904141bc996a38be297435f8cc8de878c3b20c
  • 35c5fd5a98bfd695a904fe9291191f458967c5a1c41163b3c935ccc1d6890594
  • f09bd7803716e46a000b14a9ed21108a6d7c332df032116d52a609431d9d047b
  • d7af5b4a275066da1736f42a0ee09d5d02e3153f9ca0d961aab714f8d419e751
  • 6efdc5392d11ee5f4de7c1702faf89a0de891437a0ccee1f048d05ed3cc1d880
  • 6eb2e477f6322bfb86ba48bff79a85256f594e1d4c567fc1186fa3f23311bbce
  • c92add5e2e6de78a16e7109d63c4518728e3c6daf9f03a42f8537ccc56a0a25a
  • 5940f101c2313af56b4a56a059c9bc99db6384c9d5b2c78d214dcbb4925da303
  • edb8c977167a1103f09ea2eafada3f63d464fd45f8ee9c0b72d51167a349a819
  • fb4635255bf95d89171eee78444e9527edc460e77ab364e83c6f3144a6a6fe65

C2 Server’s IP / Port

  • 104[.]168[.]102[.]108:61986
  • 109[.]248[.]11[.]240:17523
  • 135[.]125[.]40[.]64:15456
  • 135[.]181[.]171[.]9:45918
  • 138[.]124[.]186[.]121:45760
  • 45[.]132[.]104[.]3:52352
  • 45[.]133[.]217[.]148:65255
  • 45[.]137[.]190[.]170:19896
  • 45[.]140[.]146[.]78:6991
  • 45[.]147[.]197[.]123:31820
  • 45[.]156[.]24[.]97:43059
  • 45[.]66[.]9[.]155:41093
  • 45[.]67[.]228[.]152:54641
  • 45[.]87[.]3[.]177:61799
  • 77[.]232[.]38[.]156:35454
  • 77[.]232[.]43[.]79:57581
  • 79[.]141[.]165[.]41:80
  • 80[.]66[.]87[.]32:26062
  • 80[.]85[.]137[.]105:12734
  • 80[.]87[.]192[.]249:16640
  • 84[.]38[.]185[.]103:39821
  • 86[.]105[.]252[.]21:34503
  • 87[.]251[.]71[.]64:80
  • 93[.]189[.]43[.]32:31858
  • 94[.]103[.]81[.]47:41701
  • 95[.]181[.]155[.]242:14148
  • 95[.]181[.]163[.]37:27338
  • 95[.]216[.]43[.]58:40566
  • 95[.]217[.]77[.]23:53845

URLs for Additional Payload

  • hxxps://bitbucket[.]org/ribkadori/main/downloads/Explorer[.]exe
  • hxxps://bitbucket[.]org/ribkadori/main/downloads/Microsoft[.]exe
  • hxxps://siasky[.]net/_ARvTG0s2dXuHsh1hgD7tC4obsCy6AhzXWbzo4hQ6YYJ9g
  • hxxps://cdn[.]discordapp[.]com/attachments/884849322649337868/885902898255523910/SystemAudio[.]exe
  • hxxps://cdn[.]discordapp[.]com/attachments/883772525920784447/883775415821422622/Vitysha[.]exe
  • hxxps://iplogger[.]org/1GxAb7
  • hxxp://www[.]w3[.]org/2005/08/addressing/soap/fault
  • hxxps://cryptorelated[.]net/CurrencyCalculatorInstaller[.]exe
  • hxxps://a[.]goatgamei[.]com/userdow/2201/any[.]exe
  • hxxps://iplogger[.]org/1IAiS
  • hxxps://installcb[.]online/40[.]exe
  • hxxps://bitbucket[.]org/Olegiyartsev/build/downloads/WindowsServer[.]exe
  • hxxps://iplogger[.]org/1heUe7
  • hxxps://km[.]popmonster[.]ru/1056935770[.]exe
  • hxxp://sherence[.]ru/WindowsFormsApp2[.]exe
  • hxxp://sherence[.]ru/Obfuscation_Build[.]exe
  • hxxps://drive[.]google[.]com/uc?export=download&id=1yAYLxBjRuQ6JvTqNhzAaD9f7CEUdvM4t
  • hxxps://cdn[.]discordapp[.]com/attachments/890960532625051658/891052472230105118/msetup[.]exe
  • hxxps://ve0[.]popmonster[.]ru/863387648[.]exe
  • hxxps://ksbyz[.]jelikob[.]ru/1441447287[.]exe
  • hxxps://6b4s[.]popmonster[.]ru/1937106983[.]exe
  • hxxps://xre[.]popmonster[.]ru/2143165147[.]exe
  • hxxp://f0571088[.]xsph[.]ru/5[.]exe
  •  hxxps://installcb[.]online/7l[.]exe
  • hxxps://moneybac[.]ru/wlbdugfllvovexjx/calcbtc[.]exe
  • hxxps://cdn[.]discordapp[.]com/attachments/881102543541907476/892025514598998016/TastyMiner[.]exe
  • hxxps://cdn[.]discordapp[.]com/attachments/881102543541907476/885908445490991134/Bandicam[.]exe
  • hxxp://f0581959[.]xsph[.]ru/sss[.]exe
  • hxxps://cli-4576347563476534786[.]s3[.]us-east-2[.]amazonaws[.]com/crypted[.]exe
  • hxxp://a0574980[.]xsph[.]ru/fix[.]exe
  • hxxps://cdn[.]discordapp[.]com/attachments/889569369078779975/890225777457631272/ConHosts[.]exe
  • hxxps://iplogger[.]org/1yFqa7
  • hxxps://cdn[.]discordapp[.]com/attachments/863775676167487490/886320916345290812/aday[.]exe
  • hxxps://cdn[.]discordapp[.]com/attachments/863775676167487490/888027209263091712/Zena[.]exe
  • hxxps://iplogger[.]org/1fq4s7
  • hxxp://212[.]109[.]199[.]108//build3[.]exe
  • hxxp://sherence[.]ru/Stub[.]exe
  • hxxp://sherence[.]ru/qYnjfKljhYhAhBx[.]exe
  • hxxps://xre[.]popmonster[.]ru/703306277[.]exe
  • hxxps://b[.]popmonster[.]ru/187547149[.]exe
  • hxxps://9356[.]popmonster[.]ru/1483777859[.]exe
  • hxxp://a0581414[.]xsph[.]ru/fix[.]exe
  • hxxp://kamikirim[.]my[.]id/Explorer[.]exe
  • hxxps://kdr[.]zarkada[.]ru/507913557[.]exe
  • hxxp://filemix-2[.]ru/file/b4bd9c[.]exe
  • hxxps://sourceforge[.]net/projects/yupo/files/speedtube[.]exe
  • hxxps://9356[.]popmonster[.]ru/807073056[.]exe
  • hxxp://45[.]9[.]20[.]101/c[.]bin
  • hxxp://45[.]9[.]20[.]101/m[.]bin
  • hxxps://cdn[.]discordapp[.]com/attachments/543727270557384729/887705790717239327/1337[.]exe
  • hxxp://f0579340[.]xsph[.]ru/dlllhost[.]exe
  • hxxp://f0579340[.]xsph[.]ru/update[.]exe
  • hxxp://f0575427[.]xsph[.]ru/ash[.]exe
  • hxxps://cdn[.]discordapp[.]com/attachments/888787895530438699/890550987666894848/rcn[.]exe

 

BlackBerry Assistance

If you’re battling this malware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global consulting team standing by to assist you, providing around-the-clock support, where required, as well as local assistance. Please contact us here:  https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment


Want to learn more about cyber threat hunting? Check out the BlackBerry Research & Intelligence Team’s new book, Finding Beacons in the Dark: A Guide to Cyber Threat Intelligence - now available for pre-order here.

The BlackBerry Research & Intelligence Team

About The BlackBerry Research & Intelligence Team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.