BlackBerry Prevents: RedLine Infostealer Update

RESEARCH & INTELLIGENCE / 10.22.21 / The BlackBerry Research and Intelligence Team

RedLine is a popular infostealer malware family distributed predominantly via phishing email campaigns. Our initial Threat Thursday blog for RedLine highlighted the dangers and capabilities of this threat. Recent analysis of this malware family has identified a significant update to its command-and-control (C2) communication mechanism.

Initially, RedLine implemented Simple Object Access Protocol (SOAP) over HTTP, but we have discovered that more recent samples of RedLine implement SOAP data over Net.TCP Port Sharing Protocol instead. This update makes it more difficult to identify and understand communication data being exchanged between a victim and the malware’s C2 servers.

To see how BlackBerry prevents RedLine attacks from occurring, check out the following video.

DEMO VIDEO: BlackBerry vs. RedLine Infostealer Update

Learn more about RedLine in our new deep dive blog, Threat Thursday: RedLine Infostealer Update.

BlackBerry Cyber Suite and BlackBerry Guard stop these attacks. 

BlackBerry customers can feel confident that our AI-driven BlackBerry® Cyber Suite, as well as our Managed Detection & Response (MDR) solution BlackBerry® Guard, and our Zero Trust Network Access solution BlackBerry® Gateway, are all well-equipped to mitigate the risks posed by threat actors such as those behind RedLine infostealer: 

BlackBerry® Protect provides automated malware prevention, application and script control, memory protection, and device policy enforcement. 
BlackBerry® Optics extends the threat prevention by using artificial intelligence (AI) to prevent security incidents. It provides true AI incident prevention, root cause analysis, smart threat hunting, and automated detection and response capabilities.  
BlackBerry® Gateway provides Zero Trust network access to reduce risk by protecting traffic through the perimeter and performing encrypted packet analysis. BlackBerry Gateway creates a network that is identity-aware per user, with continuous authorization to thwart zero-day attacks.
The BlackBerry® Mobile Threat Defense (MTD) solution prevents and detects advanced malicious threats at the device and application levels. It combines the mobile endpoint management capabilities of BlackBerry® Unified Endpoint Manager (UEM) with advanced AI-driven threat protection, to get in front of malicious cyberattacks in a Zero Trust environment. 
BlackBerry® Persona creates trust based on behavior analytics, app usage, and network and process invocation patterns. It uses adaptive risk scoring to provide continuous authentication. 
BlackBerry Guard customers are proactively protected from RedLine infostealer attacks. Our 24/7 MDR solution customers receive:
- Alerts monitored in real-time  
- Corrective policies applied while discovering gaps in policy implementation
- Prioritized threat hunting  
- The latest threat intelligence for fast-moving threats

Prevention First 

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill-chain. 

By stopping malware at this stage, BlackBerry® solutions help organizations increase their resilience. It also helps to reduce infrastructure complexity and streamline security management, ensuring your business, people and endpoints are secure.

BlackBerry Assistance 

The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. 

For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form. 

Video Transcription

"In this video, we will analyze a recent update of the RedLine infostealer, a popular malware family distributed predominantly via phishing campaigns with an extensive list of capabilities. It has also been linked to other malware families.

The most recent version of this malware uses Net.TCP protocol instead of the traditional TCP stack to fly under the radar for Network Security controls in terms of command-and-control (C2) communication.

This machine is in audit-only mode so we can execute the sample. As you can see, it's a fairly quick and quiet compromise, but if we take a look at the root-cause analysis on BlackBerry Optics we can better understand what's going on.

Instead of just focusing on reactive post-execution investigations, let's see how the BlackBerry Temporal Predictive Advantage can protect your assets from this threat - six years before the malware was created!

As we can see, our Cylance® AI models are able to predict and prevent not only the sample of RedLine analyzed on our Threat Thursday blog, but also 15 other variants from this RedLine update.

Prevention is possible, with Blackberry.”

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.

Whether it's identifying new vulnerabilities or staying ahead of sophisticated attack tactics, we are dedicated to securing your digital assets with cutting-edge research and innovative solutions.

Back