BLUF: Redline Stealer - 24 Dec 21
Summary of Observable Actions
- Collects browser cookies
- Collects cryptocurrency wallets
- Collects auto-filled values from installed browsers
- Collects Discord database, log files, tokens
- Collects Telegram Desktop data
- Collects Filezilla info and credentials
- Collects Steam info
- Collects NordVPN credentials
- Collects OpenVPN info
- Collects ProtonVPN info
- Captures screen
- Enumerates system info
- Checks host public IP
- Connects to 65.21.85.32:39288 to receive new tasks
- Can download and execute new updates, malware, etc.
Program function contains connection routine that decrypts and connects to specified values in Arguments function. The Program function also allows for grabbing new tasks from the C2 to complete.
B64 → XOR → B64 → plain text value
In this manner, the C2 address, IP, and message displayed to the user executing the malware can be read.
“@siril228” unencrypted value from ID argument in Arguments function. Quick glance at Google shows posts regarding a user by the same name in credential market forum lolz.guru. User also owns Telegram handle “@siril228”.
Executable was being advertised as Call of Duty: Warzone unlocker tool on YouTube and was hosted on file sharing site, Mega.
Targeted Cryptocurrency Wallets
- YoroiWallet
- Tronlink
- NiftyWallet
- Metamask
- MathWallet
- Coinbase
- BinanceChain
- BraveWallet
- GuardaWallet
- EqualWallet
- JaxxxLiberty
- BitAppWallet
- iWallet
- Wombat
- AtomicWallet
- MewCx
- GuildWallet
- SaturnWallet
- RoninWallet
- TerraStation
- HarmonyWallet
- Coin98Wallet
- TonCrystal
- KardiaChain
- Phantom
- Oxygen
- PaliWallet
- BoltX
- LiqualityWallet
- XdefiWallet
- NamiWallet
- MaiarDeFiWallet
- Authenticator
IOC
Redline C2:
- 65.21.85.32
Warzone Unlocker.rar (PW:1234)
Warzone Unlocker.exe
Chewiest.exe (Unpacked .NET executable)
Comments
Post a Comment