Redline stealer malware: Full analysis

Redline malware was first observed in March 2020, but it remains one of the most prominent cyber threats affecting users worldwide in 2021. According to the AnyRun trend tracker, 1,473 samples were submitted to the online sandbox in September 2021, an increase of 377 samples compared with August, with a total of 2,600 domains and 405 unique IP addresses observed.

Figure 1: Total number of Redline malware samples in September 2021 (source: AnyRun trend tracker).

Redline is a piece of malware that has been updated over the last few months with features for exfiltrating credentials, cryptocurrency wallets, browser data and FTP authentication data. It also collects information about the infected machine, such as OS details, system hardware, running processes, system language and more. Capabilities to load remote payloads and a SOAP-based protocol for C2 communication were also implemented, a clear sign that this malicious piece should be kept under the cyber radar.

Modus Operandi of Redline malware

This info stealer operates on a MaaS (malware-as-a-service) model and is sold on underground forums in tiers according to the buyer's needs: a $150 lite version, a $200 pro version, and a $100/month subscription option. Through the Telegram channel, the malware can be acquired and paid for in Bitcoin, Ethereum, XMR, LTC and USDT.
