UNKNOWN

NOVEMBER 2021

GLOBAL

REDLINE STEALER

DESCRIPTION OF EVENTS

"Malware refers to malicious software that carries out harmful activity on a victim’s device, usually without their knowledge. Malware-powered crime can be as simple as stealing information or money from victims, but can also be much more complex and grand in scale. For instance, malware operators who have infected enough devices can use those devices as a botnet, having them work in concert to carry out distributed denial-of-service (DDOS) attacks, commit ad fraud, or send spam emails to spread the malware further."

 

"Using malware to steal or extort cryptocurrency is nothing new. In fact, nearly all ransomware strains are initially delivered to victims’ devices through malware, and many large-scale exchange hacks also involve malware. But these attacks take careful planning and skill to pull off, as they’re typically targeted against deep-pocketed, professional organizations and, if successful, require hackers to launder large sums of cryptocurrency."

 

"First observed in 2020 and advertised on various cybercriminal forums as a ‘Malware-as-a-Service’ (MaaS) threat, Redline is an information stealer mainly targeting Windows’ victim credentials and cryptocurrency wallets, as well as Browser information, FTP connections, game chat launchers, and OS information such as system hardware, processes names, time zone, IP, geolocation information, OS version, and default language." "Over the past year, Redline was added with additional features and is capable to load other malware software and run commands while periodically sending updates to its C2 of new information related to the infected host."

 

"RedLine Stealer is commonly distributed by phishing emails, as well as messaging on social media. The phishing email lures are often topical, concerning current events such as COVID-19 information." "[I]t continues to be the most prominent cyber threat impacting users worldwide in 2021. According to the AnyRun trend tracker, 1,473 samples were submitted onto the online sandbox in September 2021, an increase of 377 samples in contrast to August, with a total of 2,600 domains and 405 unique IP addresses."

 

"The vehicle used by criminals to disseminate the Redline stealer is the email. A malicious and convincing message is sent along with a URL responsible for downloading the binary file installed on the target machine. Healthcare (taking advantage of the COVID-19 situation) and manufacturing were two industry sectors affected by this threat in the last few months."

 

As of March 20th, 2020, "Cyber criminals have recently started a new spam email campaign to distribute RedLine Stealer. They send thousands of deceptive emails asking for help to perform medical research relating to the coronavirus."

 

"They ask users to install software that will supposedly use the recipient's computer to perform various calculations and, thus, help the researchers. The app they encourage users to install is called Folding@home."

 

"This application exists and is legitimate, however, this spam campaign is a deception - rather than installing the Folding@home application, criminals inject RedLine Stealer into the system. You can find more details in Lawrence Abrams' article posted in Bleeping Computer."

 

As of November 9th, 2021, "RedLine stealer poses as LastPass, a legitimate password manager. There is a fake LastPass download page used to distribute an ISO file containing a file that starts the infection chain leading to the injection of the RedLine stealer."

 

"The latest RedLine stealer version now has additional capabilities. It collects more general information (like Zip code, time zone, city, installed hardware), scans the system for running processes, installed browsers, FTP connections, and other data. Also, it checks for Discord, VPN, Steam, Telegram, and other clients, crypto wallets."

 

"This info stealer operates on a MaaS (malware-as-a-service) model and is distributed on underground forums according to the users’ needs; $150 lite version; $200 pro version; $100/month subscription option. In the Telegram channel, the malware can be acquired and paid in Bitcoin, Ethereum, XMR, LTC and USDT." "RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month)."

 

"This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer."

 

"The RedLine information-stealing malware targets popular web browsers such as Chrome, Edge, and Opera." "RedLine Stealer is capable of gathering information such as logins, passwords, autofill data, cookies and credit card details from all Gecko-based and Chromium-based web browsers. Cyber criminals can misuse this information to access various accounts (e.g., social media, email, banking-related accounts, cryptocurrency wallets)." "[A] new report by AhnLab ASEC warns that the convenience of using the auto-login feature on web browsers is becoming a substantial security problem affecting both organizations and individuals." "The malware targets the 'Login Data' file found on all Chromium-based web browsers and is an SQLite database where usernames and passwords are saved."

 

"While browser password stores are encrypted, such as those used by Chromium-based browsers, information-stealing malware can programmatically decrypt the store as long as they are logged in as the same user. As RedLine runs as the user who was infected, it will be able to extract the passwords from their browser profile."
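The 'Login Data' file named above is also a useful detection handle for defenders: under normal conditions only the browser itself opens its own credential store, so any other process reading it while running as the logged-in user is worth an alert. The Python script below is an added example, not code from this page or from any source it quotes. It runs that rule over a handful of constructed file-access events (the event layout, the process allowlist and the sample paths are assumptions modelled on typical EDR or Sysmon file-access telemetry) and flags every non-browser process that opens a Chromium 'Login Data' file or the Gecko/Firefox equivalent, logins.json.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Profile-relative tails of browser credential stores. The Chromium 'Login Data'
# SQLite file is the one named above; logins.json is the Gecko (Firefox) equivalent.
CREDENTIAL_STORE_PATTERNS = (
    re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE),
    re.compile(r"\\Profiles\\[^\\]+\\logins\.json$", re.IGNORECASE),
)

# Browser executables expected to open their own stores (assumed allowlist; tune per fleet).
BROWSER_PROCESSES = frozenset({"chrome.exe", "msedge.exe", "opera.exe", "firefox.exe"})


@dataclass(frozen=True)
class FileAccessEvent:
    """One file-open event in the shape an EDR or Sysmon sensor might record (assumed layout)."""
    process_name: str
    process_path: str
    target_path: str
    user: str


def is_credential_store(path: str) -> bool:
    """True if the path is a browser credential store under a profile directory."""
    return any(pattern.search(path) for pattern in CREDENTIAL_STORE_PATTERNS)


def find_suspicious_access(events: Iterable[FileAccessEvent]) -> List[FileAccessEvent]:
    """Return events where a process other than the browser opened a credential store."""
    return [
        ev for ev in events
        if is_credential_store(ev.target_path)
        and ev.process_name.lower() not in BROWSER_PROCESSES
    ]


def format_alert(ev: FileAccessEvent) -> str:
    """Render one alert line for a SIEM or console."""
    return f"ALERT user={ev.user} process={ev.process_path} opened {ev.target_path}"


# Constructed sample telemetry: legitimate browser reads, two reads by freshly
# downloaded installers named after the lures described on this page, and noise.
CHROME_STORE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
FIREFOX_STORE = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json"

SAMPLE_EVENTS = [
    FileAccessEvent("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", CHROME_STORE, "alice"),
    FileAccessEvent("folding-home-setup.exe", r"C:\Users\alice\Downloads\folding-home-setup.exe", CHROME_STORE, "alice"),
    FileAccessEvent("explorer.exe", r"C:\Windows\explorer.exe", r"C:\Users\alice\Documents\notes.txt", "alice"),
    FileAccessEvent("lastpass-download.exe", r"C:\Users\alice\Downloads\lastpass-download.exe", FIREFOX_STORE, "alice"),
    FileAccessEvent("firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe", FIREFOX_STORE, "alice"),
]


if __name__ == "__main__":
    for alert in find_suspicious_access(SAMPLE_EVENTS):
        print(format_alert(alert))
```

On a real fleet the allowlist needs tuning: browser helper processes, backup agents and some password managers legitimately touch these files, so match on the full executable path and signer rather than the bare process name, and pair the rule with the process-creation context (a binary launched from Downloads or a mounted ISO is far more interesting than one from Program Files).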

 

"'Google Chrome encrypts the password with the help of the CryptProtectData function, built into Windows. Now while this can be a very secure function using a triple-DES algorithm and creating user-specific keys to encrypt the data, it can still be decrypted as long as you are logged into the same account as the user who encrypted it,' explains the author of the 'chrome_password_grabber' project."

 

"The CryptProtectData function has a twin, who does the opposite to it; CryptUnprotectData, which... well you guessed it, decrypts the data. And obviously this is going to be very useful in trying to decrypt the stored passwords."

 

"Even when users refuse to store their credentials on the browser, the password management system will still add an entry to indicate that the particular website is 'blacklisted.' While the threat actor may not have the passwords for this 'blacklisted' account, it does tell them the account exists, allowing them to perform credential stuffing or social engineering/phishing attacks."

 

"They also misuse them to proliferate malware, spam campaigns, make fraudulent transactions and purchases, deceive other people into transferring money, steal identities, and so on. RedLine Stealer can collect data from various FTP (File Transfer Protocol) and IM (Instant Messaging) clients and grab files stored on the infected computers."

 

"Furthermore, it is capable of collecting system information such as IP addresses, usernames, keyboard layouts, UAC settings, installed security solutions, and other details. This malicious program can be used to infect computers with other malware (download and execute malicious files)."

 

"An example of how widely popular RedLine has become for hackers is the rise of the '2easy' dark web marketplace, where half of all the data sold was stolen using this malware." "After collecting the stolen credentials, threat actors either use them in further attacks or attempt to monetize them by selling them on dark web marketplaces."

 

"Software of this kind is designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine."

 

"Typically, cyber criminals proliferate malicious programs through spam campaigns (emails), Trojans, dubious software download channels, unofficial activation tools and fake updaters. They attempt to proliferate malware by sending emails that contain malicious attachments (or web links that lead to download of malicious files)."

 

"Cyber criminals usually attach Microsoft Office, PDF documents, archive files (RAR, ZIP), executable files (.exe and others) and JavaScript files. If opened, the attached files install malicious software. Trojans often proliferate and install other malware and cause chain infections, however, they must first be installed."

 

"In an example presented by the analysts, a remote employee lost VPN account credentials to RedLine Stealer actors who used the information to hack the company's network three months later." "Even though the infected computer had an anti-malware solution installed, it failed to detect and remove RedLine Stealer."

RedLine Stealer is malware that is commonly bundled with installers or downloads delivered through malicious emails. Users are typically tricked into downloading and running it. Once installed, the malware operates silently and steals credentials from across the PC, including saved browser passwords and other browser data. More recent versions can also steal private keys from cryptocurrency wallets.

HOW COULD THIS HAVE BEEN PREVENTED?

Always store funds offline if possible. Keep the majority of funds in an unused wallet that is stored offline, in a hardware wallet or only on paper. Only withdraw the funds needed at the moment they are needed, and only in a fresh and secure environment. Set up two-factor authentication for any services used, and add additional factors wherever possible. Wallets can also use multi-sig, so that a single key stolen from an infected machine is not enough to move funds.

 



© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.