Free Phone Consultation For New Clients | CONTACT NOW

Technical Analysis of the RedLine Stealer

RedLine is an information stealer which operates on a MaaS (malware-as-a-service) model. This stealer is available on underground forums, priced according to users’ needs. The loader replaces the content of the Regsvcs.exe process, which is spawned in the suspended state. Following that, RedLine PE gets mapped in the Regsvcs process and thread contexts are manipulated to point to the entry point of the stealer, thus allowing the malware to masquerade as a legitimate process on the system.

VirusTotal [1] provides us with the following results:

The RedLineStealer downloader is an executable that does not use a typical Domain of Equivalence (DOE) [2], which can be used to detect a suspicious software. The payload in this case is obfuscated (Pack200):

The loader also employs anti-emulation/anti-debugging techniques, such as PUSHAD and PUSHF, to bypass static and dynamic analysis by static and dynamic analysis tools, respectively. The anti-emulation wrapper was developed by the attackers to prevent emulation of the loader, while anti-debugging techniques are used to limit the possibility of reverse engineering by debugging tools.

This malware can be distributed via multiple methods, echoing a delivery chain that could be used to find infected systems.

The most common distribution technique would be an email attachment containing the loaded PE file; however, it can also get pasted into the Windows clipboard or dropped to a predefined location on a USB drive, if the email server supports that type of attachment.

Source: Technical Analysis of the RedLine Stealer - AlienVault - Open Threat Exchange

Need secure managed IT for your business?