CREDENTIAL-STEALING MALWARE MIGHT BE KNOCKING AT YOUR DOOR
A Review of RedLine Stealer from a Timeline Perspective by Bertie Green & Brennan Egan
RedLine Stealer has been around since March 2020 and is the most prominent cyber threat impacting users worldwide over the last 365 days (AnyRun trend tracker). Here’s what it is and what you need to know!

What is RedLine Stealer?
RedLine Stealer is malicious software that operates as a pervasive keylogger and data exfiltration tool. It steals the account information needed to gain remote access to a company’s environment; once inside, the bad actor can begin internal reconnaissance and stage the delivery of additional malware. During our investigations, we have identified an overlap between ransomware disclosures and the associated passwords dumped through releases of teaser data. The most significant exposures have involved third-party contractors, hosting providers and software suppliers.
This malicious software is notoriously used by Russian adversaries and is easily purchased on the “dark web” for a few hundred dollars. As with many successful malware tools, it can be bought as a standalone tool or leveraged as a SaaS offering, a model we have seen more of in cybercrime. The proliferation of powerful cyber tools such as RedLine Stealer to a spectrum of users, from nation-state actors to script kiddies, creates a broad range of potential attackers.
How it Works
The RedLine Stealer command-and-control panel is a GUI-based application installed on a Windows server that connects to the malware running on the victim’s machine. From the panel the operator can display, sort, export, comment on and search logs, create downloads, and even run tasks. Here is a list of some of the functionalities:
Collects from browsers:
  Login and passwords
  Cookies
  Autocomplete fields
  Credit cards
Data collection from FTP clients, IM clients
File-grabber customizable by Path, Extension, Search-in-subfolders
Steal cryptocurrency cold wallets
Collects information about the compromised system: IP, country, city, current username, HWID, keyboard layout, screenshot, screen resolution, operating system, UAC settings, whether the current build is running with administrator privileges, User-Agent, information about PC hardware (video cards, processors), installed anti-malware
Performing tasks such as:
  Download - download a file from the link to the specified path
  RunPE - injection of a 32-bit file downloaded from a link into another file
  DownloadAndEx - download a file from the link to the specified path with the subsequent launch
  OpenLink - open a link in the default browser
What Emagined is Seeing: Research Project Results
Emagined Security’s Managed Security Services (MSS) team has worked proactively on counter-intelligence efforts by feeding false data into the RedLine Stealer networks. This false data includes Canary Token documents and false passwords that, if used, alert us to adversarial activity and capture details such as the source IP addresses and browser profiles involved.
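As an added example (not part of the original article and not Emagined’s own tooling), the following Python sketches the detection side of the decoy-credential approach described above. The decoy account names, the authentication log format and the sample log lines are constructed assumptions; the point it shows is that because nobody legitimate ever signs in with a planted decoy, every attempt against one, successful or not, is an alert worth raising together with the source IP and browser profile it arrived from.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Decoy account names seeded alongside real-looking credential data.
# Constructed placeholders, not real accounts: nobody legitimate ever
# signs in with them, so *any* attempt is a signal. Stored lower-case.
DECOY_ACCOUNTS = frozenset({
    "svc-backup-archive@example.com",
    "finance-share@example.com",
})

# Assumed authentication log format (constructed for this example):
#   <ISO timestamp> auth <success|failure> user="<name>" src=<ipv4> ua="<user agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) auth (?P<outcome>success|failure) user="(?P<user>[^"]+)" '
    r'src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real hosts.
SAMPLE_LOG_LINES = [
    '2024-05-01T08:12:03Z auth success user="alice@example.com" src=203.0.113.10 '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"',
    '2024-05-01T08:14:41Z auth failure user="svc-backup-archive@example.com" src=198.51.100.23 '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"',
    '2024-05-01T08:14:52Z auth success user="svc-backup-archive@example.com" src=198.51.100.23 '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"',
    '2024-05-01T09:02:17Z auth success user="bob@example.com" src=203.0.113.11 '
    'ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15"',
    '2024-05-01T11:45:09Z auth failure user="finance-share@example.com" src=198.51.100.23 '
    'ua="python-requests/2.31"',
    "malformed line that should be skipped",
]


@dataclass(frozen=True)
class DecoyAlert:
    """One authentication attempt against a decoy account."""
    timestamp: str
    user: str
    outcome: str
    src_ip: str
    user_agent: str


def parse_line(line: str) -> Optional[dict]:
    """Return the log fields as a dict, or None for a line in another format."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def find_decoy_logins(lines: Iterable[str], decoys: frozenset[str]) -> list[DecoyAlert]:
    """Raise an alert for every attempt, successful or failed, that names a decoy account."""
    alerts: list[DecoyAlert] = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # unparseable lines are skipped, not treated as alerts
        if fields["user"].lower() in decoys:
            alerts.append(DecoyAlert(
                timestamp=fields["ts"],
                user=fields["user"],
                outcome=fields["outcome"],
                src_ip=fields["src"],
                user_agent=fields["ua"],
            ))
    return alerts


def summarize_by_source(alerts: Iterable[DecoyAlert]) -> dict[str, list[str]]:
    """Group decoy hits by source IP so one client trying several decoys stands out."""
    by_src: dict[str, set[str]] = {}
    for alert in alerts:
        by_src.setdefault(alert.src_ip, set()).add(alert.user)
    return {src: sorted(users) for src, users in by_src.items()}


if __name__ == "__main__":
    hits = find_decoy_logins(SAMPLE_LOG_LINES, DECOY_ACCOUNTS)
    for hit in hits:
        print(f"{hit.timestamp} decoy={hit.user} outcome={hit.outcome} "
              f"src={hit.src_ip} ua={hit.user_agent!r}")
    print(summarize_by_source(hits))
```

Run against the constructed sample, the detector flags the three attempts against decoy accounts and attributes them all to the same source address, while the legitimate logons and the malformed line produce nothing. Failed attempts are reported as deliberately as successful ones, since a wrong password against an account no real user knows still tells you the stolen data is being tried.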

While the teaser dumps obtained are generally between 30 and 90 days old, Emagined Security has successfully prevented fraudulent transactions for our retail sector customers and system compromises in the critical infrastructure and hospital sectors. We believe the adversaries leverage stolen cookies first, to bypass MFA controls, and then spread their malware through email.
Once the cookies are no longer fresh, malicious actors offer incentive pricing and eventually rotate the older data into free teaser dumps. We find it essential for our clients to understand that while fresh data is the most valuable, hacker organizations follow the same principles of economics and cycle your data for an extended period. These free teasers create interest and buzz, encouraging “stay tuned!” behavior among malware authors of all skill levels.
We do have more granular intelligence available as well as methods of validating infection if you’d like to engage with our research team.
What You Can Do
There are four main phases we suggest organizations strategize and execute balancing proactive cybersecurity discipl