CREDENTIAL-STEALING MALWARE MIGHT BE KNOCKING AT YOUR DOOR

A Review of RedLine Stealer from a Timeline Perspective by Bertie Green & Brennan Egan

RedLine Stealer has been around since March 2020 and is the most prominent cyber threat impacting users worldwide over the last 365 days (AnyRun trend tracker). Here’s what it is and what you need to know!

What is RedLine Stealer?

RedLine Stealer is a malicious software known to be a pervasive keylogger and data exfiltration tool. The software steals account information necessary to gain remote access to a company’s environment and, once infiltrated, the bad actor can begin internal reconnaissance and optimization of additional malware delivery. During our investigations, we have identified an overlap between ransomware disclosures and associated passwords dumped through the releases of teaser data. The most significant exposures have been related to third-party contractors, hosting providers and software suppliers.

This malicious software is notoriously used by Russian adversaries and is easily purchased on the “dark web” for a few hundred dollars. As with many successful malware tools, it can be purchased as a standalone tool or leveraged as a SAAS offering, a feature we’ve seen more of in cybercrime. The proliferation of powerful cyber tools such as RedLine Stealer to a spectrum of users, from Nation State Actors to script kiddies, creates a broad range of potential attackers.

How it Works

The RedLine Stealer Command and Control panel is a GUI-based application installed on a Windows server and connects to the malware on the victim. The panel can control the malware by displaying, sorting, exporting, commenting, searching logs, creating downloads, and even running tasks. Here is a list of some of the functionalities:

• Collects from browsers:

  • Login and passwords

  • Cookies

  • Autocomplete fields

  • Credit cards

• Data collection from FTP clients, IM clients

• File-grabber customizable by Path, Extension, Search-in-subfolders

• Steal cryptocurrency cold wallets

• Collects information about the potentially stolen system: IP, country, city, current username, HWID, keyboard layout, screenshot, screen resolution, operating system, UAC Settings, is the current build running with administrator privileges, User-Agent, information about PC hardware (video cards, processors), installed AntiMalware

• Performing tasks such as:

  • Download - download a file from the link to the specified path

  • RunPE - injection of a 32-bit file downloaded from a link into another file

  • DownloadAndEx - download a file from the link to the specified path with the subsequent launch

  • OpenLink - open a link in the default browser

What Emagined is Seeing: Research Project Results Emagined Security’s Managed Security Services (MSS) team has worked proactively in counter-intelligence efforts by feeding false data into the RedLine Stealer networks. This false data includes Canary Token documents and false passwords that, if used, will alert us to adversarial activity, including IP addresses and browser profiles.

While the teaser dumps obtained are generally between 30 and 90 days old, Emagined Security has successfully prevented fraudulent transactions for our retail sector customers and system compromises for critical infrastructure and hospital sectors. We believe the adversaries leverage stolen cookies first to bypass MFA controls and spread their malware through email.

Once the cookies are no longer fresh, malicious actors provide incentive pricing and eventually rotate the older data into free teaser dumps. We find it essential for our clients to understand that while fresh data is the most valuable, hacker organizations follow the same principles of economics and cycle your data for an extended period. These free teasers create interest and buzz motivating “stay tuned!” behavior for malware authors of all skill levels.

We do have more granular intelligence available as well as methods of validating infection if you’d like to engage with our research team.

What You Can Do There are four main phases we suggest organizations strategize and execute balancing proactive cybersecurity discipline and reactive preparedness. As much as we wish it was as easy as picking which vendor to buy a product from, there’s complexity and nuance within the people and process portions of execution that are critical to your success.

• Prevention

• Identification

• Response

• Recovery

Prevention Organizations can use these six preventative steps to prepare in advance for Credential Stealing attacks:

1: Monitor & Alert Prevention begins with active monitoring within your environment; Emagined created the One Clear Path approach ensuring all assets inclusive of hardware, software, cloud, data, and dataflows are visible and hence defensible. It is important to understand when anomalous traffic is present on your network. Devising a strategic plan or fine-tuning monitoring and alerting can be accomplished by reviewing your monitoring solutions:

• SIEM / MSSP Solutions

• Accepted and Denied Traffic Analysis

• Audit email and VPN logins to detect login events from VPN, TOR, or unauthorized countries

• Traffic Analysis & Correlation

• Prepare an Incident Response Plan

2: Perimeter Protection Protecting your perimeter requires the appropriate protection to stop it before it enters the environment. Organizations should not rely solely on MFA controls as cookies can be stolen. There is no better protection than stopping an event before it occurs:

• Mail Protection

• Network Protection

• Web Protection

• Firewall & Policy Enforcement Point Protection

• Penetration Testing Validation

3: End-point Protection In the event that Credential Stealing Malware evades your perimeter protections undetected, it is essential to have the necessary safeguards in place to stop it from permeating further. This control may combine several types of prevention technologies that work in concert to stop the infection from taking over the systems. Aspects of this section include:

• Malware Prevention & Detection

• Patch Management

• Application Whitelisting

• Reputation Baselining and Analysis

• Behavioral Analytics

• Infection Isolation Preparation

4: Data Protection Controls are not always 100% effective in preventing Credential Stealing Malware so organizations need to prepare for the case where a machine or network gets infected. The next level of defense is the protection of data and backups:

• Discretionary Access Controls

• Data Encryption

• DRP / BRP (Critical)

• Data & Backup Isolation / Offsite

• Data Loss Prevention

5: User Awareness & Training Lastly, the best defense an organization has is an aware and informed staff. Knowing when to click on an email or website is critical to safeguarding an environment. Training your users in an effective and expedient manner significantly helps prevent future occurrences:

• Phishing Programs

• Security Awareness

• Internet Use Policies

• Annual Staff Security Training

• On-demand Resources

6: Third-Parties and BYOD Controls Organizations should insist that third-party contractors, development teams, and web service providers use machines protected by reputable Anti-Virus / Extended Detection & Response (XDR) toolsets:

• Organizations should audit contractor logins and permit only specific IP addresses

• When possible, limit contractor access to the minimum levels needed to perform that task

• If contractors must share accounts, enforce a central jump host and activate transaction logging to capture all commands launched on that host

Identification

If you suspect something is going on with your computer: Immediate Action Items

• Document all observations and actions

• Contact the Security Incident Response Team Manager

• Evaluate and verify the malicious code

• Isolate the machine from the network

• Notify the appropriate personnel

• Establish the scope of the infection

• Assess the immediate risk

Secondary Action Items

• Back up all work and system files

• Install and use reputable updated Antimalware / Extended Detection & Response (XDR) software

Evidence Collection

• Check for any modifications to the system files and make sure that the modifications are corrected

Corrective Measures

• Identify, evaluate, test, and implement corrective measures

• Determine if the system can be cleaned or if a restore from backup is required

• Update Antimalware / Extended Detection & Response (XDR) software with the most current virus signature files.

• Assist the user in determining and eradicating the Malware from the systems

• Boot the system from write-protected known clean media

• Run disinfecting program on all drives and systems, checking for any residual Malware infection

Evaluation

• Assess response procedures and implement improvements

Response If you determine you were compromised, here are some steps you can take to minimize future impacts:

Immediate Action Items

• Rebuild your computer

• Turn on Phishing Resistant 2-Factor for Potentially Stolen Accounts

• Turn on device logging for current systems

• Change Passwords on Potentially Stolen Accounts

Secondary Action Items

• Install a reputable Password Manager

• Change Password on ALL Personal Email Accounts

• Change Password on ALL Financial Systems (Bank of America, Chase, Etc.)

• Change Password on Other Important Systems

• Take out Trusted Devices on Authentication Services (e.g., Google, Facebook)

• Consider changing user accounts / passwords on general internet sites that may be of interest to Attacker

• Change Mobile (e.g., AppleID) passwords

• Consider changing account type to non-administrator on personal systems

Tertiary Action Items

• Notify Banks & Financial Institutions of Suspicious Activity

• Notify IRS and Request an Identity Protection Pin

  • https://www.irs.gov/individuals/get-an-identity-protection-pin

• Place a Credit Fraud Alert on Your Account

  • https://www.consumer.ftc.gov/articles/0275-place-fraud-alert

• Review USA.gov Recommended Identity Theft Suggestions

  • https://www.usa.gov/identity-theft

Recovery If you have access to the infected machine and you can manually perform a review, you can assume all data on the system was compromised. If you don’t have access to the system, you may need technical support to determine what might have been stolen. Note: If any of these actions were already performed during the Identification or Response phases, they do not need to be performed a second time – they are included in this section to ensure no steps were missed.

• Verify no infections persist before taking the following actions.

• Work with your corporation to change User Authentication Data Used with Communication & Internal Corporate Systems

  • Domain Password

  • VPN Portals

  • SFTP Clients

  • IM Clients

• Change / Reset Data Login and passwords contained in Local Browsers

• Review Authentication Cookies in your browsers and reset associated accounts (e.g., Apple Accounts, Google Authentication)

• Review Autocomplete fields in browsers to see if any other sensitive information may have been compromised and change any sensitive or authentication stored data

• Change any credit cards numbers that may have been compromised or request additional alerts to detect unauthorized transactions

• Move or take offline any cryptocurrency wallets funds stored on the computer

• Review computer for other sensitive information and inform the organization’s security team

• If you can acquire the exact data that was stolen, review data for additional steps can be taken (see the Dump Monitoring Section)

Dump Monitoring To operationalize this data, Emagined Security has developed tools that obtain, parse, and alert customers within minutes of the data dump being released. Our code does not interact with the stolen data (screenshots, documents, etc.) instead, analyzes what information was stolen so actionable intelligence can be acquired.

Time to Build / Acquire a SOC for 24x7 Monitoring In the current geopolitical climate, our firm anticipates this activity will continue. Acting proactively will save you the headache of a breach. If you have the time, resources, and budget, it is reasonable to start working on building out a security operations center (SOC). For the majority of organizations, this may be too large of an ask. However, that does not mean you are incapable of protecting yourself. Hiring a managed security services provider (MSSP) will give you all of the 24/7 cyber monitoring and incident response that you would get out of a full SOC but at under half the cost of running one yourself. In addition, when working with a firm such as Emagined Security, you are getting experts in the field who are constantly training their personnel to progress in the cybersecurity field.

To find out more about how you can afford a managed security services provider, click here, or contact us at sales@emagined.com