Life on a crooked RedLine: Analyzing the infamous infostealer's backend
Essential information
- Published
- 17/11/2024 00:25
- Modified
- 18/11/2024 16:38
- Tags
- 2024-11-17 backend analysis control panel cybercrime data theft infostealer malware-as-a-service meta stealer redline stealer windows communication framework
- Related entities
- 1 intrusion sets (apt), 2 malware, 7 others
Description
This article provides an in-depth analysis of RedLine Stealer, a notorious information-stealing malware. The research focuses on previously undocumented backend modules and the control panel used by affiliates. Key findings include the identification of over 1,000 unique IP addresses hosting RedLine panels, the use of Windows Communication Framework for component communication, and the shared origin of RedLine and META Stealer. The analysis covers authentication processes, sample creation mechanisms, and network infrastructure details. The researchers also highlight security vulnerabilities in the backend, such as storing passwords in cleartext. The article concludes by discussing the takedown of RedLine and META Stealer in Operation Magnus, emphasizing the widespread nature of these threats despite being orchestrated by a small group of actors.