Redline Stealer Trojan

Redline Stealer is a newly observed .NET-based information stealing trojan sold through a number of hacking forums.

Threat ID:: CC-3406
Category:: Trojan
Threat Severity:: Information only
Threat Vector:: Email spam
Published:: 25 March 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Redline Stealer is a newly observed .NET-based information stealing trojan sold through a number of hacking forums.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

At the time of publication, Redline Stealer has been delivered exclusively through spam campaigns. These campaigns attempt to spoof emails sent by the Folding@Home distributed computing project regarding Covid-19.

Once installed, Redline Stealer will collect user and system information before connecting to a command and control server. It will then attempt to extract the following information:

Web browser data (Chromium- and Gecko-based browsers only):
- login credentials
- cookies
- auto-complete fields
- payment information
IM conversation histories
FTP client credentials
Cryptocurrency wallet credentials

Remediation steps

Type	Step
	To prevent and detect a trojan infection, NHS Digital advises that: Secure configurations are applied to all devices. Security updates are applied at the earliest opportunity. Tamper protection settings in security products are enabled where available. Obsolete platforms are segregated from the rest of the network. IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments. Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts. Administrative accounts are only used for necessary purposes. Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations. Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible. Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Type

Step

To prevent and detect a trojan infection, NHS Digital advises that:

Secure configurations are applied to all devices.
Security updates are applied at the earliest opportunity.
Tamper protection settings in security products are enabled where available.
Obsolete platforms are segregated from the rest of the network.
IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
Administrative accounts are only used for necessary purposes.
Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Main indicators

IP Addresses

66.206.18[.]186

URLs

bitbucket[.]org/example123321/download/downloads/foldingathomeapp.exe

Email Addresses

shannon@litegait[.]com

MD5 File Hashes

1ca9805cc22ed04125ae836f1ad23c16

SHA256 File Hashes

0ddd7d646dfb1a2220c5b3827c8190f7ab8d7398bbc2c612a34846a0d38fb32b
5df956f08d6ad0559efcdb7b7a59b2f3b95dee9e2aa6b76602c46e2aba855eff

Last edited: 29 June 2021 12:00 pm