RedLine Stealer has recently been disguised as an installer for the popular secure messaging app Telegram, Minerva Labs wrote in a recent report. RedLine Stealer is .NET-based malware that attackers have used to harvest credentials from unsuspecting users.
Stealers are pieces of malicious code whose main purpose is to find and exfiltrate valuable data from an infected device. Attackers usually deploy them either as a second-stage payload or by distributing them in the form of fake apps.
In their blog post, Minerva Labs researchers describe RedLine Stealer, its evasion techniques, and provide indicators of compromise.
According to them, the fake Telegram setup file is packed and highly obfuscated. Because Detect-It-Easy, a program for determining file types, could not identify any known packer, the researchers had to unpack it manually.
Having decompiled the malware, the researchers saw that most variable and function names were scrambled to make the malicious purpose of the code harder to understand. To further complicate reverse engineering, the malware's author also applied control flow flattening in the packer, replacing the normal program control flow with numerous if/while statements driven by a dispatcher.
The sample used both steganography and encryption to obfuscate the code, for example by using malformed images that actually contain the malicious payload.
The Minerva Labs team goes on to describe the full chain of code execution until the actual payload is revealed; that payload was entirely unobfuscated, allowing the researchers to see its C&C address.
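The report only says the payload hides in malformed images, not which format or how; as an added example (not Minerva's tooling, and assuming PNG carriers), this script walks a PNG's chunk list and flags the traces a glued-on payload leaves behind: bytes after IEND, chunks whose CRC no longer matches, or a missing IEND. The sample image is constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, 4-byte type, data, CRC32 of type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list and report the anomalies an embedded payload leaves behind:
    bytes appended after IEND, chunks whose CRC does not match, and a missing IEND."""
    report = {"valid_signature": blob[:8] == PNG_SIGNATURE, "chunk_types": [],
              "bad_crc": [], "iend_found": False, "trailing_bytes": 0}
    if not report["valid_signature"]:
        return report
    pos = 8
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            break  # truncated chunk: stop here, the remainder stays unparsed
        data = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[pos + 8 + length:end])[0]
        report["chunk_types"].append(ctype.decode("latin-1"))
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored_crc:
            report["bad_crc"].append(ctype.decode("latin-1"))  # data edited after the CRC was set
        pos = end
        if ctype == b"IEND":
            report["iend_found"] = True
            break  # a well-formed PNG ends here; anything after is foreign data
    report["trailing_bytes"] = len(blob) - pos
    return report

def is_suspicious(report: dict) -> bool:
    """Flag an image worth a closer look: not a real PNG, corrupted chunks, or data past IEND."""
    return (not report["valid_signature"] or not report["iend_found"]
            or bool(report["bad_crc"]) or report["trailing_bytes"] > 0)

# Constructed sample: a minimal 1x1 PNG, then the same image with placeholder bytes
# appended after IEND to stand in for a hidden payload (not a real sample).
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
IDAT = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
CLEAN_PNG = (PNG_SIGNATURE + png_chunk(b"IHDR", IHDR)
             + png_chunk(b"IDAT", IDAT) + png_chunk(b"IEND", b""))
STEGO_PNG = CLEAN_PNG + b"CONSTRUCTED-PAYLOAD-BYTES"
```

Image viewers ignore everything after IEND, which is exactly why trailing data is worth alerting on when an installer ships images it never displays.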
Minerva provided the following IOCs:
Hashes:
D516FA60F75B21B424D2D8DEB6CCE51A6620A603AA2A69E42E59DEA1961F11B9 (TelegramInstaller)
d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25 (Unpacked RedLine Stealer)
2ff5de07a6c72fdc54ed5fb40e6bd3726bd7e272384c892f8950c760cae65948 (Lightning.dll)
DNS Names:
dilendekal[.]xyz:80