RedLine Stealer distributed via NPM — a new threat for developers?
<blockquote data-quote="Ghosthunter" data-source="post: 505" data-attributes="member: 6">
<p>A shellcode is a part of the code embedded in a malicious program that allows you to get the command shell code after infecting the target system of the victim. Very often, shellcode is used as an exploit payload.</p>
<h4>We open the hunt for ShellCode: what's inside?</h4>
<p>To detect and capture it, we will use the Hollows Hunter utility with a single /shellc parameter.</p>
<p>Shellcodes were detected in three processes: explorer.exe, dwm.exe and searchapp.exe. Even one glance through the notebook is enough to understand that they are all the same and clearly left by our stealer.</p>
<p>Now let's use the previously described method and convert the captured shellcodes into executable files for further analysis. But I was a little disappointed, as it turned out that these shellcodes are copies of the source code of the malware with some edits.</p>
<h4>Opening the RedLine Stealer: start diving</h4>
<p>So, let's skip the previous topic and immediately tell you about the algorithm of this malware:</p>
<ol>
 <li data-xf-list-type="ol">Decryption of encoded strings and communication with the C&C server.</li>
 <li data-xf-list-type="ol">Fixing the malware in the system.</li>
 <li data-xf-list-type="ol">Directly stealing data or executing criminal commands.</li>
</ol>
<p>Yes, the algorithm is stupidly simple, but this is compensated by the fact that due to its modular structure, Redline is very flexible and can implement quite a lot of tasks.</p>
<h4>Decryption of encoded strings and communication with the C&C server</h4>
<p>It is worth noting that instant communication with the command server is a very unusual move for malicious applications. As part of the analysis, we already had several stealers, so they first steal data, and only then contact the server. Most likely, this is due to the fact that Redline does not have any instructions in its code, unlike others ("steal this, but you don't need this"), so it is important for the virus to get instructions from C&C and only then deploy its malicious activity.</p>
<p>The same dnSpy and its function responsible for this process will help us find the entry point of this virus. The entry point is the Program class. Let's move on to viewing it.</p>
<p>The Execute extension immediately catches your eye, pointing to the EntryPoint class, from which the following four parameters will be decrypted via the StringDecrypt.Decrypt class: "Message", "Key", "IP" and "ID".</p>
<p>Surprisingly, when we go to this class, we see absolutely unencrypted data and the very message that I was surprised at earlier. It seemed to me that this might be some kind of malicious error in this particular version of the malware, but when I downloaded the older one, I saw the same thing.</p>
<p>Apparently, the criminal was not particularly concerned that the IP address of his command server would be discovered by someone, if at all.</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/22f/55c/8f3/22f55c8f3821deed96f0f54d5d14be80.png" alt="22f55c8f3821deed96f0f54d5d14be80.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>Attackers also collect information about whether this malware was previously run on the victim's machine. This check is done quite simply. Using the SeenBefore method, the presence of a folder at the following path is checked:</p>
<p>\AppData\Local\Yandex\YaAddon</p>
<p>If the folder was found, the method returns false. If it is not found, it will be created and the response will be true. These two values will be saved and sent to the command server.</p>
<p>Attackers may be interested in this for several reasons, but the most likely one is the following. If Redline was already running earlier on the victim's machine, then there is a chance that the account credentials were changed either by the user or by another attacker. Then the sale of stolen goods becomes a huge question mark.</p>
<h4>Pinning in the system</h4>
<p>After these checks and establishing a connection with the server, it is vital for the virus to gain a foothold on the victim's machine in order to continue its stealer activity in the event of a reboot or other things.</p>
<p>To do this, a new key will be created in the Windows registry along the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000090250. The malware will also be added to normal Windows startup.</p>
<h3>Direct data theft</h3>
<h4>Stealer functionality:</h4>
<ol>
 <li data-xf-list-type="ol">Theft of data such as:
  <ul>
   <li data-xf-list-type="ul">autofill data and cookies from web browsers such as Opera, Firefox, Google Chrome, Microsoft Edge and Internet Explorer,</li>
   <li data-xf-list-type="ul">Discord tokens,</li>
   <li data-xf-list-type="ul">a copy of the tdata folder from Telegram Desktop,</li>
   <li data-xf-list-type="ul">data from FileZilla-based FTP clients,</li>
   <li data-xf-list-type="ul">Steam, Epic Games and Origin credentials,</li>
   <li data-xf-list-type="ul">keys to popular VPN services: NordVPN, OpenVPN, ProtonVPN,</li>
   <li data-xf-list-type="ul">data from cryptocurrency wallets. There are a lot of them in the list; all of them were listed earlier.</li>
  </ul>
 </li>
 <li data-xf-list-type="ol">Collecting information about the victim's device: geolocation, hardware configuration, installed applications and user name.</li>
 <li data-xf-list-type="ol">It can be used as a dropper, delivering other malware to the infected machine.</li>
 <li data-xf-list-type="ol">Output of windows with errors, the text of which is set by the attacker.</li>
</ol>
<p>The feature set is really extensive. If you analyze all the features of this malware in detail, then this article will clearly not be enough. Therefore, we will go through only the most interesting ones.</p>
</blockquote>
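A defender-side triage script for the host artifacts this post names (the YaAddon marker folder, the registry key under ApplicationViewManagement, and the Windows startup entries), added here as an example and not part of the post or of the analysis it quotes. It assumes an elevated PowerShell session on the machine being checked and only reads; nothing is removed.

```powershell
# Added triage script (not from the original post). It looks for the host
# artifacts the post describes and lists them for review; it changes nothing.
$findings = [System.Collections.Generic.List[object]]::new()

# 1. SeenBefore marker: the post says the stealer creates
#    \AppData\Local\Yandex\YaAddon in the user's profile on first run.
Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $marker = Join-Path $_.FullName 'AppData\Local\Yandex\YaAddon'
    if (Test-Path -LiteralPath $marker) {
        $created = (Get-Item -LiteralPath $marker).CreationTime
        $findings.Add([pscustomobject]@{ Check = 'SeenBefore marker'; Value = $marker; Note = "created $created" })
    }
}

# 2. Registry key named in the post. Windows itself keeps W32:<handle> subkeys
#    under ApplicationViewManagement, so a hit is weak evidence: inspect the values.
$parent = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement'
if (Test-Path -LiteralPath $parent) {
    Get-ChildItem -LiteralPath $parent | Where-Object { $_.PSChildName -eq 'W32:0000000000090250' } | ForEach-Object {
        $key = $_
        $values = ($key.GetValueNames() | ForEach-Object { "$_=$($key.GetValue($_))" }) -join '; '
        $findings.Add([pscustomobject]@{ Check = 'Persistence key'; Value = $key.Name; Note = $values })
    }
}

# 3. "Normal Windows startup": Run/RunOnce keys of the machine and current user,
#    plus Startup-folder and other autostart entries from Win32_StartupCommand.
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'Run', 'RunOnce') {
        $k = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $item = Get-Item -LiteralPath $k
        foreach ($name in $item.GetValueNames()) {
            $findings.Add([pscustomobject]@{ Check = "Run entry ($sub, $hive)"; Value = $name; Note = $item.GetValue($name) })
        }
    }
}
Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
    $findings.Add([pscustomobject]@{ Check = 'Startup command'; Value = $_.Name; Note = "$($_.Command) [$($_.Location)]" })
}

if ($findings.Count -eq 0) { 'None of the RedLine artifacts from the post were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The Run/RunOnce and Win32_StartupCommand listings are printed in full rather than filtered, because the post does not say what the startup entry is named; compare them against a known-good baseline of the machine.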