RedLine Stealer distributed via NPM — a new threat for developers?
<blockquote data-quote="Ghosthunter" data-source="post: 506" data-attributes="member: 6">
<h4>Briefly about data theft from the Chrome browser</h4>
<p>After these simple and typical malware manipulations, Redline starts its main function: data theft. First, the virus receives commands from the C&C server operator that use the ScanningArgs class, which contains a list of plug-ins.</p>
<p>For example, an attacker purposefully wants to steal all possible data from the Chrome browser. In this case, the ScanChrome argument is used, which uses the C_H_R_O_M_E class.</p>
<p>Next, the ScanningArgs class defines the directory in which the search will be performed. In the case of the Chrome browser, it will look like this:</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/332/71d/627/33271d62717b75434beb7787bbdf0a8c.png" alt="33271d62717b75434beb7787bbdf0a8c.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>The directories and names of folders or files that the malware needs to search for are quite peculiar; this is the first time I've seen this, and I assume that this is a primitive method of obfuscating the code.</p>
<p>After that, the following three methods can be used: ScanFills (steals autofill files), ScanCC (steals credit card information), and ScanCook (steals cookies). It is important to note that each of these methods is autonomous, meaning that an attacker can perform either one or all of them together, depending on their ultimate goals.</p>
<p>Let's take a closer look at the example using the ScanCC method, because I think it is the most relevant one. Since Chrome uses the SQLi table to store all data about saved bank cards, it is logical that the malware generates a query to this table using the ReadTable function. After reading this table, Redline decrypts the data, analyzes it, and writes it to the ScanResult file, which will then be sent to the command server.</p>
<h4>Briefly about stealing Telegram Desktop accounts</h4>
<p>I think it is no longer a secret for many that the Telegram Desktop application has one such interesting vulnerability, which is difficult to name as such. But nevertheless, it is very popular in the circles of intruders.</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/a4b/38a/354/a4b38a354d6a1364ce4687873a57b24f.png" alt="a4b38a354d6a1364ce4687873a57b24f.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>The thing is that by copying the tdata folder from one device and simply moving it to another, where the same version of the messenger is installed, you will easily get into the account from the first device, and Telegram will not require any additional checks.</p>
<p>Stealing this folder is a child function of stealing wallet.dat files, where seed phrases of crypto wallets are stored. The Cryptos class is responsible for this process.</p>
<p>First, use the same GetScanArgs method to set the directory where the necessary files will be searched. If they are detected, Redline uses the FileCopier class, namely one of its CopyFile methods, which simply copies the content and transfers it to the ScanResult file.</p>
<p>If the command server operator also wants to get Telegram accounts, then the DesktopMassengerRule class will be called, which will perform the same manipulations as the Cryptos class.</p>
<h4>Collecting information about the victim's device</h4>
<p>The SystemInfoHelper and SystemHardware classes are used to collect most of the information about the victim's device.</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/96f/875/9b9/96f8759b9a9b944b7e05f0f209805bce.png" alt="96f8759b9a9b944b7e05f0f209805bce.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>Their GetProcessors and GetGraphicCard methods are responsible for getting information about the hardware of the victim's device.</p>
<p>But more interesting is the GetFireWalls method, which uses the ManagementObjectSearcher system call and collects information about antivirus and antispyware programs, firewalls, and Windows security settings.</p>
<p>All this information will also be saved to the ScanResult file and transmitted to the command server.</p>
</blockquote>
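From the defender's side, the three collection targets the post walks through (Chrome profile databases, the Telegram Desktop tdata folder, wallet.dat files) share one observable: a process that is not the owning application reading those files. The Python below is an added example, not code from the post or from the RedLine sample, that applies that rule to constructed file-read events in a simple timestamp|process|path format; the store locations, the allowed-process lists and the event format are assumptions to adapt to real endpoint telemetry.

```python
import re
from dataclasses import dataclass

# Stores the post describes RedLine harvesting, as case-insensitive regexes over
# a Windows path, each mapped to the process names expected to open it. Default
# install locations are assumed; adjust them for the environment.
SENSITIVE_STORES = {
    "chrome-profile-db": (r"\\google\\chrome\\user data\\[^\\]+\\(web data|login data|cookies)$",
                          {"chrome.exe"}),
    "telegram-tdata": (r"\\telegram desktop\\tdata\\", {"telegram.exe"}),
    "wallet-dat": (r"\\wallet\.dat$", {"bitcoin-qt.exe", "bitcoind.exe"}),
}

@dataclass
class Alert:
    timestamp: str
    process: str
    path: str
    store: str

def check_event(timestamp, process, path):
    """Return an Alert when `process` is not an expected reader of `path`."""
    for store, (pattern, allowed) in SENSITIVE_STORES.items():
        if re.search(pattern, path, re.IGNORECASE) and process.lower() not in allowed:
            return Alert(timestamp, process.lower(), path, store)
    return None

def scan(lines):
    """Parse 'timestamp|process|path' file-read events and collect alerts."""
    alerts = []
    for line in filter(str.strip, lines):
        alert = check_event(*line.strip().split("|", 2))
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample events (not real telemetry): node.exe, as an npm-delivered
# payload would appear, reading the stores alongside benign accesses.
SAMPLE_EVENTS = [
    r"2024-05-01T10:00:01|chrome.exe|C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"2024-05-01T10:00:05|node.exe|C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"2024-05-01T10:00:06|node.exe|C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    r"2024-05-01T10:00:09|node.exe|C:\Users\dev\AppData\Roaming\Telegram Desktop\tdata\key_datas",
    r"2024-05-01T10:00:12|Telegram.exe|C:\Users\dev\AppData\Roaming\Telegram Desktop\tdata\key_datas",
    r"2024-05-01T10:00:15|node.exe|C:\Users\dev\projects\app\package.json",
    r"2024-05-01T10:00:20|node.exe|C:\Users\dev\AppData\Roaming\Bitcoin\wallet.dat",
]
```

Running `scan(SAMPLE_EVENTS)` flags the four node.exe reads and leaves the browser's and messenger's own accesses alone; the package.json read is ignored because it matches no store.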