RedLine Stealer distributed via NPM — a new threat for developers?
<blockquote data-quote="Ghosthunter" data-source="post: 507" data-attributes="member: 6">
<h4>Behavioral factor of the malware carrier</h4>
<p>There is no need for a full-fledged dynamic analysis here. Redline is simpler than a ballpoint pen in this respect. Therefore, I will simply list the main criteria by which you can determine whether your machine is infected with this malware or not. I note that even though I advise you to use popular antivirus programs with a good reputation, they will not always help you.</p>
<p>The thing is that the creators of this stealer do not need to completely rewrite the code; they just change one variable or rename some method, and after compiling, this sample will have a completely different hash, which, alas, will no longer be in the antivirus databases. I did this simple manipulation — and here is the result:</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/8ed/095/cef/8ed095cef3c1c75bcb38ee6505086c32.png" alt="8ed095cef3c1c75bcb38ee6505086c32.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>So, how do you know that your machine is infected with Redline Stealer and your personal data has long been sold on some underground forum:</p>
<ol>
<li data-xf-list-type="ol">First, no matter how trivial my words may sound, pay attention to the workload of your system. Redline eats up a lot of RAM. The test sample somehow took up as much as 500 MB.</li>
<li data-xf-list-type="ol">Check for the above path in the Windows registry.</li>
<li data-xf-list-type="ol">Use the TCPView utility to see which processes are communicating with remote hosts without your knowledge.</li>
<li data-xf-list-type="ol">Check the AppData folder for strange executable files.</li>
</ol>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/966/770/a74/966770a7454ab668e7ea827bd15a2fdc.png" alt="966770a7454ab668e7ea827bd15a2fdc.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<h4>Conclusions</h4>
<p>Redline Stealer is certainly a very powerful modular spyware that is used by many attackers. But at the moment, this virus is spreading mainly through SEO poisoning and sites with pirated software, using the public NPM repository.</p>
<p>It is worth noting that over time, the malware code has changed little, and the sample from 2020 practically does not differ from the sample from 2023. Both can be detected by modern antivirus programs without any problems.</p>
<p>Since Redline is very flexible, it is not known what will happen next. So be vigilant and keep your eyes open.</p>
<p>Only one thing is upsetting — the negligence of monitoring groups; Microsoft, for one, could easily stop the activity of the malware. The IP addresses of the stealer's command servers are very easy to track and block, thereby constantly limiting the capabilities of cybercriminals. But no one does this, allowing the malware to spread and harm ordinary users.</p>
<p>And that's all I have, come on.</p>
</blockquote>
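The four checks the post lists (heavy RAM use, the registry path, per-process network connections as TCPView shows them, and executables under AppData) can be walked in one pass from an elevated PowerShell session. This is an added triage script, not code from the post or its author; it assumes PowerShell 5.1 or later on Windows 8/Server 2012 or newer (for Get-NetTCPConnection), and $RegistryPath is a placeholder because the post refers to "the above path" without giving it here.

```powershell
# Added host triage script for the checks listed in the post (not the post's own code).
# Assumptions: elevated PowerShell 5.1+; $RegistryPath is a PLACEHOLDER, the post
# does not state the path on this page. 500 MB is the figure quoted in the post.
param(
    [int]$MemoryThresholdMB = 500,
    [string]$RegistryPath = 'HKCU:\PLACEHOLDER\Path\From\Original\Thread'
)

Write-Host "== 1. Processes using more than $MemoryThresholdMB MB of RAM =="
Get-Process |
    Where-Object { $_.WorkingSet64 / 1MB -gt $MemoryThresholdMB } |
    Sort-Object WorkingSet64 -Descending |
    Select-Object Id, ProcessName, Path,
        @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) } } |
    Format-Table -AutoSize

Write-Host "== 2. Registry persistence path =="
if (Test-Path $RegistryPath) {
    Get-ItemProperty -Path $RegistryPath | Format-List
} else {
    Write-Host "Not present: $RegistryPath"
}

Write-Host "== 3. Established TCP connections and owning process (what TCPView shows) =="
Get-NetTCPConnection -State Established |
    ForEach-Object {
        # Resolve the owning PID to a name and image path so odd binaries stand out
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = $p.ProcessName
            Pid     = $_.OwningProcess
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Path    = $p.Path
        }
    } | Sort-Object Process | Format-Table -AutoSize

Write-Host "== 4. Executables under AppData (Local and Roaming), newest first =="
# An unsigned, recently written executable here is the kind of file the post means
$appData = @($env:LOCALAPPDATA, $env:APPDATA)
Get-ChildItem -Path $appData -Recurse -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime, Length,
        @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } } |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

A process that appears in sections 1, 3 and 4 at once (large working set, an established connection to an unfamiliar host, and an unsigned image under AppData) is the overlap worth investigating first; any single section on its own produces plenty of benign hits.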