
RedLine Stealer: IoC Analysis and Expansion

For roughly US$100, threat actors can purchase RedLine Stealer, a malware-as-a-service (MaaS) program first detected in March 2020 that continues to wreak havoc to this day. The malware can steal information from infected devices, including autocomplete and saved information on browsers, along with the system’s location, hardware configuration, and security software data.

RedLine Stealer’s accessibility and scope of data theft are a deadly combination, prompting the cybersecurity community to conduct in-depth research on the malware such as CloudSEK’s technical analysis.

Building on CloudSEK’s research and other sources of published indicators of compromise (IoCs), WhoisXML API researchers dove into RedLine Stealer’s DNS footprints. Our key findings include:

  • 92% of the IoCs still resolve to IP addresses
  • 1,700+ artifacts connected to the IoCs through shared WHOIS details and string usage
  • 700+ connected properties that share the IoCs’ IP hosts
  • Some artifacts targeted banks, a decentralized finance (DeFi) platform, and a courier

A sample of the additional artifacts obtained from our analysis is available for download from our website.

RedLine Stealer IoC Analysis

Our analysis covered 990 unique domains and IP addresses tagged as RedLine Stealer IoCs by CloudSEK and ThreatFox. We looked into their string usage, WHOIS details, IP geolocation data, and resolutions. Below are the details of our findings.

String Analysis of the IoCs

Several domains tagged as RedLine Stealer IoCs appeared to lure victims into downloading free or cracked versions of software. The word cloud below reflects that, with the most common strings used being “free,” “crack,” and “software.”

The IoCs mostly fell under the .com and .org generic top-level domain (gTLD) spaces. We also saw some new gTLDs, such as .xyz, .tech, .top, .pro, and .space, as shown in the chart below. In some cases, the threat actors registered the same second-level domain (SLD) string under more than one TLD; for example, “cracksoftware” appeared with both the .site and .space extensions.
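The string analysis described above (lure-word frequency across the SLDs, TLD distribution, and SLD strings reused under several TLDs), as an added Python example. This is not WhoisXML API’s code; the defanged IoC list, the lure-word lexicon, and the two-label suffix stub inside it are constructed for illustration and are not the study’s data.

```python
"""String analysis of domain IoCs: lure-word frequency, TLD distribution,
and SLD strings reused across TLDs.

Added example, not WhoisXML API's code. SAMPLE_IOCS is a constructed,
defanged list used only for illustration; it is not the study's IoC set.
"""
from collections import Counter

# Constructed sample (assumption): defanged domains in the style of the report.
SAMPLE_IOCS = [
    "cracksoftware[.]site",
    "cracksoftware[.]space",
    "free-soft-crack[.]com",
    "softwarefree[.]org",
    "crackedgames[.]com",
    "crackedgames[.]co[.]uk",
    "pro-crack[.]top",
    "freeware-hub[.]tech",
    "driver-pack[.]com",
]

# Lure words to count inside SLDs (assumption: a hand-picked lexicon).
LURE_WORDS = ("software", "cracked", "crack", "games", "free", "ware", "soft", "pro", "hub")

# Two-label public suffixes present in the sample. A real run should use the
# Public Suffix List instead of this stub.
TWO_LABEL_SUFFIXES = {"co.uk"}


def refang(domain):
    """Turn 'example[.]com' back into 'example.com', lower-cased."""
    return domain.replace("[.]", ".").strip().lower()


def split_domain(domain):
    """Return (sld, tld) for an apex domain, honouring two-label suffixes."""
    labels = refang(domain).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def lure_terms(sld):
    """Lure words found in an SLD (hyphens ignored). Longer words are matched
    first and masked so 'software' is not also counted as 'soft' and 'ware'."""
    s = sld.replace("-", "")
    found = []
    for word in sorted(LURE_WORDS, key=len, reverse=True):
        if word in s:
            found.append(word)
            s = s.replace(word, "|")
    return found


def analyze(iocs):
    """Return (lure-word counts, TLD counts, {sld: [tlds]} for SLDs seen under >1 TLD)."""
    term_counts, tld_counts, sld_to_tlds = Counter(), Counter(), {}
    for ioc in iocs:
        sld, tld = split_domain(ioc)
        tld_counts[tld] += 1
        term_counts.update(lure_terms(sld))
        sld_to_tlds.setdefault(sld, set()).add(tld)
    reused = {s: sorted(t) for s, t in sld_to_tlds.items() if len(t) > 1}
    return term_counts, tld_counts, reused


if __name__ == "__main__":
    terms, tlds, reused = analyze(SAMPLE_IOCS)
    print("top lure words:", terms.most_common(3))
    print("TLDs:", tlds.most_common())
    print("SLDs registered under several TLDs:", reused)
```

On the constructed sample the top three lure words come out as “crack”, “software”, and “free”, and “cracksoftware” is reported under both .site and .space, which is the pattern the text describes. The suffix handling is deliberately a stub; for real data, swap in a Public Suffix List library so that co.uk-style registrations are split correctly.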

WHOIS Characteristics of the IoCs

We ran the malicious domains through Bulk WHOIS Lookup to retrieve their complete WHOIS records. Most were registered with Namecheap and Reg.ru, each accounting for 28% of the registrations.

Almost all of the domains were created between July and November 2022. We also identified the most-used name server reflected in the image below.

About 31% of the IoCs listed Iceland as the registrant country; all of these were redacted records behind the privacy service Withheld for Privacy ehf, which is based in Iceland, so the country reflects the privacy proxy rather than the registrant. Overall, 84% of the domains had redacted WHOIS records. Still, we found five public registrant email addresses. We return to these findings in the expansion sections below.

IP Geolocation Analysis

We ran all the IoCs through Bulk IP Geolocation to see how many still had IP resolutions and to pinpoint their geolocations and administrators. About 92% of the RedLine Stealer IoCs currently resolve to IP addresses.

As shown in the chart below, most of the IP hosts were geolocated in the Netherlands, Russia, Germany, and the U.S.

The top ISPs, shown in the chart below, included Hetzner Online GmbH, Partner LLC, Delis LLC, and Amazon.com, Inc., with 106 other ISPs accounting for the rest.

Content Hosted on the IoCs

About half of the domains tagged as IoCs had active IP resolutions, with some still hosting or redirecting to a variety of web content. Here are a few examples.

IoC Expansion: Uncovering Additional Suspicious Domains

WHOIS-Connected Artifacts

We used the findings from our IoC analysis to uncover more domains possibly connected to RedLine Stealer. On Reverse WHOIS, we searched on the WHOIS characteristics and text strings the IoCs had in common. These search parameters were used:

  • Registrar name: starts with Namecheap
  • Name server: starts with DNS1.REGISTRAR-SERVERS.COM
  • Creation date: 1 July to 20 December 2022

Aside from these search parameters, we also specified the SLDs so the tool would only return those that contained specific string combinations. The table below shows the strings and examples of the connected domains we found. More domain samples can be found in the Appendix.

  • “Software”: nostr[.]software, revosoftware[.]company, reversed[.]software, carbonsparksoftware[.]blog, carbonsparksoftware[.]cloud
  • “Crack”: crackedbedwars[.]com, pccracked[.]org, soft-warecrack[.]store, crack-soft-ware[.]store, crackedprograms[.]co.uk
  • “Free” + “Ware”: freesoftwaredownload[.]net, freewaregadgets[.]com, freesoftwaresystem[.]com, freesoftwareapk[.]com, designsoftwarefree[.]com
  • “Software” + “App”: codeapp[.]software, applicationsoftwaredevelopment[.]com, vpmapping[.]software, bootstrappedsoftware[.]partners, softwareapp[.]online
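The Reverse WHOIS pivot described above (registrar prefix, name-server prefix, creation window, and the SLD string combinations from the table), applied offline to a set of WHOIS records, as an added Python example. This is not WhoisXML API’s code and does not call its Reverse WHOIS API; the records inside it are constructed for illustration, with a few deliberately failing one filter each so the pivot’s behaviour is visible.

```python
"""Reverse WHOIS-style pivot over WHOIS records using the search criteria
listed above: registrar prefix, name-server prefix, creation window, and
SLD string combinations.

Added example, not WhoisXML API's code or its Reverse WHOIS API. RECORDS is a
constructed set of WHOIS records (assumption: field names and values are
illustrative); a real run would feed the tool's output in here.
"""
from datetime import date

REGISTRAR_PREFIX = "namecheap"                # "Registrar name: starts with Namecheap"
NS_PREFIX = "dns1.registrar-servers.com"      # "Name server: starts with DNS1.REGISTRAR-SERVERS.COM"
CREATED_FROM, CREATED_TO = date(2022, 7, 1), date(2022, 12, 20)
# Each tuple lists strings that must all occur in the SLD (the table's groups).
STRING_COMBOS = [("software",), ("crack",), ("free", "ware"), ("software", "app")]

# Constructed records (assumption). Records excluded by one filter are annotated.
RECORDS = [
    {"domain": "crackedbedwars.com", "registrar": "NameCheap, Inc.",
     "name_servers": ["dns1.registrar-servers.com", "dns2.registrar-servers.com"],
     "created": "2022-09-14"},
    {"domain": "freewaregadgets.com", "registrar": "NAMECHEAP INC",
     "name_servers": ["DNS1.REGISTRAR-SERVERS.COM", "DNS2.REGISTRAR-SERVERS.COM"],
     "created": "2022-11-02"},
    {"domain": "softwareapp.online", "registrar": "Namecheap, Inc.",
     "name_servers": ["dns1.registrar-servers.com"], "created": "2022-12-19"},
    {"domain": "reversed.software", "registrar": "Namecheap, Inc.",
     "name_servers": ["dns1.registrar-servers.com"], "created": "2023-01-05"},   # outside window
    {"domain": "crackedprograms.co.uk", "registrar": "Other Registrar Ltd",
     "name_servers": ["ns1.other-dns.example"], "created": "2022-08-01"},         # other registrar
    {"domain": "garden-tools-shop.com", "registrar": "Namecheap, Inc.",
     "name_servers": ["dns1.registrar-servers.com"], "created": "2022-10-10"},   # no lure strings
]


def sld(domain):
    """Leftmost label; assumes apex domains with no subdomain labels."""
    return domain.lower().split(".")[0]


def matching_combos(label):
    """String combinations fully contained in the SLD, hyphens ignored."""
    s = label.replace("-", "")
    return [combo for combo in STRING_COMBOS if all(term in s for term in combo)]


def passes_whois_filters(rec):
    """Registrar prefix, first name server prefix, and creation window."""
    if not rec["registrar"].lower().startswith(REGISTRAR_PREFIX):
        return False
    name_servers = rec.get("name_servers") or []
    if not name_servers or not name_servers[0].lower().startswith(NS_PREFIX):
        return False
    created = date.fromisoformat(rec["created"])
    return CREATED_FROM <= created <= CREATED_TO


def pivot(records):
    """Return [(domain, [matching combos])] for records that pass every filter."""
    hits = []
    for rec in records:
        if not passes_whois_filters(rec):
            continue
        combos = matching_combos(sld(rec["domain"]))
        if combos:
            hits.append((rec["domain"], combos))
    return hits


if __name__ == "__main__":
    for domain, combos in pivot(RECORDS):
        print(domain, "<-", " | ".join("+".join(c) for c in combos))
```

The WHOIS filters narrow the candidate pool first and the string combinations are applied last, which mirrors how the search was built: a Namecheap registration with Namecheap’s default name servers in that window is common, so the SLD strings carry most of the discriminating weight, and a hit still needs manual review before it is treated as an artifact.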

We found 1,756 domains potentially connected to RedLine Stealer based on similar WHOIS details and string usage. While some may be legitimate software businesses, many hosted adult content and other suspicious pages.

Examples include freesoftwareapk[.]com, which offers free software with a download button for each product, and softwareaktualisierung[.]live, which offers support services for Microsoft users although its WHOIS details cannot be tied to Microsoft, the organization it imitates.

IP-Connected Artifacts

Another reliable way to find more properties connected to a threat is to look at shared IP hosts. Using Reverse IP/DNS API, we found that 98% of the IP addresses tagged as RedLine Stealer IoCs had 50 or fewer resolving domains, which suggests they were dedicated rather than shared hosting. Domains co-hosted on a dedicated IP are more likely to belong to the same operator than those on shared hosting, where co-residence alone proves little.

We found 750 IP-connected artifacts, some of which have already figured in malicious campaigns, including cybersquatting domains targeting Canada Post, Santander Bank, Scotia Bank, and Uniswap. Alarmingly, the Uniswap-related malicious domains continued to host content as shown below.
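The reverse IP pivot described in the two paragraphs above (classifying IoC hosts as dedicated or shared by their resolving-domain count, collecting co-hosted domains as IP-connected artifacts, and flagging the ones that embed a targeted brand name), as an added Python example. This is not WhoisXML API’s code and does not call its Reverse IP/DNS API; the IoC inventory, reverse-IP results, and brand keyword list inside it are constructed for illustration, and only the 50-domain threshold comes from the text.

```python
"""Reverse IP pivot: classify IoC IP hosts as dedicated or shared by their
resolving-domain count, collect co-hosted domains as IP-connected artifacts,
and flag ones whose SLD carries a targeted brand name.

Added example, not WhoisXML API's code or its Reverse IP/DNS API. The IoC
set, reverse-IP results, and brand list are constructed for illustration
(assumption); the 50-domain threshold is the one used in the text.
"""

DEDICATED_MAX_DOMAINS = 50   # <= 50 resolving domains -> treat the host as dedicated

# Constructed IoC inventory (assumption): documentation IP ranges and .example names.
IOC_DOMAINS = {"cracksoftware.site", "free-soft-crack.com"}
REVERSE_IP = {
    "192.0.2.10":   ["cracksoftware.site", "canadapost-track.com", "login-scotia-online.com"],
    "192.0.2.11":   ["free-soft-crack.com", "uniswap-claim.net"],
    "198.51.100.7": [f"site{i}.example" for i in range(120)] + ["santander-secure-login.com"],
}

# Brand keywords drawn from the targets named in the text (assumption: keyword -> brand).
BRANDS = {"canadapost": "Canada Post", "santander": "Santander",
          "scotia": "Scotiabank", "uniswap": "Uniswap"}


def classify_hosts(reverse_ip, threshold=DEDICATED_MAX_DOMAINS):
    """Map each IP to 'dedicated' or 'shared' from its resolving-domain count."""
    return {ip: ("dedicated" if len(domains) <= threshold else "shared")
            for ip, domains in reverse_ip.items()}


def dedicated_share(host_classes):
    """Percentage of hosts classed as dedicated (the text reports 98%)."""
    if not host_classes:
        return 0.0
    dedicated = sum(1 for c in host_classes.values() if c == "dedicated")
    return round(100.0 * dedicated / len(host_classes), 1)


def ip_connected_artifacts(reverse_ip, known_iocs, host_classes):
    """Co-hosted domains that are not themselves IoCs: {domain: (ip, host class)}.
    Artifacts on dedicated hosts are the stronger lead; on shared hosting,
    co-residence alone is weak evidence. One IP is kept per artifact."""
    artifacts = {}
    for ip, domains in reverse_ip.items():
        for d in domains:
            if d not in known_iocs:
                artifacts[d] = (ip, host_classes[ip])
    return artifacts


def brand_hits(artifacts):
    """Artifacts whose SLD embeds a targeted brand keyword: {domain: (brand, host class)}."""
    hits = {}
    for domain, (_ip, host_class) in artifacts.items():
        label = domain.split(".")[0].replace("-", "")
        for keyword, brand in BRANDS.items():
            if keyword in label:
                hits[domain] = (brand, host_class)
    return hits


def run(reverse_ip=REVERSE_IP, known_iocs=IOC_DOMAINS):
    """Whole pivot: host classes, dedicated share, artifacts, brand-imitating artifacts."""
    classes = classify_hosts(reverse_ip)
    artifacts = ip_connected_artifacts(reverse_ip, known_iocs, classes)
    return classes, dedicated_share(classes), artifacts, brand_hits(artifacts)


if __name__ == "__main__":
    classes, share, artifacts, squats = run()
    print(f"{share}% of IoC hosts look dedicated; {len(artifacts)} IP-connected artifacts")
    for domain, (brand, host_class) in squats.items():
        print(f"  {domain:32} imitates {brand:12} ({host_class} host)")
```

The host class travels with every artifact so that a brand-imitating domain found on a dedicated IoC host (such as the Uniswap lookalike in the constructed data) can be prioritised over one found on a shared host with a hundred unrelated tenants, where the IP overlap may be coincidental.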


Threat analysis is critical to understanding malicious actors’ tactics, techniques, and procedures (TTPs). Targeted IoC analysis can surface suspicious and possibly still dormant infrastructure.

By shedding light on the DNS footprints of public RedLine Stealer IoCs, we uncovered a total of 2,506 possible threat artifacts. Our analysis of the related properties shows that some have already figured in malicious campaigns, while others were suspicious.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
