For roughly US$100, threat actors can purchase RedLine Stealer, a malware-as-a-service (MaaS) program first detected in March 2020 that continues to wreak havoc to this day. The malware can steal information from infected devices, including autocomplete and saved information on browsers, along with the system’s location, hardware configuration, and security software data.
RedLine Stealer’s accessibility and scope of data theft are a deadly combination, prompting the cybersecurity community to conduct in-depth research on the malware such as CloudSEK’s technical analysis.
Building on CloudSEK’s research and other sources of published indicators of compromise (IoCs), WhoisXML API researchers dove into RedLine Stealer’s DNS footprints. Our key findings include:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Our analysis covered 990 unique domains and IP addresses tagged as RedLine Stealer IoCs by CloudSEK and ThreatFox. We looked into their string usage, WHOIS details, IP geolocation data, and resolutions. Below are the details of our findings.
Several domains tagged as RedLine Stealer IoCs appeared to lure victims into downloading free or cracked versions of software. The word cloud below reflects that, with the most common strings used being “free,” “crack,” and “software.”
The IoCs mostly fell under the .com and .org generic top-level domain (gTLD) spaces. We also saw some new gTLDs, such as .xyz, .tech, .top, .pro, and .space, as shown in the chart below. In some cases, the threat actors registered the second-level domains (SLDs) using different TLDs. For example, the domain string “cracksoftware” appeared with .site and .space extensions.
We ran the malicious domains on Bulk WHOIS Lookup to retrieve their complete WHOIS information. Most of them were registered with Namecheap and Reg.ru, with each accounting for 28% of the total registration.
Almost all of the domains were created between July and November 2022. We also identified the most-used name server reflected in the image below.
About 31% of the IoCs were registered in Iceland, and all of those had WHOIS records redacted by Withheld for Privacy EHF. Consistent with that, 84% of the domains overall had redacted WHOIS records. Still, we found five public registrant email addresses. We expand on these findings in later sections.
We ran all the IoCs on Bulk IP Geolocation to see how many still had IP resolutions and to pinpoint their geolocations and administrators. About 92% of the RedLine Stealer IoCs currently resolve to IP addresses.
As shown in the chart below, most of the IP hosts were geolocated in the Netherlands, Russia, Germany, and the U.S.
On the other hand, the top ISPs included Hetzner Online GmbH and Partner LLC, Delis LLC, Amazon.com, Inc., and 106 others. The chart below shows the top 10 ISPs.
About half of the domains tagged as IoCs had active IP resolutions, with some still hosting or redirecting to a variety of web content. Here are a few examples.
We used the findings from our IoC analysis to uncover more domains possibly connected to RedLine Stealer. On Reverse WHOIS, we used some of the domains’ common WHOIS characteristics and text strings. These search strings were specifically used:
Aside from these search parameters, we also specified the SLDs so the tool would only return those that contained specific string combinations. The table below shows the strings and examples of the connected domains we found. More domain samples can be found in the Appendix.
| Search string | Example connected domains |
|---|---|
| “Software” | nostr[.]software, revosoftware[.]company, reversed[.]software, carbonsparksoftware[.]blog, carbonsparksoftware[.]cloud |
| “Crack” | crackedbedwars[.]com, pccracked[.]org, soft-warecrack[.]store, crack-soft-ware[.]store, crackedprograms[.]co.uk |
| “Free” + “Ware” | freesoftwaredownload[.]net, freewaregadgets[.]com, freesoftwaresystem[.]com, freesoftwareapk[.]com, designsoftwarefree[.]com |
| “Software” + “App” | codeapp[.]software, applicationsoftwaredevelopment[.]com, vpmapping[.]software, bootstrappedsoftware[.]partners, softwareapp[.]online |
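The string and TLD analysis described above (the word cloud of lure terms, the TLD breakdown, the same SLD reused under several TLDs, and the Reverse-WHOIS-style filter that keeps only domains whose SLD contains a given combination of strings) can be reproduced over any IoC list with a short script. The code below is an added example written for this article, not a WhoisXML API tool or output; the domain list is constructed to resemble the IoCs discussed and the tiny public-suffix set is an assumption standing in for the full Public Suffix List.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample of defanged domains written in the style of the IoCs
# discussed above. Hypothetical values, not the report's actual IoC list.
SAMPLE_IOCS = [
    "free-crack-software[.]com",
    "cracksoftware[.]site",
    "cracksoftware[.]space",
    "freesoftwaredownload[.]net",
    "softwareapp[.]online",
    "example-update[.]org",
    "crackedprograms[.]co.uk",
    "nostr[.]software",
    "freewaregadgets[.]com",
]

# Lure strings highlighted by the report's word cloud.
LURE_KEYWORDS = ("free", "crack", "software")

# Assumption: a minimal stand-in for the Public Suffix List, just enough for the
# sample so that "co.uk" is treated as one suffix rather than "co" + "uk".
KNOWN_MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def refang(domain: str) -> str:
    """Turn a defanged name such as example[.]com back into example.com."""
    return re.sub(r"\[\.\]", ".", domain.strip()).lower()


def split_domain(domain: str) -> tuple[str, str]:
    """Return (second-level label, public suffix) for a possibly defanged name."""
    name = refang(domain)
    for suffix in KNOWN_MULTI_LABEL_SUFFIXES:
        if name.endswith("." + suffix):
            sld = name[: -len(suffix) - 1].split(".")[-1]
            return sld, suffix
    labels = name.split(".")
    if len(labels) < 2:
        return name, ""
    return labels[-2], labels[-1]


def keyword_counts(domains, keywords=LURE_KEYWORDS) -> Counter:
    """Count, per keyword, how many domain names contain it (the word-cloud view)."""
    counts: Counter = Counter()
    for d in domains:
        name = refang(d)
        for kw in keywords:
            if kw in name:
                counts[kw] += 1
    return counts


def tld_distribution(domains) -> Counter:
    """How the IoCs spread across TLDs (gTLDs, new gTLDs, ccTLD suffixes)."""
    return Counter(split_domain(d)[1] for d in domains)


def slds_reused_across_tlds(domains) -> dict[str, list[str]]:
    """SLD strings registered under more than one TLD (e.g. cracksoftware .site/.space)."""
    seen: dict[str, set[str]] = defaultdict(set)
    for d in domains:
        sld, tld = split_domain(d)
        seen[sld].add(tld)
    return {sld: sorted(tlds) for sld, tlds in seen.items() if len(tlds) > 1}


def sld_contains_all(domain: str, terms) -> bool:
    """Reverse-WHOIS-style filter: every term must appear somewhere in the SLD."""
    sld, _ = split_domain(domain)
    return all(t in sld for t in terms)


def connected_by_strings(domains, combos) -> dict[str, list[str]]:
    """Group domains by each string combination their SLD satisfies."""
    hits: dict[str, list[str]] = {}
    for combo in combos:
        label = " + ".join(f'"{t}"' for t in combo)
        hits[label] = [d for d in domains if sld_contains_all(d, combo)]
    return hits


if __name__ == "__main__":
    print("keywords:", dict(keyword_counts(SAMPLE_IOCS)))
    print("TLDs:", dict(tld_distribution(SAMPLE_IOCS)))
    print("SLD reuse:", slds_reused_across_tlds(SAMPLE_IOCS))
    combos = [("free", "ware"), ("software", "app"), ("crack",)]
    for label, found in connected_by_strings(SAMPLE_IOCS, combos).items():
        print(f"{label}: {found}")
```

Substring matching is deliberately loose here because that is how the string-combination search behaves in the table above ("ware" matches inside "software"); a production pipeline would swap the suffix set for a real Public Suffix List parser before trusting the TLD and SLD columns.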
We found 1,756 domains potentially connected to RedLine Stealer based on similar WHOIS details and string usage. While some may be legitimate software businesses, many hosted adult content and other suspicious pages.
Some examples include freesoftwareapk[.]com, which offers free software and features download buttons for each product, and softwareaktualisierung[.]live, which offers support services for Microsoft users. However, its WHOIS details can’t be attributed to the imitated organization.
Another reliable way to find more properties connected to the threat is to look at shared IP hosts. To do that, we used Reverse IP/DNS API and found that 98% of the IP addresses tagged as RedLine Stealer IoCs had 50 or fewer resolving domains. That may indicate they were dedicated IP addresses.
We found 750 IP-connected artifacts, some of which have already figured in malicious campaigns, including cybersquatting domains targeting Canada Post, Santander Bank, Scotia Bank, and Uniswap. Alarmingly, the Uniswap-related malicious domains continued to host content as shown below.
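The reverse IP pivot described in the last two paragraphs (treating an IoC IP with 50 or fewer resolving domains as likely dedicated, then reviewing the co-hosted domains for brand lookalikes such as the cybersquatting domains named above) is shown below as an added example written for this article, not a WhoisXML API tool or its API output. The reverse-IP mapping, the brand tokens and the allowlist of legitimate brand domains are all constructed, hypothetical values; the IP addresses come from the RFC 5737 documentation ranges.

```python
from __future__ import annotations

import re

# Constructed stand-in for a reverse IP/DNS lookup result: each IoC IP mapped
# to the domains currently resolving to it. Hypothetical values only.
REVERSE_IP_SAMPLE = {
    "198.51.100.7": ["uniswap-claim[.]xyz", "free-crack-software[.]com", "uniswapp-rewards[.]top"],
    "203.0.113.42": ["example-shop[.]com", "santander-secure-login[.]info"],
    # A crowded shared host: 120 unrelated tenants plus the brand's real domain.
    "192.0.2.99": [f"tenant{i}[.]example" for i in range(120)] + ["uniswap[.]org"],
}

# Brand tokens to watch for (constructed from the brands named above) and the
# brands' legitimate domains, which must never be flagged. Assumed values.
MONITORED_BRANDS = ("canadapost", "santander", "scotiabank", "uniswap")
BRAND_ALLOWLIST = {"canadapost.ca", "santander.com", "scotiabank.com", "uniswap.org"}

# The report treats 50 or fewer resolving domains as a sign of a dedicated IP.
DEDICATED_THRESHOLD = 50


def refang(domain: str) -> str:
    """Turn a defanged name such as example[.]com back into example.com."""
    return re.sub(r"\[\.\]", ".", domain.strip()).lower()


def is_dedicated(resolving_domains, threshold: int = DEDICATED_THRESHOLD) -> bool:
    """Few tenants on one IP suggests infrastructure set up for a single operation."""
    return len(resolving_domains) <= threshold


def brand_lookalikes(domains, brands=MONITORED_BRANDS, allowlist=BRAND_ALLOWLIST) -> list[str]:
    """Co-hosted domains that embed a monitored brand token but are not the brand's own."""
    hits = []
    for d in domains:
        name = refang(d)
        if name in allowlist:
            continue
        # Collapse separators so "uniswap-claim.xyz" and "uniswapp-rewards.top" both match.
        compact = name.replace("-", "").replace(".", "")
        if any(brand in compact for brand in brands):
            hits.append(d)
    return hits


def pivot_reverse_ip(reverse_ip, threshold: int = DEDICATED_THRESHOLD) -> dict[str, dict]:
    """Summarise each IoC IP: tenant count, dedicated-host verdict, brand lookalikes."""
    report = {}
    for ip, domains in reverse_ip.items():
        report[ip] = {
            "resolving_domains": len(domains),
            "likely_dedicated": is_dedicated(domains, threshold),
            "brand_lookalikes": brand_lookalikes(domains),
        }
    return report


if __name__ == "__main__":
    for ip, row in pivot_reverse_ip(REVERSE_IP_SAMPLE).items():
        kind = "dedicated" if row["likely_dedicated"] else "shared"
        print(f"{ip}: {row['resolving_domains']} domains ({kind}); lookalikes: {row['brand_lookalikes']}")
```

Lookalikes found on a shared host deserve less weight than those on a dedicated one, since a busy hosting IP co-locates unrelated tenants; the dedicated flag is what turns a co-hosted domain from "same provider" into "same infrastructure".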
Threat analysis is critical to understanding malicious actors’ tactics, techniques, and procedures (TTPs). A more targeted IoC analysis can surface suspicious and possibly dormant attack infrastructure before it is put to use.
By shedding light on the DNS footprints of public RedLine Stealer IoCs, we uncovered a total of 2,506 possible threat artifacts. Our analysis of the related properties shows that some have already figured in malicious campaigns, while others were suspicious.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.