RedLine Stealer seems to have stolen cybercriminals’ hearts as its usage has continued despite cybersecurity efforts to thwart it. Researchers have published reports about the stealer in the past, but its operators may have updated their arsenal with new domains and IP addresses to evade detection and consequent mitigation.
The Threat Intelligence Platform (TIP) research team recently amassed 53 domains identified as RedLine Stealer indicators of compromise (IoCs). As usual, we conducted an IoC list expansion analysis to identify as many potentially connected artifacts as possible to help organizations avoid infection and its nasty repercussions.
Our DNS deep dive into the RedLine Stealer IoCs led to the discovery of:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our in-depth analysis of the RedLine Stealer IoCs by looking at their current WHOIS records, which revealed that:
A closer look at the text strings used in the 53 domains identified as IoCs highlighted possible software impersonation, given the appearance of popular software makers’ or applications’ names: adobe (adobepremierepro[.]tiny[.]us); anydesk (anydesk-go[.]com, anydesk-new[.]com, and anydesk-pro[.]com); expres-v, possibly for “Express VPN” (expres-v[.]com); whatisapp, a misspelled variant of “WhatsApp” (pc-whatisapp[.]com); and telegram (telegram-home[.]com).
TIP showed that only adobepremierepro[.]tiny[.]us was accessible and seemed to be created through a URL shortening service. Anydesk-go[.]com, anydesk-new[.]com, anydesk-pro[.]com, expres-v[.]com, pc-whatisapp[.]com, and telegram-home[.]com, meanwhile, were inaccessible as of this writing.
WHOIS lookups for the domains anydesk-go[.]com, anydesk-new[.]com, anydesk-pro[.]com, expres-v[.]com, pc-whatisapp[.]com, and telegram-home[.]com revealed that all six had incomplete records. The property adobepremierepro[.]tiny[.]us, meanwhile, was excluded from the WHOIS lookup analysis since the root domain tiny[.]us seems to be a third-party service that was likely abused as part of the malicious campaign.
The official domain of WhatsApp (i.e., whatsapp[.]com) had a public WHOIS record. As such, we could infer that pc-whatisapp[.]com was not publicly attributable to the tech company.
While anydesk[.]com’s, expressvpn[.]com’s, and telegram[.]org’s WHOIS records were redacted, their owners did indicate a registrant country (i.e., Germany, the U.K., and the U.S., respectively) which was not the case for anydesk-go[.]com, anydesk-new[.]com, anydesk-pro[.]com, and expres-v[.]com. Meanwhile, the domains telegram-home[.]com and telegram[.]org had the same registrant country.
Some of the domains identified as IoCs also contained text strings associated with solution downloads like plugin (best-plugins[.]tiny[.]us); soft, a shortened form of “software,” (interactive-soft[.]xyz); and software (really-software[.]xyz).
To identify as many potentially connected artifacts as possible, we scrutinized the IoCs’ historical WHOIS records to obtain a list of email addresses. We found 37 email addresses, nine of which turned out to be public (i.e., unredacted and attributable to an individual or organization).
Next, we filtered the list of public email addresses to leave only those used to register a maximum of 50 domains. We were left with five public email addresses that were used to register a total of 91 domains after duplicates and those already identified as IoCs were filtered out.
We then looked closer into the 53 IoCs’ A records and found that they resolved to five unique IP addresses after duplicates were removed. Further scrutiny of the IP addresses’ geolocation data revealed that:
Only one of the IP addresses was seemingly dedicated and hosted one domain that had not already been identified as an IoC.
The TIP screenshots for the 92 connected domains revealed that only 48 remained accessible as of this writing. The remaining 44 were unreachable. We also discovered that:
Our IoC expansion analysis of the unreported RedLine Stealer domains led to the discovery of 134 potentially connected web properties in total (37 email addresses, 91 email-connected domains, five IP addresses, and one IP-connected domain).
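The pivot chain described above (historical WHOIS emails, the 50-domain registrant filter, A-record resolution, and the dedicated-IP check), as an added Python example that is not part of the original post or the TIP product; every domain, email address and IP address in it is constructed, and the privacy-proxy heuristic and the "dedicated IP" threshold of five hosted names are assumptions.

```python
# Constructed sample data for illustration; none of these are real indicators.
IOCS = {"anydesk-go.example", "expres-v.example", "really-software.example"}
WHOIS_HISTORY = {  # registrant emails seen in each IoC's historical WHOIS records
    "anydesk-go.example": ["owner@privacyproxy.example", "reg1@mail.example"],
    "expres-v.example": ["reg1@mail.example"],
    "really-software.example": ["reg2@mail.example", "owner@privacyproxy.example"]}
REVERSE_WHOIS = {  # every domain each email was ever used to register
    "reg1@mail.example": ["anydesk-go.example", "expres-v.example",
                          "anydesk-x.example", "anydesk-y.example"],
    "reg2@mail.example": ["really-software.example"]
                         + [f"bulk{i}.example" for i in range(60)]}
A_RECORDS = {"anydesk-go.example": ["198.51.100.10"],
             "expres-v.example": ["198.51.100.10"],
             "really-software.example": ["198.51.100.20"]}
REVERSE_IP = {"198.51.100.10": ["anydesk-go.example", "expres-v.example"],
              "198.51.100.20": ["really-software.example", "shop-soft.example"]}
PRIVACY_MARKERS = ("privacy", "proxy", "redacted")  # assumed redaction heuristic

def whois_emails(iocs, history):
    """Return (all_emails, public_emails) from the IoCs' historical WHOIS records."""
    all_emails = {e for d in iocs for e in history.get(d, []) if "@" in e}
    public = {e for e in all_emails
              if not any(m in e.lower() for m in PRIVACY_MARKERS)}
    return all_emails, public

def email_connected(public_emails, reverse_whois, iocs, max_domains=50):
    """Pivot on public emails that registered at most max_domains (noise filter)."""
    found = {d for e in public_emails if len(reverse_whois.get(e, [])) <= max_domains
             for d in reverse_whois.get(e, [])}  # skip bulk registrants / resellers
    return found - iocs

def ip_connected(iocs, a_records, reverse_ip, exclude, max_hosted=5):
    """Resolve IoCs to IPs; pivot only on seemingly dedicated IPs (few hosted names)."""
    ips = {ip for d in iocs for ip in a_records.get(d, [])}
    hosted = {d for ip in ips if len(reverse_ip.get(ip, [])) <= max_hosted
              for d in reverse_ip[ip]}  # shared hosting would pull in unrelated sites
    return ips, hosted - iocs - exclude

def expand(iocs):
    """Run the full pivot chain and return artifact counts per category."""
    emails, public = whois_emails(iocs, WHOIS_HISTORY)
    ec_domains = email_connected(public, REVERSE_WHOIS, iocs)
    ips, ip_domains = ip_connected(iocs, A_RECORDS, REVERSE_IP, ec_domains)
    counts = {"emails": len(emails), "email_domains": len(ec_domains),
              "ips": len(ips), "ip_domains": len(ip_domains)}
    counts["total"] = sum(counts.values())
    return counts
```

On the constructed data the bulk registrant (61 domains) is dropped by the 50-domain filter, so only the two extra anydesk-style names and the one co-hosted domain survive, which is the same shape of result the post reports.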
If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.