
Signs of Ongoing RedLine Stealer Operation Found Through a DNS Deep Dive

RedLine Stealer seems to have stolen cybercriminals’ hearts as its usage has continued despite cybersecurity efforts to thwart it. Researchers have published reports about the stealer in the past, but its operators may have updated their arsenal with new domains and IP addresses to evade detection and consequent mitigation.

The Threat Intelligence Platform (TIP) research team recently amassed 53 domains identified as RedLine Stealer indicators of compromise (IoCs). As usual, we conducted an IoC list expansion analysis to identify as many potentially connected artifacts as possible to help organizations avoid infection and its nasty repercussions.

Our DNS deep dive into the RedLine Stealer IoCs led to the discovery of:

  • Five public email addresses from the IoCs’ current WHOIS records
  • 91 email-connected domains
  • Five IP addresses to which the domains identified as IoCs resolved
  • One IP-connected domain

A sample of the additional artifacts obtained from our analysis is available for download from our website.

DNS Deep Dive Findings about the RedLine Stealer IoCs

We began our in-depth analysis of the RedLine Stealer IoCs by looking at their current WHOIS records, which revealed that:

  • Only six of the 53 domains identified as IoCs (11%) had current WHOIS records.
  • The six domains identified as IoCs were distributed among four registrars led by GoDaddy.com and Namecheap, each accounting for two domains.
  • Three of the six domains with accessible WHOIS records were created in 2022, while one each was created in 1998, 2018, and 2023.
  • Five of the six domains with available WHOIS data were possibly registered in the U.K., while the remaining one was seemingly registered in the U.S.

A closer look at the text strings used in the 53 domains identified as IoCs pointed to possible software impersonation, since the names of popular software makers or their applications appear in them: adobe (adobepremierepro[.]tiny[.]us); anydesk (anydesk-go[.]com, anydesk-new[.]com, and anydesk-pro[.]com); expres-v, perhaps for “Express VPN” (expres-v[.]com); whatisapp, a misspelled variant of “WhatsApp” (pc-whatisapp[.]com); and telegram (telegram-home[.]com).

TIP showed that only adobepremierepro[.]tiny[.]us was accessible and seemed to have been created through a URL shortening service. The domains anydesk-go[.]com, anydesk-new[.]com, anydesk-pro[.]com, expres-v[.]com, pc-whatisapp[.]com, and telegram-home[.]com, meanwhile, were inaccessible as of this writing.

Screenshot of the page hosted on the IoC adobepremierepro[.]tiny[.]us

WHOIS lookups for the domains anydesk-go[.]com, anydesk-new[.]com, anydesk-pro[.]com, expres-v[.]com, pc-whatisapp[.]com, and telegram-home[.]com revealed that all six had incomplete records. The property adobepremierepro[.]tiny[.]us, meanwhile, was excluded from the WHOIS lookup analysis since the root domain tiny[.]us seems to be a third-party service that was likely abused as part of the malicious campaign.

The official domain of WhatsApp (i.e., whatsapp[.]com) had a public WHOIS record. As such, we could infer that pc-whatisapp[.]com was not publicly attributable to the tech company.

While the WHOIS records of anydesk[.]com, expressvpn[.]com, and telegram[.]org were redacted, their owners did indicate a registrant country (i.e., Germany, the U.K., and the U.S., respectively), which was not the case for anydesk-go[.]com, anydesk-new[.]com, anydesk-pro[.]com, and expres-v[.]com. Meanwhile, the domains telegram-home[.]com and telegram[.]org had the same registrant country.

Some of the domains identified as IoCs also contained text strings associated with solution downloads, like plugin (best-plugins[.]tiny[.]us); soft, a shortened form of “software” (interactive-soft[.]xyz); and software (really-software[.]xyz).
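The string analysis above can be turned into a screening check for newly observed domains. The following is an added example, not TIP's own tooling: the similarity threshold, the `adobe.com` entry, and the function names are assumptions, and the sample list is constructed from domains quoted in this article.

```python
from difflib import SequenceMatcher

# Brand keyword -> official domain. Four of these official domains are the
# ones the article compares against; adobe.com is an assumption added here.
BRANDS = {
    "anydesk": "anydesk.com",
    "expressvpn": "expressvpn.com",
    "whatsapp": "whatsapp.com",
    "telegram": "telegram.org",
    "adobe": "adobe.com",
}
LURES = ("plugin", "soft")  # download-themed strings noted in the article
NEAR = 0.8                  # similarity threshold (assumed; tune on your data)

def refang(domain):
    """Turn a defanged indicator such as name[.]com back into name.com."""
    return domain.replace("[.]", ".").strip().lower()

def classify(domain):
    """Return (brand, kind, lure); kind is 'contains', 'near' or None."""
    name = refang(domain)
    if any(name == o or name.endswith("." + o) for o in BRANDS.values()):
        return (None, None, False)      # the brand's own domain or subdomain
    labels = name.split(".")[:-1]       # every label except the TLD
    lure = any(k in label for label in labels for k in LURES)
    for label in labels:
        joined = label.replace("-", "")  # expres-v -> expresv
        candidates = label.split("-") + [joined]
        for brand in BRANDS:
            if brand in joined:
                return (brand, "contains", lure)
            if any(SequenceMatcher(None, c, brand).ratio() >= NEAR
                   for c in candidates):
                return (brand, "near", lure)   # misspelled or truncated brand
    return (None, None, lure)

# Constructed sample: defanged domains quoted in the article.
SAMPLE = ["adobepremierepro[.]tiny[.]us", "anydesk-go[.]com", "expres-v[.]com",
          "pc-whatisapp[.]com", "telegram-home[.]com", "best-plugins[.]tiny[.]us",
          "interactive-soft[.]xyz", "whatsapp[.]com"]

def triage(domains):
    """Keep only domains that carry a brand match or a download lure."""
    results = {d: classify(d) for d in domains}
    return {d: r for d, r in results.items() if r != (None, None, False)}
```

A hit from this check is a reason to look at the domain's WHOIS and DNS records, as the article does, not a verdict on its own.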

RedLine Stealer IoC List Expansion Results

To identify as many potentially connected artifacts as possible, we scrutinized the IoCs’ historical WHOIS records to obtain a list of email addresses. We found 37 email addresses, nine of which turned out to be public (i.e., unredacted and attributable to an individual or organization).

Next, we filtered the list of public email addresses to leave only those used to register a maximum of 50 domains. We were left with five public email addresses that were used to register a total of 91 domains after duplicates and those already identified as IoCs were filtered out.
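The email pivot described in the two paragraphs above can be sketched as follows. This is an added example, not TIP's code: the record format, the `is_public` heuristic, and all `.example` names are constructed, and counting every domain seen for an address toward the cap of 50 is an assumption.

```python
from collections import defaultdict

MAX_DOMAINS_PER_EMAIL = 50  # cap stated in the article

def is_public(email):
    """Hypothetical heuristic: treat privacy/redaction addresses as non-public."""
    return not any(marker in email for marker in ("privacy", "redacted"))

def email_pivot(iocs, history):
    """history: (domain, registrant_email) pairs from historical WHOIS data,
    covering the IoCs and every other domain seen for the same addresses.
    Returns (emails kept for pivoting, email-connected domains)."""
    iocs = {d.lower() for d in iocs}
    by_email = defaultdict(set)
    for domain, email in history:
        by_email[email.lower()].add(domain.lower())  # sets remove duplicates
    kept, connected = [], set()
    for email in sorted(by_email):
        domains = by_email[email]
        if not domains & iocs:
            continue    # address never appeared on an IoC's record
        if not is_public(email):
            continue    # redacted or privacy-service address
        if len(domains) > MAX_DOMAINS_PER_EMAIL:
            continue    # registered more than the cap; excluded by the filter
        kept.append(email)
        connected |= domains - iocs  # drop domains already known as IoCs
    return kept, sorted(connected)

# Constructed sample data (RFC 2606 reserved names, not real indicators).
IOCS = {"ioc-one.example", "ioc-two.example"}
HISTORY = [
    ("ioc-one.example", "alice@mail.example"),
    ("other-a.example", "alice@mail.example"),
    ("OTHER-B.example", "Alice@mail.example"),   # same registrant, mixed case
    ("ioc-two.example", "redacted@privacy-proxy.example"),
    ("hidden.example", "redacted@privacy-proxy.example"),
    ("ioc-two.example", "bulk@reseller.example"),
    ("unrelated.example", "bob@mail.example"),
] + [(f"bulk-{i}.example", "bulk@reseller.example") for i in range(60)]

def demo():
    return email_pivot(IOCS, HISTORY)
```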

We then looked closer into the 53 IoCs’ A records and found that they resolved to five unique IP addresses after duplicates were removed. Further scrutiny of the IP addresses’ geolocation data revealed that:

  • Four of the five IP addresses were geolocated in the U.S., while one had redacted information. Interestingly, this data does not coincide with the top registrant country—the U.K.
  • Amazon was the top Internet service provider (ISP), accounting for three of the IP addresses. One IP address was administered by Hurricane Electric, while one did not have public ISP data.

Only one of the IP addresses was seemingly dedicated and hosted one domain that had not already been identified as an IoC.

The TIP screenshots for the 92 connected domains revealed that only 48 remained accessible as of this writing. The remaining 44 were unreachable. We also discovered that:

  • 18 were parked and likely up for sale
  • 12 seemed to lead to live company web pages
  • 18 led to either error, blank, or loading pages

Our IoC expansion analysis of the unreported RedLine Stealer domains led to the discovery of 134 potentially connected web properties in total (37 email addresses, 91 email-connected domains, five IP addresses, and one IP-connected domain).

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy-to-use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers and drawing on our substantial internal databases (compiled for 10+ years) and real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.
