Life on a Crooked RedLine:
Analyzing the Infamous InfoStealer's Backend
Alexandre Côté Cyr | Mathieu Lavoie
RedLine Stealer, first observed in 2020, is one of the most widely known information stealing malware. It operates on a Malware-As-A-Service (MaaS) model and is sold via forums and Telegram where affiliates can buy an all-in-one Control Panel. This panel can generate stealer samples, function as a C&C server for these samples, and manage the stolen information. Many of these affiliates then sell the collected logs over similar channels.
During one of our investigations, we uncovered the modules that form the third layer of the MaaS infrastructure, namely the backend server for the control panels themselves. Unlike the other components of RedLine, this backend has never been publicly documented. The presentation will start with a quick high-level overview of the RedLine malware, its prevalence, and its features in order to give all attendees a baseline understanding of how it works. We will then go over the most common infection methods, as well as a dive into the stealer logs market, covering their role in financial fraud, data breaches, and targeted attacks. The stealer logs aftermarket varies greatly in distribution channels; the presentation will offer visibility into the volume of sales and how specialized threat actors are leveraging stealer logs as a vector to facilitate cybercrime.
Then, we will present the control panel used by the affiliates, focusing on features specific to the most recent versions we found. We will also provide some insights into the network communication and infrastructure the panel uses to communicate with its backend.
The main section of this talk will be a technical analysis of the backend server software written in C#. This server consists of two modules working in tandem which we will describe in turn. The first one is named "LoadBalancer" and its role, along with handling network communication, is to provide services for the panels. These services include generating samples of the RedLine malware and obfuscating them, generating samples of a lesser-known clipboard-hijacker, and signing files. The second module, named "DbController", is responsible for user authentication and advertisements that are displayed in the control panel. As we describe these modules, we will highlight some of the weird design choices and poor security practices used by the developers.
The presentation will conclude with a demo of the control panel and backend in a virtual network.