FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson, Staff
Article Id 243730

Introduction

Redline is a type of stealer malware that has been around since at least 2013. It is a multifunctional tool that can be used to steal confidential information, launch denial-of-service attacks, and perform malicious activities such as data exfiltration and remote code execution. Redline is a highly modular malware that is capable of downloading additional malicious payloads as well as updating itself. It has been observed in a variety of targeted attacks, including espionage campaigns and ransomware attacks and has been used by multiple threat actors in a variety of campaigns.

The most notable threat actors associated with previous Redline activity are the APT10 and Sofacy threat groups. APT10 is believed to be a Chinese state-sponsored group that has been active since at least 2009 and has targeted a variety of organizations, including government agencies and technology companies. Sofacy is believed to be a Russian-affiliated group that has been active since at least 2007 and has primarily targeted government agencies and embassies in the United States and Europe. Redline Information Stealer is typically delivered through malicious email attachments, malicious websites, and other malicious sources and is also able to spread through peer-to-peer networks.

In this article we will analyze the typical behavior of a recent Redline sample observed in the wild (ITW) and will examine how FortiEDR detects and mitigates the behavior associated with this threat. In addition, we will provide some FortiEDR Threat Hunting queries that will allow your SOC to add context to security events triggered by this common malware family.

Attack Diagram

Figure 1. Attack diagram showing the infection chain associated with the Redline stealer sample analyzed throughout this article. Note that Redline is distributed as part of numerous campaigns so stages may vary between variants.

Execution Analysis

On first execution of a recent Redline sample (Setup.exe), FortiEDR flags a security event on the Redline executable as an ‘Unconfirmed Executable’. In this case the executable was flagged because machine learning algorithms within Fortinet Cloud Services identified a number of indicators within the executable that are associated with malicious executables, and the file could not be verified. During this testing FortiEDR was in monitor mode and did not block any activity, but with Prevention mode enabled this detection would have stopped initial execution. The associated security event can be seen below in Figure 2.

Figure 2. FortiEDR identifies the unknown Redline stealer sample through machine learning integration with the Fortinet Cloud Services backend. This is a screenshot of the related security event through the FortiEDR interface.

On execution the main executable process (Setup.exe) attempts a network connection to a randomized URL; in the testing for this analysis the URL was ‘http[://]gqSCBlsNWYQQzjBeXxy5kS9zP[.]iYX7Z7YniQEQJYp0N/’. This is likely a check for whether the sample is running in a honeypot or in an analysis environment linked to inetsim[1] or a similar internet simulator: if the connection succeeds, the check fails and the sample does not continue. This behavior is detected by FortiEDR, and some details of the security event associated with this connection attempt are shown below in Figure 3.

Figure 3. FortiEDR detects and blocks network attempts from the main Redline executable, in this case these network connections are web requests for a randomized domain.

Once this check is passed, the main process (Setup.exe in this testing) performs an HTTP request for the resource “https[://]loopplanet[.]com/fonts/library.bin”. This request downloads the main Redline payload, including its configuration. FortiEDR detects this network connection through a security event like the one shown above. Update Jan 2023: This C2 is no longer actively serving a Redline config.

Figure 4. FortiEDR Threat Hunting events showing the HTTP requests sent by the main Redline process, first to the random URL and then to the compromised ‘loopplanet’ webpage which hosts the Redline payload and config.

This domain is associated with what appears to be a compromised webserver hosting content related to a crypto based social media platform ‘Loop Planet’. The URL is flagged by FortiGuard Central Threat System (CTS) as a known malicious website used for C2 as shown in Figure 5 below.

Figure 5. FortiGuard CTS identifies this domain as a high confidence compromised website associated with malware installation since at least late November 2022.

Following this connection an instance of ‘ngentask.exe’ is spawned by the main process (Setup.exe) and then hollowed. Ngentask.exe is a signed Microsoft binary that forms part of the .NET Framework used to execute .NET applications. Ngentask.exe is not commonly monitored by antivirus software, or may have been excluded from alerting to filter out false positives. Hollowing this process in particular is likely a defense evasion technique that takes advantage of the fact that ngentask is often spawned following execution of a .NET binary. The ‘ngentask.exe’ process is hollowed, and the file downloaded from the URL above (the main Redline payload) is then loaded into the hollowed process and executed. This process hollowing behavior and the subsequent network connections to C2 are detected and mitigated by FortiEDR’s Exfiltration Prevention policy as shown below in Figure 6.

Figure 6. FortiEDR security event triggered by the main Redline process, Setup.exe, performing process hollowing on the ngentask.exe process to inject the main Redline payload prior to connecting to external C2.

The hollowed process attempts network connections to the IP 212[.]192.31.207 on port 3346. Looking up this IP in FortiGuard Central Threat System (CTS) identifies this as a current C2 IP associated with the Redline stealer as shown in Figure 7 below.

Figure 7. FortiGuard CTS identifies this IP as being associated with Redline C2 since at least late November 2022. Note the high confidence rating where the network connection is on port 3346.

Once the initial connection occurs the hollowed process continues to connect to the C2 periodically every few minutes awaiting commands. Given this C2 has been identified and tagged accurately by the FortiGuard Threat Intelligence team as hosting a malicious website, endpoints protected by FortiEDR or any other components of the Fortinet Security Fabric that take advantage of this threat intelligence will be protected from communication with this C2.

Conclusion

As highlighted in the above article, FortiEDR provides a layered defense against the behaviors related to the installation and utilization of stealers such as Redline. This layered approach maximizes the protection afforded by an established FortiEDR solution and minimizes the impact of human error during the tuning process. FortiEDR Threat Hunting provides opportunities to build even more targeted detections through scheduled queries as highlighted in the Threat Hunting queries shown below. Scheduled queries can be used to reduce event triage time by providing additional context to standard security events that can assist a SOC team in more quickly identifying a Redline intrusion.

Threat Hunting

The following query will identify FortiEDR HTTP Request events associated with known malicious URLs linked to the installation stage of the Redline sample analyzed in this article. Note that this query should be expanded to include new Redline installation URLs as they are identified.

Type:"HTTP Request" AND URL: "https\:\/\/loopplanet.com\/fonts\/library.bin"

The following query will identify FortiEDR Socket Connect events associated with known malicious IP:port combinations linked to the C2 stage of the Redline sample analyzed in this article. Note that this query should be expanded to include new Redline C2 IPs/ports as they are identified.

Type:"Socket Connect" AND (RemoteIP:"212.192.31.207" AND RemotePort:"3346")
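As an added example (not code from the article or from FortiEDR), the two queries above re-expressed in Python over constructed telemetry records, extended with a per-host correlation of the three stages described in this article: the loopplanet download, ngentask.exe spawned by an untrusted parent (Figure 6), and the socket connect to the C2 IP:port. The Host, Process and ParentPath field names and the trusted-parent rule are assumptions.

```python
# Added example (not from the article or FortiEDR): the two Threat Hunting
# queries above re-expressed in Python over constructed telemetry, plus a
# per-host check for the ngentask.exe hollowing stage described in Figure 6.
from collections import defaultdict

# Indicators from the article's IOC table, defanging brackets removed.
INSTALL_URLS = {"https://loopplanet.com/fonts/library.bin"}
C2_ENDPOINTS = {("212.192.31.207", 3346)}
# Assumption: a legitimately launched ngentask.exe has a parent under C:\Windows.
TRUSTED_PARENT_PREFIX = "c:\\windows\\"


def classify(ev):
    """Label one event or return None. Type/URL/RemoteIP/RemotePort mirror the
    query fields above; Host, Process and ParentPath are assumed field names."""
    t = ev.get("Type")
    if t == "HTTP Request" and ev.get("URL") in INSTALL_URLS:
        return "install"
    if t == "Socket Connect":
        if (ev.get("RemoteIP"), int(ev.get("RemotePort", 0))) in C2_ENDPOINTS:
            return "c2"
    if t == "Process Creation":
        child = ev.get("Process", "").lower()
        parent = ev.get("ParentPath", "").lower()
        if child.endswith("ngentask.exe") and not parent.startswith(TRUSTED_PARENT_PREFIX):
            return "hollowing"
    return None


def hunt(events):
    """Collect stage labels per host; all three stages on one host are reported
    as a full Redline chain, otherwise the sorted list of stages seen."""
    stages = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            stages[ev["Host"]].add(label)
    return {h: "full-chain" if s == {"install", "hollowing", "c2"} else sorted(s)
            for h, s in stages.items()}


NGENTASK = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngentask.exe"
# Constructed sample telemetry modelled on the chain in Figures 3 to 7.
SAMPLE_EVENTS = [
    {"Host": "ws01", "Type": "HTTP Request", "URL": "http://gqSCBlsNWYQQzjBeXxy5kS9zP.iYX7Z7YniQEQJYp0N/"},
    {"Host": "ws01", "Type": "HTTP Request", "URL": "https://loopplanet.com/fonts/library.bin"},
    {"Host": "ws01", "Type": "Process Creation", "Process": NGENTASK, "ParentPath": "C:\\Users\\u\\Downloads\\Setup.exe"},
    {"Host": "ws01", "Type": "Socket Connect", "RemoteIP": "212.192.31.207", "RemotePort": "3346"},
    {"Host": "ws02", "Type": "Process Creation", "Process": NGENTASK, "ParentPath": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngen.exe"},
    {"Host": "ws02", "Type": "Socket Connect", "RemoteIP": "203.0.113.5", "RemotePort": "443"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields `{'ws01': 'full-chain'}`; the random guardrail URL and the benign ws02 events produce no label, so only hosts with at least one matching stage appear in the result.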

MITRE Techniques

TA0042 – Resource Development

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1584 | Compromise Infrastructure | As part of the campaign linked to the analyzed Redline stealer, the responsible threat actor appears to have compromised external infrastructure (loopplanet) and was using this compromised infrastructure to host its main Redline payload. |

TA0002 – Execution

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1204.002 | User Execution: Malicious File | The infection chain starts when a user downloads and executes a fake installer or fake update. This installer/update is the Redline loader (in this case 'Setup.exe'). |

TA0005 – Defense Evasion

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1055.012 | Process Injection: Process Hollowing | Redline spawns an instance of the legitimate ngentask.exe executable in suspended mode and hollows it to inject the final Redline agent payload. |
| T1627 | Execution Guardrails | The Redline loader first checks whether a random URL is reachable through a web request. If the URL is reachable the loader will not continue to execute. This is likely intended to prevent the sample from executing in some sandbox environments. |

TA0011 – Command and Control

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1571.001 | Non-Standard Port | Redline C2 uses port 3346, which is not likely to be a standard port used in most environments. |
| T1071 | Application Layer Protocol | The Redline loader downloads the main Redline payload for loading into the hollowed process via a standard HTTP web request. |


IOCs

The following IOCs were extracted from analysis conducted as part of generating this article, from live events in FortiGuard MDR customer environments, and through pivoting in FortiGuard malware databases. Redline infrastructure changes regularly, so for brevity only indicators linked to the same campaign as the sample analyzed in this article have been included.

| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
|---|---|---|---|---|---|
| Redline Installation URL | https[://]loopplanet[.]com/fonts/library.bin | Domain | Installation | URL contacted to download main Redline payload and config during installation | 29-11-22 |
| Redline C2 IP and port | 212.192.31[.]207:3346 | IP Address and port | C2 | Redline C2 for main payload | 29-11-22 |
| Redline file hash | 6E1F82FD9D610C85CF626774FFAD8DE24843E36C | SHA1 | Installation | Redline executable | 29-11-22 |
| Redline C2 IP and port | 185.106.92[.]214:2510 | IP Address and port | C2 | Redline C2 for main payload | 29-11-22 |
| Redline C2 IP and port | 116.202.5[.]223:28786 | IP Address and port | C2 | Redline C2 for main payload | 29-11-22 |
| Redline C2 IP and port | 45.15.156[.]60:39908 | IP Address and port | C2 | Redline C2 for main payload | 29-11-22 |
| Redline C2 IP and port | 172.86.120[.]146:2819 | IP Address and port | C2 | Redline C2 for main payload | 29-11-22 |
| Redline C2 IP and port | 91.227.41[.]144:13353 | IP Address and port | C2 | Redline C2 for main payload | 29-11-22 |
| Redline C2 IP and port | 185.196.20[.]55:45433 | IP Address and port | C2 | Redline C2 for main payload | 29-11-22 |
| Redline C2 IP and port | 85.208.136[.]178:46539 | IP Address and port | C2 | Redline C2 for main payload | 29-11-22 |


[1] https://www.inetsim.org/
