Life on a crooked RedLine: Analyzing the infamous infostealer’s backend

UPDATE (November 12^th, 2024): We clarified the information in the fourth paragraph to better reflect RedLine's functionality before versus after the takedown.

On October 28^th, 2024, the Dutch National police, alongside the FBI, Eurojust, and several other law enforcement organizations, performed a takedown of the infamous RedLine Stealer malware-as-a-service (MaaS) operation, and its clone called META Stealer. This global effort, named Operation Magnus, resulted in the takedown of three servers in the Netherlands, the seizure of two domains, two people being taken into custody in Belgium, and the unsealing of charges against one of the alleged perpetrators in the United States.

Back in April 2023, ESET participated in a partial disruption operation of the RedLine malware, which consisted of the removal of several GitHub repositories used as dead-drop resolvers for the malware’s control panel. Around that time, we investigated previously undocumented backend modules of this malware family in collaboration with fellow researchers at Flare. These modules don’t interact directly with the malware, but rather handle authentication and provide functionality for the control panel.

Since RedLine has now been taken down, we are revealing our findings from 2023 publicly, along with some more recent discoveries that were made based on source code and samples shared with us by the Dutch National Police.

Note that most of this analysis was performed before the takedown. Additionally, there are old, cracked copies of the malware that might still work. This is why we are describing the RedLine operation as if it is an ongoing activity.

Key points of the blogpost:

• In 2023, ESET researchers, in collaboration with law enforcement, collected multiple modules used to run the infrastructure behind RedLine Stealer.
• We analyzed these previously undocumented modules to provide insight into the internal workings of this malware-as-a-service empire.
• We were able to identify over 1,000 unique IP addresses used to host RedLine control panels.
• The 2023 versions of RedLine Stealer we investigated in detail used the Windows Communication Framework for communication between the components, while the latest version from 2024 uses a REST API.
• Based on our analysis of the source code and backend samples, we have determined that Redline Stealer and META Stealer share the same creator.

RedLine Stealer is information stealing malware first discovered in 2020 by Proofpoint. Rather than being centrally operated, RedLine operates on a MaaS model in which anyone can buy a turnkey infostealer solution from various online forums and Telegram channels. Clients, called affiliates, can opt for a monthly subscription, or a lifetime license; in exchange for their money, they get a control panel that generates malware samples and acts as a C&C server for them. The generated samples can collect a large variety of information, including local cryptocurrency wallets; cookies, saved credentials, and saved credit card details from browsers; and saved data from Steam, Discord, Telegram, and various desktop VPN applications.

Using a ready-made solution makes it easier for the affiliates to integrate RedLine Stealer into larger campaigns. Some notable examples include posing as free downloads of ChatGPT in 2023, and masquerading as video game cheats in the first half of 2024.

Note on terminology used

 

Because of its MaaS model, any comprehensive discussion of RedLine will involve multiple different components and layers of network infrastructure. To limit any possible confusion, we will use the following terms consistently throughout the text:

• RedLine malware: The RedLine Stealer malware or a sample thereof.
• RedLine panel: GUI control panel used to manage infostealing campaigns.
• RedLine backend: Collection of modules that provide authentication and functionality for the RedLine panel.
• RedLine: The whole malware operation. This includes the RedLine malware, the RedLine panel, and the RedLine backend modules.
• Backend server: A server on which the RedLine backend runs.
• Victim: Entity targeted with the RedLine malware.
• Operator: The individual or team that develops RedLine, sells licenses, and operates the licensing and associated backend infrastructure.
• Affiliate: Entity that operates infostealing campaigns via an instance of the RedLine panel. They usually have a license bought from the operator, but may also use a cracked version of the panel.

Overview

In this blogpost we document modules running on RedLine’s backend servers to provide a greater understanding of the inner workings of this MaaS empire. We also provide some information on the RedLine panel. Figure 1 contains a simplified overview of the whole RedLine operation.

Ordinarily, known samples of RedLine panel distributed to affiliates are heavily packed and virtualized after the first layer of obfuscation is applied. But as we were looking through our telemetry for activity related to RedLine Stealer and its panel, we came across an old version of the RedLine panel that was only obfuscated with .NET Reactor, making it much easier to analyze.

RedLine’s toolset

All the components of RedLine, from the malware itself to the backend authentication server, are written in C# with the .NET framework. The versions we analyzed used the Windows Communication Foundation (WCF) framework to communicate with each other. This framework allows one to define an API using contracts, which are statements applied to classes and interfaces to specify how objects and actions are translated between their representation in the code and the network communications. Thus, programs that interact using this framework must share definitions of these data structures or classes. These shared models proved useful in our analysis of the obfuscated components.

Note that the latest 2024 RedLine version uses a REST API instead of WCF to communicate with the backend.

RedLine panel

This control panel is what affiliates can buy on forums and Telegram channels. Licenses sell for US$150 per month or US$900 for a lifetime license. In exchange for the money, the affiliates get a GUI through which they manage their campaigns, with features to configure what information to collect, create malware samples, view and manage collected information, and integrate with a Telegram bot to sell stolen information.

The 2023 versions of the panel we investigated were heavily obfuscated using DNGuard, a well-known .NET obfuscator, and BoxedApp, a commercial packer and virtualization library. Luckily for us, RedLine used the WCF framework so the panel had to share some classes and interfaces with other components. By analyzing these shared elements from the malware and backend components, which are less protected, we were able to understand a lot of the panel’s functionality despite the protections.

All RedLine panels from 2023 were signed with certificates issued to AMCERT,LLC by Sectigo, which have since been revoked after we reported them. AMCERT,LLC corresponds to a company registered in Armenia that doesn’t seem to have an online presence – quite unusual for a purported software developer.

Authentication

In order to use a RedLine panel, affiliates must first authenticate. Figure 2 shows the login prompt.

The RedLine panels we analyzed use GitHub repositories, like the one in Figure 3, as dead-drop resolvers for their authentication servers. The address of this repository is hardcoded in the panel, but it is not the same for all versions of the panel. Finding and removing several of these repositories in cooperation with GitHub is what enabled us to temporarily disrupt RedLine operations in April 2023. While the removal did not affect the malware’s backend, it forced the operators to distribute new versions of the panels. For a short while after the disruption, they moved the dead-drop resolvers to Pastebin, before choosing to use their own domains in May 2023, as described in our joint talk with Flare at Sleuthcon 2023. In the latest version of the RedLine panel, the threat actors abandoned the dead-drop resolvers completely and simply used a hardcoded URL https://fivto[.]online/secure-api/. More information on the dead-drop resolvers can be found in the Network infrastructure section.

By running the backend server components in a virtual network, we managed to create affiliate accounts and authenticate with our own instance without having to buy a subscription.

The first screen shown to affiliates upon logging in, seen in Figure 4, is filled with ads. While we do not know the exact nature of the ads served by the real authentication servers, we were able to create some in our own instance of the backend server for demonstration purposes. The backend server doesn’t host the actual images present in those ads, only their URLs.

The Black Lists tab allows affiliates to ignore incoming data by country, IP address, Build ID, or HWID (a unique ID computed from a victim machine’s domain name, username, and serial number). Regardless of the exclusions selected here, samples of RedLine Stealer all contain code to prevent execution if the locale is set to one of the following countries: Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Ukraine, and Russia.

The Telegram tab, shown in Figure 5, allows affiliates to configure a Telegram bot to post stolen data to specific chats or channels. The affiliate must provide a valid API token for the bot, and then can select which entries will be shared based on the country, Build ID, OS version, and domains found in cookies or saved logins. The bot can also be configured to share the full logs or only specific information as defined in the Message Format field, and to share statistics with the selected recipients (see Figure 6).

Creating malware samples in the front end

The Builder tab, shown in Figure 7, allows affiliates to create new RedLine Stealer samples by providing a RedLine panel server address, a Build ID, an error message to display, and an image to be used as the icon for the created sample. These last two are optional, with the image serving as the icon of the software RedLine is impersonating, while the error message can be used to mislead the victim as to why the expected application wasn’t started.

The Build ID is used as a campaign identifier and is sent by the samples along with stolen information. While some previously leaked versions of the RedLine panel included an executable to create builds locally, in newer versions this is performed by the backend server. This change makes any leaked or cracked RedLine panel much less useful since affiliates won’t have the ability to create samples to use with it. We describe the build process in the RedLine.Nodes.LoadBalancer section.

RedLine backend

The RedLine backend we analyzed in 2023 consists of two modules. The first one, named RedLine.Nodes.DbController, manages affiliate and advertisement data. Despite its name, this module doesn’t use a traditional database, but rather stores records as Protobuf-encoded objects in individual files, with a specific subdirectory for each type of data. The second module, named RedLine.Nodes.LoadBalancer, functions as the server and provides most of the functionality used by the RedLine panel.

We also found a module called RedLine.MainServer, which is probably the ancestor of RedLine.Nodes.DbController and RedLine.Nodes.LoadBalancer. In later versions, it was split off as a separate module that handles user and advertisement data.

In the 2024 version of the backend, DbController and LoadBalancer have been replaced by a single module named Nodes.Api.

RedLine.Nodes.DbController

In DbController, affiliate data is represented by a class named ClientData, detailed in Table 1.

Table 1. Description of ClientData properties

This is mostly straightforward but presents a few interesting quirks, mainly the way passwords and lifetime licenses are handled.

Looking at the code used to authenticate affiliates (shown in Figure 8) makes it obvious that passwords are stored in cleartext. The submitted password is compared directly to the stored one without any hashing function being involved.

Figure 9 shows that a lifetime license, which affiliates can buy for US$900, is represented by setting the expiration date of a given license to any date after 2025. This is alternatively referred to as a Pro License elsewhere in the code.

RedLine.Nodes.LoadBalancer

As seen in Figure 10, the LoadBalancer module listens on port 8778. This screenshot also shows the handlers defined in the MainPanelService WCF contract. The handlers that are related to affiliate and advertisement data – namely OnSignInInternal, OnConnect, OnCheckExpire, and OnGetPartners – delegate requests to the corresponding handler of DbController. The OnCheckConnect handler is used by the Redline panel to check whether its C&C server is reachable from the exterior. The rest of the handlers all relate to the creation of malware samples.

Sample creation in Redline backend

Since it was first documented in 2020, RedLine Stealer has been rewritten to use the WCF framework, and later a REST API, for network communication. As seen in Figure 11, the internal name for these rewritten versions appears to be RedLine.Reburn.

To create samples of the RedLine Stealer malware, the OnCreateLastBuild handler shown in Figure 10 uses the CreateBuild method from the custom VSBuilder class. When a CreateBuild request is received, the cleartext password for the affiliate’s account is logged to the console. This shows a casual disregard for well-known security practices.

If in the request no port is specified for the C&C server, the builder defaults to port 6677. When building a sample, the code in Figure 12 is used to derive a token from the campaign’s Build ID and the affiliate account’s Build Key. We believe this corresponds to the value of the ns1.Authorization header used in communication between the samples and panel. This header seems to be used by the panel to filter out connections from samples not created by the current account.

The VSBuilder.CreateBuild method uses a local C# solution to create samples. Some of the source files are read into memory to replace specific values before being written back to disk. While we were unable to collect the project’s files, the decompiler output for this method along with that of a RedLine Stealer sample provide enough context to understand that the modified values are:

• C&C address (encrypted),
• Build ID (encrypted),
• fake error message (encrypted),
• decryption key,
• flag to indicate whether to send stolen information in parts or all at once,
• authentication token, and
• assembly name.

Once these values are replaced, Visual Studio is invoked to build the project.

If the affiliate has selected the corresponding option, and has a lifetime license, the compiled executable is obfuscated with the commercially available Babel Obfuscator. In the 2024 version, obfuscation is implemented for all users and is done via .NET Reactor instead.

Finally, a self-signed certificate is generated with the code from Figure 13, and used to sign the executable. The fields of its Distinguished Name (DN) are filled with random dictionary words. The certificates generated this way use the hardcoded password 123321 and have a validity period extending from seven days before their generation to 10 years after.

The LoadBalancer module also provided an OnCreateClipper handler. As the name suggests, this was used to generate clipboard hijacking malware; in this case, it was used to hijack cryptocurrency transactions by replacing wallet addresses in the clipboard with those of attacker-controlled wallets. This functionality has been removed in the latest versions of the Redline backend.

Interestingly, the Builder class also contained dead code to generate a malware sample from a stub executable. We believe this was a leftover from the method used to generate previous versions of RedLine Stealer. The latest version of the Redline backend does not contain the code anymore.

Another handler, named OnSignFile, allows affiliates with lifetime licenses to sign arbitrary files with a certificate located on the backend server. We were unable to collect this certificate, but have reason to believe that it may be the same certificate used to sign RedLine panels, since it has also been used to sign a large number of RedLine Stealer and other malware samples. Another likely candidate is the certificate with the thumbprint 28F9A8E7601F5338BF6E194151A718608C0124A8, issued to Hangil IT Co., Ltd. This, likely stolen, certificate has been used to sign many RedLine Stealer samples and other malicious files. It has already been revoked.

RedLine.MainServer

The RedLine.MainServer module combines some of the functionality of the two previous modules with a GUI that allows the admin to easily manage affiliate accounts and advertisement data. Despite this added functionality, multiple factors indicate that this version of MainServer is probably an ancestor of LoadBalancer and DbController rather than a successor:

• MainServer samples are compiled with an older version of the .NET framework (4.6.2 vs 4.8).
• The assembly’s copyright year is 2020 instead of 2021.
• Some MainServer samples do not contain functionality for advertisements.
• The main WCF service’s contract (MainPanelService) does not include the IsAlive handler that is present in the same class as LoadBalancer. This handler is used by all the most recent RedLine panels we have analyzed.

Note that in later versions of the RedLine backend, the GUI administration panel has been split off into its own module also named MainServer.

The examined version of the GUI gave us interesting insight into RedLine management. It provides a form to create and edit affiliate account data, as shown in Figure 14. The fields correspond to the ClientData class described previously.

A similar form, in Figure 15, exists to manage advertisements.

Finally, the rudimentary dashboard in Figure 16 gives the operator an overview of license sales.

Nodes.Api

Analysis of samples shared by Dutch law enforcement shows that in the latest RedLine versions, the functionalities of the LoadBalancer and DbController modules have been combined into a new one named Nodes.Api. This backend module is packaged as a single-file .NET application and uses the WebApplication class from ASP.NET to provide the REST API used by the panels. As seen in Figure 17, the module handles requests sent to both RedLine (fivto[.]online) and META (spasshik[.]xyz) servers, showing that the two infostealers share the same operators.

Table 2 lists the endpoints exposed by the REST API along with the corresponding WCF handler from previous versions.

Table 2. RedLine endpoints

Unlike the 2023 versions of the backend we originally analyzed, lifetime licenses no longer appear in the code of the new module. Since licenses of this type were still being sold, we believe they were likely handled by simply setting their expiration to a date far in the future. Functionality related to code signing has also been completely removed.

Samples created by the Nodes.Api module are obfuscated using .NET Reactor if it is present at the hardcoded path C:\Program Files (x86)\Eziriz\.NET Reactor\dotNET_Reactor.exe. This corresponds to its default installation path.

Beyond the aforementioned changes, features that were present in older versions behave much as they did before. However, a couple of interesting functionalities have been added.

Affiliate management

Three endpoints used to manage affiliate data are exposed. These appear to be meant for use only by the operator, but this is handled in two very different ways. The /secure-api/updateDb endpoint causes the server to reload user data from disk. Figure 18 shows the update method invoked by the MainServer module whenever a new entry is created or modified. The operation is only performed by the Nodes.Api module if the request comes from a loopback address, which prevents Panel users from using it.

The other two endpoints, /edk92hd/createRandom and /edk92hd/renew, use a different method of mitigating unauthorized access. As seen in Figure 19, they can only be invoked if the request contains an sko3s header set to a seemingly random hardcoded value.

Backups

The other interesting feature is the ability to back up affiliate data, functionality that was missing in the older versions of the code. Since this data is stored in a series of files on disk, the backup is a ZIP archive of the directory that contains the files. This archive is then sent via Telegram using a hardcoded Chat ID shown in Figure 20.

Links with META Stealer

META Stealer is the other infostealer disrupted alongside RedLine Stealer. According to an article by Kela, META Stealer was first announced on cybercrime forums in March 2022. The author claimed that it used the same code as RedLine Stealer and provided the same functionality and panel. META Stealer hasn’t been investigated as thoroughly as RedLine Stealer, but our research indicates that the claims it initially made are accurate. Based on the source code, the two infostealers are most probably made by the same person. While there are some differences, most of the code is the same with instances of the string RedLine replaced by Meta. As can be seen in Figure 21, the code that is commented out to be inactive in RedLine is present in META.

As we already mentioned, another piece of evidence pointing towards RedLine and META having the same operators is seen in the code of the Nodes.Api module, which handles requests sent to both RedLine and META servers, as shown in Figure 17.

We also found two samples of the META panel signed with a certificate that was also used to sign samples of the RedLine panel. This panel used the same dead-drop resolver schemes, going as far as using the same AES and RSA keys, only with a different GitHub repository. Additionally, as Figure 22 shows, a comparison of the panels used by META and RedLine reveals only minor cosmetic differences.

META Stealer uses the same combination of DNGuard and BoxedApp to protect its panel from analysis. However, META’s authentication process could not be completed when run against our instance of the RedLine backend from 2023, so it seems to have been modified from that of RedLine.

Network infrastructure

By parsing samples of RedLine that we detected between November 30^th, 2022 and March 23^rd, 2023, we were able to identify over 1,000 unique IP addresses used to host RedLine panels. Figure 23 shows the geographical distribution of these hosted panels. Russia, Germany, and the Netherlands each account for about 20% of the total, while Finland and the United States each represent around 10%. Even though this data only comes from samples targeting our customers, we believe it paints a fairly accurate picture with regards to the overall distribution of the malware.

We were also able to identify multiple distinct backend servers. It’s likely that there were more in the dead-drop resolvers that we couldn’t decrypt. Based on their geographical distribution, shown in Figure 24, the servers are mainly located in Russia (about a third of them) while the UK, the Netherlands, and the Czech Republic each represent around 15% of the servers we identified.

Dead-drop resolvers

As we already mentioned, the 2023 versions of the RedLine panel used GitHub repositories as dead-drop resolvers for its authentication servers. These repositories all contained a file with an encrypted list of server addresses. The file was encrypted using a custom module simply named RSA. In one version of this module, shown in Figure 25, the list was encrypted using AES-CBC with a hardcoded key and IV, and saved to a file named nodesUpdate.config.

More recent versions, which were in use at least until mid 2024, employ RSA encryption instead (see Figure 26), with the output written to a file named nodes.config. In this case, the key is read from a file rather than being hardcoded in the executable. However, the class used to perform RSA encryption is also present in the LoadBalancer module, with hardcoded default values for the public and private keys. Note the use of “nodes” again to refer to the backend servers.

We have observed GitHub repositories that contain at least one such encrypted file. Along with the keys shown above, we were able to extract an RSA private key from a sample of the panel. This allowed us to obtain lists of authentication servers, which we shared with law enforcement agencies.

Conclusion

Before Operation Magnus, RedLine was among the most widespread of infostealer malware with a very large number of affiliates using its control panel. However, the malware-as-a-service enterprise seems to be orchestrated by only a handful of people, some of whom have been identified by law enforcement.

META Stealer, RedLine Stealer’s clone and most probably created by the same threat actors, made its entry into the field in 2022. It does not appear to be a successor to RedLine, since the development of both families has continued in parallel. It was taken down alongside RedLine Stealer.

Our in-depth analysis of the behind-the-scenes parts of RedLine – its control panel and backend – hopefully provides a more holistic understanding of this threat.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

Network

Note that the domains in the table below have been seized by law enforcement. The other panel and server addresses that we collected were shared with law enforcement agencies on a regular basis to help in their actions and are no longer active.

MITRE ATT&CK techniques

This table was built using version 15 of the MITRE ATT&CK framework.