

RedLine Stealer is a malware strain designed to steal sensitive information from compromised systems. It is typically distributed through phishing emails, social engineering tactics and malicious URL links. Since its release, threat actors and adversaries have leveraged RedLine Stealer because of its availability and its flexibility for stealing credentials, which can lead to financial loss and data leakage. In 2020, a RedLine campaign targeted both enterprise and personal devices. Many industries received these malicious campaigns, but the most impacted were the healthcare and manufacturing sectors. More recently (May 10, 2023), Stormshield reported a RedLine campaign that used a malicious Chrome extension to download several other malware families, including Smoke Loader and the Amadey Trojan.

Amadey is a botnet that is currently being used to distribute RedLine, which steals data such as browser credentials, cryptocurrency wallets and even credit card information. This malicious software has been among the top malware samples shared on ANY.RUN statistics reports and on MalwareBazaar for months.

In this blog post, the Splunk Threat Research Team provides a deep-dive analysis of this threat and insights that blue teamers can use to detect and defend against this malware variant. The operators behind RedLine Stealer use several techniques to gain initial access to their victims. One common initial access technique is a phishing URL link. To gain more insight into how this malware runs its campaigns, the Splunk Threat Research Team (STRT) collected 90 days of URL data from URLhaus and used Jupyter Notebooks to analyze the dataset and identify trends in the RedLine URL links. Figure 1 shows the list of URLs from the dataset related to RedLine Stealer.

Based on the URLhaus tags, this Trojan is also bundled, downloaded or dropped by other malware such as Amadey and SmokeLoader. The same dataset shows that RedLine Stealer abuses several well-known legitimate file/code sharing and collaboration platforms for its campaigns. Figure 2 shows the top 20 domains that RedLine Stealer used to host its malware. Based on that list, the most commonly abused legitimate file sharing domains are GitHub, Dropbox, Discord, Bitbucket, OneDrive and Google Drive. Hosting payloads on these legitimate platforms lets the adversary evade detection and blend its download and C2 traffic into normal network traffic, so security solutions are less likely to raise alerts. In the following sections, we explore a recent RedLine loader, its defense evasion technique and RedLine Stealer's capabilities. The Splunk Threat Research Team found an interesting RedLine Stealer loader that was compiled as a Win32 Cabinet Self-Extractor executable (wextract) (1) (2).

A self-extracting archive is a type of compressed file that contains multiple files and can be executed as a program. When a user runs a self-extracting archive, its contents are extracted to a specified location on the system. Figure 3 shows a simple flow diagram of how RedLine Stealer uses a loader in the form of a self-extracting archive (.exe) to initiate its infection. This loader then executes two more self-extracting archive executables that are responsible for decrypting shellcode which loads the Amadey Trojan and two instances of the RedLine Stealer malware onto the system.

Additionally, the loader also executes a.
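The URLhaus trend analysis described above, as an added worked example (this is not the STRT notebook and not Splunk's code): it parses a URLhaus CSV dump offline, keeps the URLs tagged RedLine that were added in the last 90 days, counts the hosting domains, lists the tags that co-occur with RedLine (which is where droppers such as Amadey and SmokeLoader show up) and reports what share of the URLs sit on the legitimate sharing platforms the post names. The column order is that of the public URLhaus CSV feed, whose own header line is commented out with `#`; the feed rows, hostnames, ids and the fixed clock `SAMPLE_NOW` are constructed for the example and are not real indicators.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Column order of the public URLhaus CSV feeds. The feed comments out its own
# header line with '#', so the field names are supplied here (assumption).
URLHAUS_FIELDS = [
    "id", "dateadded", "url", "url_status", "last_online",
    "threat", "tags", "urlhaus_link", "reporter",
]

# Legitimate file/code-sharing platforms the post lists as abused for hosting.
LEGIT_SHARING = {
    "github.com", "githubusercontent.com", "dropbox.com",
    "dropboxusercontent.com", "discord.com", "discordapp.com",
    "bitbucket.org", "onedrive.live.com", "drive.google.com",
}

# CONSTRUCTED rows in the feed's shape; ids, hosts and paths are invented.
SAMPLE_FEED = """\
# abuse.ch URLhaus Database Dump (CSV) - constructed sample
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"1","2023-06-20 14:03:11","https://cdn.discordapp.com/attachments/111/222/build.exe","online","2023-06-21 09:00:00","malware_download","RedLine,exe","https://urlhaus.abuse.ch/url/1/","anonymous"
"2","2023-06-18 08:15:42","https://github.com/example-user/repo/raw/main/setup.exe","offline","2023-06-19 12:00:00","malware_download","RedLine,Amadey,exe","https://urlhaus.abuse.ch/url/2/","anonymous"
"3","2023-06-15 22:47:05","http://payload-host.test/load.exe","online","2023-06-16 01:00:00","malware_download","SmokeLoader,RedLine","https://urlhaus.abuse.ch/url/3/","anonymous"
"4","2023-06-10 11:30:00","https://dl.dropboxusercontent.com/s/abc123/update.zip","offline","2023-06-10 18:00:00","malware_download","redline,zip","https://urlhaus.abuse.ch/url/4/","anonymous"
"5","2023-06-05 09:00:00","http://other-host.test/amadey.exe","online","2023-06-06 00:00:00","malware_download","Amadey,exe","https://urlhaus.abuse.ch/url/5/","anonymous"
"6","2023-02-01 10:00:00","https://github.com/another-user/old/raw/main/old.exe","offline","2023-02-02 00:00:00","malware_download","RedLine,exe","https://urlhaus.abuse.ch/url/6/","anonymous"
"7","2023-06-22 16:20:33","https://cdn.discordapp.com/attachments/333/444/crypt.exe","online","2023-06-23 00:00:00","malware_download","RedLine","https://urlhaus.abuse.ch/url/7/","anonymous"
"8","2023-06-21 07:00:00","http://untagged-host.test/x.exe","online","2023-06-21 07:30:00","malware_download","None","https://urlhaus.abuse.ch/url/8/","anonymous"
"""

# Fixed clock so the 90-day window over the constructed rows is reproducible.
SAMPLE_NOW = datetime(2023, 7, 1, tzinfo=timezone.utc)


def parse_feed(text):
    """Parse a URLhaus CSV dump into dicts, skipping the '#' comment block."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(lines, fieldnames=URLHAUS_FIELDS))


def row_tags(row):
    """Lower-cased tag set; URLhaus writes the literal 'None' for untagged URLs."""
    raw = (row.get("tags") or "").strip()
    if raw.lower() in ("", "none"):
        return set()
    return {t.strip().lower() for t in raw.split(",") if t.strip()}


def redline_rows(rows, now, days=90):
    """URLs tagged RedLine whose dateadded falls inside the last `days` days."""
    cutoff = now - timedelta(days=days)
    keep = []
    for row in rows:
        added = datetime.strptime(row["dateadded"], "%Y-%m-%d %H:%M:%S")
        added = added.replace(tzinfo=timezone.utc)
        if added >= cutoff and "redline" in row_tags(row):
            keep.append(row)
    return keep


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def top_hosts(rows, n=20):
    """Hosting domains ranked by number of RedLine URLs (the Figure 2 view)."""
    return Counter(host_of(r["url"]) for r in rows).most_common(n)


def co_tags(rows):
    """Tags that co-occur with RedLine; droppers like Amadey surface here."""
    counts = Counter()
    for r in rows:
        counts.update(row_tags(r) - {"redline"})
    return counts


def is_legit_sharing(host):
    """True for a listed sharing platform or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_SHARING)


def legit_sharing_share(rows):
    """Fraction of RedLine URLs hosted on legitimate sharing platforms."""
    if not rows:
        return 0.0
    hits = sum(1 for r in rows if is_legit_sharing(host_of(r["url"])))
    return hits / len(rows)


if __name__ == "__main__":
    rows = redline_rows(parse_feed(SAMPLE_FEED), SAMPLE_NOW)
    print(f"{len(rows)} RedLine URLs added in the last 90 days")
    for host, n in top_hosts(rows):
        flag = "  (legitimate sharing platform)" if is_legit_sharing(host) else ""
        print(f"  {n:3d}  {host}{flag}")
    print("tags co-occurring with RedLine:", dict(co_tags(rows)))
    print(f"hosted on legitimate platforms: {legit_sharing_share(rows):.0%}")
```

With a real dump, pass the file contents instead of `SAMPLE_FEED` and `datetime.now(timezone.utc)` as `now`. Note what the "legitimate platform" share means operationally: a hit on cdn.discordapp.com or github.com does not make the domain malicious, only the specific object is, so blocking the domain is rarely an option; the counts are more useful for deciding where to prioritize proxy logging and download inspection.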
