Dissecting Redline Infostealer traffic — a SOAPy endeavour

Mario Henkel
6 min read · Jan 18, 2022
Pictured: A typical Redline Infostealer operator after you’ve finished this article

What is Redline Info Stealer?

RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. (Source: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer)

Why you should care

Currently, Redline is one of the most commonly used infostealers, possibly due to its ease of use and, of course, because a lot of cracked versions are circulating on the internet. Stolen credentials are then sold, mostly for around $10, on underground forums like russianmarket.

Redline is by far the most popular source of stolen credentials on russianmarket

Due to the fact that those credentials can be obtained cheaply, they are a neat way for attackers to get an initial foothold within networks if passwords are reused for VPN access for example.

Currently, the operators of Redline instances enjoy a cozy life: sending out malspam, collecting credentials and then putting them up for sale. Imagine for a short period of time that you are such an operator and all of a sudden you are receiving a lot of fake credentials. And I really mean A LOT of fake credentials. It would be a pretty tough job to sort out the junk before putting it up for sale, right? Of course you care about your reputation on those underground markets!

Let’s learn to speak Redline!

As already mentioned, there are a lot of cracked versions out there which not only help script kiddies but also security researchers. In this case, vx-underground is there to help us out!

You should follow @vxunderground on Twitter. No, really. Do it now. I’ll wait until you return.

After spinning up a Windows VM, we unpack the archive, start the panel and create our first Redline client which is able to reach our panel locally.

Hint: There are some obstacles in the way to get the panel running correctly. Since this tutorial is not aimed towards script kiddies who are trying to start their first malspam campaign I will not reveal them. If you are trying to follow this tutorial, contact me on Twitter @hariomenkel and I might help you if I see that you are doing it for educational purposes.

It’s alive! But still no logs. Which is sad.

Once we have created our own client.exe, you will see that after running it you won’t receive any logs and instead the file keeps deleting itself again and again. Frustrating while debugging, right? Don’t worry, dnSpy has got you covered!

There are multiple calls to “InstallManager.RemoveCurrent” which are called when something goes wrong

Once you open up the RemoveCurrent function, you will see that it is used to delete itself from the file system. Fortunately, dnSpy has the option to edit the corresponding function! I changed mine so that it looked like this:

Just close the application instead of deleting the whole file

Do not forget to save the file after your changes if you want to come back at a later time! If the patching was done correctly and you were able to remove the initially mentioned obstacles, your client should now be able to produce logs and send them to your panel!

Your first log!

But when you start interacting with the log entry, you will quickly notice that besides that general information there is nothing in there! No cookies, no passwords, NO NOTHING! How disappointing. But why?

Well, it turns out that this function errors out on VMWare Workstation and stops the rest of the grabbing functionality:

Look at this bad boy!

In detail, it stops working once it is parsing this entry and opening the corresponding “shell\open\command”:

Delete VMWAREHOSTOPEN.EXE and try again

After you have backed up this item and restarted the client, you will notice that you are now getting correct logs!

Much better — From an attacker’s standpoint.

Awesome! Now let’s see if we can manipulate the data in some way before it is transmitted to the panel! To do this, I had a look at the UserLog class and set a breakpoint on line 168. This gave me the opportunity to manipulate the values with dnSpy before they are sent to the server.

In the lower panel you are able to manipulate the values

And now, let’s see if our changes arrived correctly at the panel:

Looks like it worked!

Neat! So, new HWID means that a new entry is created! With this knowledge we can start to implement our own client which is able to speak with Redline.

When we look at the traffic capture taken with Wireshark, we can see that Redline is talking to its server via SOAP *unencrypted*. Also neat.

SOAPy!

Let’s see if we can come up with a Python implementation of that protocol. In our first attempt, we will just copy the request from our Wireshark window and see what will happen.

Python is your friend in this case

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <GetSettingsResponse xmlns="http://tempuri.org/">
      <GetSettingsResult xmlns:a="v1/Models" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <a:BlacklistedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/>
        <a:GrabBrowsers>true</a:GrabBrowsers>
        <a:GrabFTP>true</a:GrabFTP>
        <a:GrabFiles>true</a:GrabFiles>
        <a:GrabImClients>true</a:GrabImClients>
        <a:GrabPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/>
      </GetSettingsResult>
    </GetSettingsResponse>
  </s:Body>
</s:Envelope>

Aaaand we get a response with the configured settings! Yeah! Next, we will implement some basic settings parsing with the help of the xmltodict library:

No one likes XML, right? Right? RIGHT??
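As an added example (not the author’s script, which used xmltodict), here is a standard-library-only parser for the GetSettingsResponse shown above, the kind of thing you would run over bodies carved from a PCAP to recover what a given Redline build was told to grab. The sample body is the article’s response with its quotes straightened; the function names are my own.

```python
"""Triage and parse a captured Redline GetSettingsResponse SOAP body (stdlib only)."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TEMPURI_NS = "http://tempuri.org/"          # default namespace used by the panel's SOAP service

# Constructed sample: the response quoted in the article, with straight quotes.
SAMPLE_RESPONSE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<GetSettingsResponse xmlns="http://tempuri.org/">'
    '<GetSettingsResult xmlns:a="v1/Models" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">'
    '<a:BlacklistedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/>'
    '<a:GrabBrowsers>true</a:GrabBrowsers><a:GrabFTP>true</a:GrabFTP>'
    '<a:GrabFiles>true</a:GrabFiles><a:GrabImClients>true</a:GrabImClients>'
    '<a:GrabPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/>'
    '</GetSettingsResult></GetSettingsResponse></s:Body></s:Envelope>'
)

RESULT_PATH = (f"{{{SOAP_NS}}}Body/{{{TEMPURI_NS}}}GetSettingsResponse/"
               f"{{{TEMPURI_NS}}}GetSettingsResult")


def is_redline_settings_response(body: str) -> bool:
    """Cheap triage check: a SOAP envelope carrying GetSettingsResponse under tempuri.org."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.find(RESULT_PATH) is not None


def parse_settings(body: str) -> dict:
    """Return the grab flags as bools and the array fields as plain lists."""
    result = ET.fromstring(body).find(RESULT_PATH)
    if result is None:
        raise ValueError("not a Redline GetSettingsResponse")
    settings = {}
    for child in result:
        name = child.tag.split("}", 1)[1]          # strip the {v1/Models} namespace
        text = (child.text or "").strip().lower()
        if text in ("true", "false"):
            settings[name] = text == "true"
        else:
            # Array fields serialise as <b:string> children; an empty element is an empty list
            settings[name] = [c.text for c in child if c.text]
    return settings


def enabled_grabs(settings: dict) -> list:
    """Names of the Grab* switches the operator turned on, for a quick summary line."""
    return sorted(k for k, v in settings.items() if k.startswith("Grab") and v is True)
```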

Now that we have the settings, we will later be able to adapt to different configs and only send what’s really needed to better blend in with normal stolen credentials. Neat.

For our next trick we will copy the content of the large POST into our script and see if it creates an entry:

Whoever finds the typo can keep it

Now let’s have another look at the panel:

Our replay worked as expected. Neat!

Turns out that the data is accepted! Neat. Now, we take the XML we copied earlier and beautify it with help of https://codebeautify.org/ to better understand what is in there and build our own payload!

Much better! Redacted like a pro!

Now that we have our needed knowledge in place, we can create our own spamming tool:

The number of logs is too damn high!

As always, you can find the corresponding code on GitHub: https://github.com/hariomenkel/RedlineSpam/
