Trojan:Win32/RedLine.MC!MTB is written in C# and runs inside the Common Language Runtime of the .NET Framework. RedLine does not have a fixed delivery method; infection vectors shift across campaigns. One persistent operation uses thousands of GitHub accounts to star and fork repositories containing password-protected archives of the malware. These archives rely on the trust associated with the platform to avoid rejection by antivirus software. Another method uses malvertising redirects that lead to pages mimicking legitimate software updates. These pages contain ClickFix prompts: the user is instructed to press the Windows key and R, paste a provided command, and press Enter. The command downloads and launches the RedLine loader. The loader has also been packaged inside MSIX installer packages and Microsoft OneNote files, both formats that email gateway policies often permit.
When the loader runs, it creates a suspended process from a legitimate Windows binary. The most common targets are Regsvcs.exe and vbc.exe. The loader allocates memory inside that suspended process, writes the RedLine payload into that memory space, and resumes the thread.
Trojan:Win32/RedLine.MC!MTB now runs under the name of the trusted Windows binary. This process hollowing technique allows the payload to evade scrutiny from some monitoring tools. All operational parameters are stored inside a class named Arguments. This class contains the C2 IP address, the Botnet ID used to tag stolen data with the buyer’s identifier, and the cryptographic keys required for exfiltration. The configuration is not stored in plain text. The malware Base64-decodes a stored string, XORs the result with a fixed key, and Base64-decodes the output a second time. Historical samples have used the keys “Reshipment” and “Margented”. If the ciphertext is represented as C, the XOR key as K, and the resulting plaintext as P, the operation is expressed as P_i = C_i XOR K_(i mod L), where L is the length of the key. This routine keeps human-readable addresses out of the file on disk and out of initial memory dumps.
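The decoding routine above, written out as an added Python example for config extraction (this is not code from the RedLine sample or from this analysis): it reverses the Base64, XOR, Base64 chain with a repeating key and tries the historical keys named in the text against a blob. The encode helper exists only to build constructed samples; the `Ghp2dg==` vector, the TEST-NET address and the botnet tag are constructed values, and the function names are the example's own.

```python
import base64
import binascii
import string

# Historical XOR keys named in the analysis above.
KNOWN_KEYS = ("Reshipment", "Margented")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """P_i = C_i XOR K_(i mod L): XOR each byte with the key byte at position i mod len(key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_config_field(blob_b64: str, key: str) -> str:
    """Reverse the routine described in the text: Base64-decode, XOR with the fixed key,
    Base64-decode again. With a wrong key the XOR output is normally not valid Base64,
    so strict decoding raises binascii.Error instead of returning garbage."""
    stage1 = base64.b64decode(blob_b64, validate=True)
    stage2 = xor_repeating(stage1, key.encode("utf-8"))
    return base64.b64decode(stage2, validate=True).decode("utf-8")


def encode_config_field(plaintext: str, key: str) -> str:
    """Forward direction; exists only to build constructed samples for the decoder."""
    stage1 = base64.b64encode(plaintext.encode("utf-8"))
    stage2 = xor_repeating(stage1, key.encode("utf-8"))
    return base64.b64encode(stage2).decode("ascii")


def try_known_keys(blob_b64: str, keys=KNOWN_KEYS) -> dict:
    """Attempt each key; return {key: plaintext} for every key that yields printable text,
    so an analyst can confirm which historical key a sample uses."""
    hits = {}
    for key in keys:
        try:
            plain = decode_config_field(blob_b64, key)
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if plain and all(ch in string.printable for ch in plain):
            hits[key] = plain
    return hits


# Constructed sample: a TEST-NET address and a made-up botnet tag, encoded with "Reshipment".
SAMPLE_FIELDS = {
    "IP": encode_config_field("203.0.113.10:3000", "Reshipment"),
    "ID": encode_config_field("build-demo", "Reshipment"),
}

if __name__ == "__main__":
    for field, blob in SAMPLE_FIELDS.items():
        print(field, blob, try_known_keys(blob))
```

Strict Base64 validation is what makes the key search usable: a wrong key usually XORs the inner Base64 text into bytes outside the alphabet, so the failure is an exception rather than silently mangled output. For a real sample, feed the strings pulled from the Arguments class into `try_known_keys`, and add any new key recovered from the decryption method to `KNOWN_KEYS`.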
Many variants are further protected by the VMProtect packer. VMProtect virtualizes sections of the executable, translating the original bytecode into a custom instruction set that is interpreted at runtime, which complicates static analysis. RedLine extracts stored credentials from both Chromium-based and Gecko-based browsers. For Chromium-based browsers (Google Chrome, Microsoft Edge, Brave, and Opera), RedLine navigates the user profile directory to locate the Local State file and the SQLite databases Login Data, Web Data, and Network/Cookies. The Local State file contains an encrypted master key inside the os_crypt JSON object. RedLine calls the Windows CryptUnprotectData function, which uses the current user’s DPAPI credentials to decrypt the master key. The malware then copies the SQLite databases to the %Temp% directory to avoid file-locking conflicts with the running browser process. It iterates over each row of the database and applies AES-GCM decryption to the encrypted credential blobs using the decrypted master key. The same routine is applied to credit card entries stored in the Web Data database and to session cookies stored in the Cookies database.
For Mozilla Firefox, the malware targets the logins.json file, which contains encrypted credentials, and the key4.db file, which stores the master password database. RedLine uses Mozilla’s own PK11 decryption routines, invoked through the .NET Framework, to extract the plaintext credentials. RedLine scans the file system for cryptocurrency wallet artifacts. It searches the %AppData% directory and its subdirectories for specific file names and folder structures associated with more than 40 browser-based extensions and standalone desktop wallets. The malware targets .wallet files, configuration storage files, and metadata folders that contain seed phrases or private keys. Specific targets include Armory, which stores .wallet files in %AppData%\Armory; Atomic Wallet, which stores configuration and local storage in %AppData%\atomic; Exodus, which stores exodus.wallet in %AppData%\Exodus; Electrum, which stores wallet files in %AppData%\Electrum\wallets; Jaxx Liberty, which stores local storage data in %AppData%\com.liberty.jaxx; and Coinomi, which stores account metadata in %AppData%\Coinomi.
RedLine compresses these files and prepares them for exfiltration. It also extracts credentials from FTP clients and VPN software. It locates FileZilla’s sitemanager.xml file, typically stored in %AppData%\FileZilla, parses the XML nodes for Host, Port, User, and Pass, and decodes the base64-encoded password field. For NordVPN, it navigates to %AppData%\Local\NordVPN and retrieves the user.config XML file, parsing the settings nodes for RememberfulToken or similar nodes that store encoded session credentials. The malware collects system metadata to help the threat actor assess the value of the compromised host. It calls the .NET Graphics.CopyFromScreen method to capture the current desktop and exports the image as a PNG file. It queries Windows Management Instrumentation for the Win32_Processor, Win32_ComputerSystem, and Win32_VideoController classes to retrieve the CPU model, RAM capacity, and GPU model. It enumerates installed software by reading the Uninstall registry key under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, identifies running processes by calling Process.GetProcesses, and enumerates installed security products by querying the root\SecurityCenter2 namespace.
This profiling data is combined with the stolen application data and staged for transmission. C2 communication is implemented through Windows Communication Foundation. RedLine uses the net.tcp protocol to establish a persistent binary stream to the threat actor’s server. The communication is structured around a set of numbered endpoints. Endpoints id1 and id2 transmit heartbeat verification packets. Endpoints id3 and id4 send host telemetry: username, hostname, operating system version, system locale, and geolocation derived from the public IP address. Endpoint id5 transmits the encoded PNG screenshot. Endpoint id6 transmits the list of detected security products. Endpoint id8 transmits the inventory of installed software. Endpoint id9 transmits the list of running processes. Endpoint id11 transmits all decrypted browser credentials, cookies, and autocomplete form data. Endpoint id12 transmits the extracted FileZilla credentials. Endpoints id14 through id21 are reserved for files collected by the configurable file grabber module. The C2 server can also issue remote commands.
These commands include instructions to download and launch a secondary payload, run arbitrary shell commands through cmd.exe, or update the malware configuration with new target directories or a new C2 address.
Network indicators observed across multiple RedLine campaigns include IP address 65[.]21.213[.]208 on port 3000, IP address 194[.]36.177[.]124 on port 39456, IP address 207[.]32.217[.]89 on port 14588, IP address 77[.]91.124[.]251, IP address 77[.]246.101[.]46, IP address 192[.]169.69[.]26, and IP address 79[.]132.128[.]77. The domain stocktemplates[.]net has been observed serving second-stage payloads. File system artifacts commonly observed after infection include renamed binaries placed in %AppData%: winlogon.exe, chrome.exe, svchost.exe. The %Temp% directory contains binaries named sihost32.exe, services32.exe, 123.exe, and 321.exe.
The PowerShell script SECT_v4 has been used for initial download staging. A directory named fastpatch has been created in %AppData% during ClickFix campaigns. Registry persistence is achieved through a value added to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run; this value points to a renamed binary in %AppData%. Scheduled tasks are created through schtasks.exe to restart the malware at every user logon. Some variants run the PowerShell command Add-MpPreference -ExclusionPath "C:\Users\Public" to exclude that directory from Windows Defender scans. Manipulation of the Image File Execution Options registry key has been observed at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options; this forces RedLine to run alongside legitimate Windows images.
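The host-side indicators from this analysis (the Regsvcs.exe and vbc.exe hollowing hosts, the %AppData% and %Temp% file names, the fastpatch directory, the Run key, logon scheduled tasks, the Defender exclusion, the IFEO key, and the C2 addresses) folded into one triage routine, as an added Python example that is not part of the original write-up. It runs over a constructed host snapshot rather than live registry, task or process data; the snapshot layout, the `triage` and `summarize` names, the deliberately narrow list of user-writable path markers, and the choice to treat an IFEO Debugger value pointing into a user-writable path as the relevant manipulation are all assumptions of the example. IP addresses are refanged so they match raw telemetry.

```python
import ntpath
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the analysis above (IP addresses refanged for matching).
C2_ENDPOINTS = {("65.21.213.208", 3000), ("194.36.177.124", 39456), ("207.32.217.89", 14588)}
C2_HOSTS = {"77.91.124.251", "77.246.101.46", "192.169.69.26", "79.132.128.77", "stocktemplates.net"}
TEMP_NAMES = {"sihost32.exe", "services32.exe", "123.exe", "321.exe"}
APPDATA_MASQUERADE = {"winlogon.exe", "chrome.exe", "svchost.exe"}
HOLLOWING_HOSTS = {"regsvcs.exe", "vbc.exe"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
IFEO_KEY = r"hklm\software\microsoft\windows nt\currentversion\image file execution options"
# Assumption: a narrow set of user-writable markers keeps noise low; widen it for your estate.
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp", r"c:\users\public")


@dataclass
class Finding:
    category: str  # persistence, defense_evasion, file_artifact, process, network
    detail: str


def _user_writable(path: str) -> bool:
    p = path.strip('"').lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(host: dict) -> list:
    """Return findings for one host snapshot; every check maps to an indicator in the text."""
    findings = []
    for key, name, target in host.get("registry_values", []):
        k = key.lower()
        # Run value launching a binary from a user-writable path (masqueraded if it borrows a system name)
        if k == RUN_KEY and _user_writable(target):
            base = ntpath.basename(target.strip('"')).lower()
            kind = "masqueraded" if base in APPDATA_MASQUERADE else "unexpected"
            findings.append(Finding("persistence", f"Run value {name} -> {target} ({kind} binary)"))
        # IFEO Debugger that redirects a legitimate image to a user-writable path
        elif k.startswith(IFEO_KEY) and name.lower() == "debugger" and _user_writable(target):
            image = key.rsplit("\\", 1)[-1]
            findings.append(Finding("persistence", f"IFEO Debugger for {image} -> {target}"))
    # Logon-triggered scheduled task whose action lives in a user-writable path
    for task in host.get("scheduled_tasks", []):
        if task["trigger"].lower() == "onlogon" and _user_writable(task["action"]):
            findings.append(Finding("persistence", f"logon task {task['name']} -> {task['action']}"))
    # Defender exclusion on C:\Users\Public
    for path in host.get("defender_exclusions", []):
        if path.lower().rstrip("\\") == r"c:\users\public":
            findings.append(Finding("defense_evasion", f"Defender exclusion on {path}"))
    # Known %Temp% drop names, system-binary names directly in %AppData%, the fastpatch directory
    for path in host.get("files", []):
        p, base = path.lower(), ntpath.basename(path).lower()
        if "\\appdata\\local\\temp\\" in p and base in TEMP_NAMES:
            findings.append(Finding("file_artifact", f"{path} (known %Temp% drop name)"))
        elif p.endswith("\\appdata\\roaming\\" + base) and base in APPDATA_MASQUERADE:
            findings.append(Finding("file_artifact", f"{path} (system binary name in %AppData%)"))
        elif "\\appdata\\roaming\\fastpatch\\" in p:
            findings.append(Finding("file_artifact", f"{path} (fastpatch staging directory)"))
    # Trusted .NET binaries used as hollowing hosts, started by a parent in a user-writable path
    for ev in host.get("process_events", []):
        if ntpath.basename(ev["image"]).lower() in HOLLOWING_HOSTS and _user_writable(ev["parent_image"]):
            findings.append(Finding("process", f"{ev['image']} started by {ev['parent_image']}"))
    # Outbound connections to the listed C2 addresses
    for ip, port in host.get("connections", []):
        if (ip, port) in C2_ENDPOINTS or ip in C2_HOSTS:
            findings.append(Finding("network", f"connection to {ip}:{port}"))
    return findings


def summarize(findings: list) -> dict:
    return dict(Counter(f.category for f in findings))


# Constructed host snapshot for demonstration; not data from a real incident.
SAMPLE_HOST = {
    "registry_values": [
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
         r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Update",
         r"C:\Users\alice\AppData\Roaming\winlogon.exe"),
        (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe",
         "Debugger", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    ],
    "scheduled_tasks": [
        {"name": "Updater", "trigger": "ONLOGON", "action": r"C:\Users\alice\AppData\Local\Temp\services32.exe"},
        {"name": "GoogleUpdate", "trigger": "DAILY", "action": r"C:\Program Files\Google\Update\GoogleUpdate.exe"},
    ],
    "defender_exclusions": [r"C:\Users\Public"],
    "files": [
        r"C:\Users\alice\AppData\Local\Temp\sihost32.exe",
        r"C:\Users\alice\AppData\Roaming\fastpatch\loader.ps1",
        r"C:\Users\alice\AppData\Roaming\winlogon.exe",
        r"C:\Windows\System32\winlogon.exe",
    ],
    "process_events": [
        {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         "parent_image": r"C:\Users\alice\AppData\Local\Temp\123.exe"},
        {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
         "parent_image": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe"},
    ],
    "connections": [("65.21.213.208", 3000), ("203.0.113.5", 443)],
}

if __name__ == "__main__":
    for f in triage(SAMPLE_HOST):
        print(f"[{f.category}] {f.detail}")
```

The legitimate OneDrive autorun, the daily updater task, the real winlogon.exe under System32, the vbc.exe launched by a build tool, and the benign connection are all left alone; each check keys on the combination the text describes (a system-binary name, a logon trigger, a hollowing host, or a listed address together with a user-writable location), not on any one attribute. To use it on a real host, populate the snapshot from registry exports, `schtasks` output, `Get-MpPreference`, a file listing and process-creation telemetry.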