Defending Against RedLine Stealer Malware
4 February 2025
RedLine Stealer is a malware-as-a-service (MaaS) info-stealer that is designed to harvest sensitive information from compromised machines such as login credentials, browser autocomplete data and financial details such as credit card information.
New variants using Lua bytecode to enhance stealth and evasion capabilities have also been observed in the wild. The purpose of this advisory is to provide readers with information pertaining to this threat and the measures that can be taken to protect both individuals and organisations from falling victim.
How It Spreads
The RedLine Stealer malware is commonly spread through the following means:
Phishing emails with urgent requests containing malicious attachments, or links that spoof a reputable company.
Embedding the malware into an application disguised as a legitimate one, such as antivirus software or an operating system update. The threat actor distributes this application and entices the victim to run it as a legitimate application or update required for their system.
Exploiting popular online repositories such as GitHub. The malware has been observed masquerading as game cheating tools on GitHub. While installing the game cheat, victims are encouraged to further distribute it in order to unlock the full capabilities of the game cheat.
How To Protect Yourself
Individuals and organisations are advised to take the following measures to strengthen their cybersecurity posture and online defences against the RedLine Stealer malware.
For Individuals
Store passwords securely, such as in an encrypted password manager rather than in web browsers.
Refrain from downloading pirated software applications and only download official software applications from trusted sources such as Microsoft and Adobe.
Update systems, applications and software to the latest version and download the latest security patches.
Install anti-virus/anti-malware software and keep the software (and its definition files) updated. Perform a scan of the systems and networks regularly and scan all received files.
Report to your organisation's IT/security team or the relevant authorities once you notice suspicious behaviours such as unauthorised login attempts or unsolicited transactions.
For Organisations
Organisations with cybersecurity capabilities may want to monitor dark web forums and Telegram channels for any mentions of your organisational data, systems or credentials for sale as this might indicate a possible compromise within your organisation.
Disable all ports and protocols such as Telnet, Microsoft RPC, FTP, etc., if they are not essential for business purposes.
Isolate devices that use legacy operating systems if your organisation is unable to update these devices with security patches.
Limit privileged access to authorised personnel to reduce the risk of privileged account abuse or compromise.
Regularly monitor all user accounts and disable inactive accounts.
Enforce password updates for account owners who receive reports that their credentials may have been leaked.
Implement regular training programmes to educate employees about the latest types of phishing attacks, common phishing techniques and how to identify and respond to unsolicited, suspicious emails, URL links, and attachments. For more information on how you and your organisation can defend against cyber threats, please refer to our advisory here. [link: https://www.csa.gov.sg/alerts-advisories/Advisories/2023/ad-2023-013]
Enable logging of system events to facilitate investigation of suspicious events or issues.
Use an effective Endpoint Detection and Response (EDR) solution on end-user devices for continuous monitoring, detection and response to cyber threats.
Closely monitor inbound and outbound network traffic for suspicious communications or data transmissions. This includes possible Indicators of Compromise (IOCs) related to RedLine Stealer.
Indicators of Compromise
Description | Indicator (SHA-256 file hash unless stated otherwise)
- | 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
- | https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip (download URL)
lua51.dll | 873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997
readme.txt | 751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad
compiler.exe | dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a
RedLine C2 | 213[.]248[.]43[.]58 (IP address)
Trojanised Git repo | hxxps://github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip (download URL)
Payload | c7a2de31d6f01d5ba962ce7ba17539d3 (MD5)
Wiper payload | 30eeb6c732a7e37cbfff0148d2c2457229fb6ef36feb0abb99e2afbfed0d1257
RedLine Stealer | 5112ff1b75d9c33d10efafcbacdb4e2116280c1f5f3e6b6a64b44279997d96ee
Loader | 8f45a89978ea72a7c3304c93cc56ac18087663ae33daa9f30f919652ba961175
RedLine Stealer | eb8a15b1a42127970e7facc6133131dcc073a201419d8cc88c3c316819d1c2a2
lr657198.exe | afc48eabd725325d00324625eb9035c450d730c0b07d4d5a7246cbb1a3a443eb
zifq8846.exe | 2a4193dcb95c7307e0a4f5586446c1c4adad17733a102a40d0b9227649191ff9
kp356066.exe | 5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc
zigT1406.exe | 52a52e958a0fef6aa14f27083f2d8675a20c2148be6456cacbda149411719b92
it532878.exe | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
jr663319.exe | 5e82fc65d9dafc6da041e732597719aa9872bc82d8ff52c272277a1a49b8c9aa
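The following Python script is an added example, not part of the CSA advisory, showing one way to put the IOC table above and the network-monitoring recommendation to use: it loads the advisory's hashes, C2 address and trojanised download URLs, re-fangs the defanged network indicators, matches file digests against the hash list, and flags proxy or firewall log lines that reference the C2 address or the download URLs. The IOC values are the advisory's; the log lines, the file names and the log format are constructed for illustration and should be adapted to your own log source.

```python
"""Match the advisory's RedLine Stealer IOCs against local files and log lines.

Added example: IOC values come from the advisory table above; the sample log
lines and directory layout are constructed and do not represent real traffic.
"""
import hashlib
import re
from pathlib import Path

# SHA-256 file hashes from the advisory, keyed hash -> description.
IOC_SHA256 = {
    "5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610": "(no description given)",
    "873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997": "lua51.dll",
    "751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad": "readme.txt",
    "dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a": "compiler.exe",
    "30eeb6c732a7e37cbfff0148d2c2457229fb6ef36feb0abb99e2afbfed0d1257": "Wiper payload",
    "5112ff1b75d9c33d10efafcbacdb4e2116280c1f5f3e6b6a64b44279997d96ee": "RedLine Stealer",
    "8f45a89978ea72a7c3304c93cc56ac18087663ae33daa9f30f919652ba961175": "Loader",
    "eb8a15b1a42127970e7facc6133131dcc073a201419d8cc88c3c316819d1c2a2": "RedLine Stealer",
    "afc48eabd725325d00324625eb9035c450d730c0b07d4d5a7246cbb1a3a443eb": "lr657198.exe",
    "2a4193dcb95c7307e0a4f5586446c1c4adad17733a102a40d0b9227649191ff9": "zifq8846.exe",
    "5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc": "kp356066.exe",
    "52a52e958a0fef6aa14f27083f2d8675a20c2148be6456cacbda149411719b92": "zigT1406.exe",
    "850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38": "it532878.exe",
    "5e82fc65d9dafc6da041e732597719aa9872bc82d8ff52c272277a1a49b8c9aa": "jr663319.exe",
}
# The "Payload" entry is a 32-hex-character value, i.e. an MD5 digest.
IOC_MD5 = {"c7a2de31d6f01d5ba962ce7ba17539d3": "Payload"}
# Network indicators are kept defanged exactly as the advisory lists them.
IOC_C2_DEFANGED = ["213[.]248[.]43[.]58"]
IOC_URLS_DEFANGED = [
    "https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip",
    "hxxps://github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.] and [:]) back into its live form."""
    return indicator.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


IOC_C2_IPS = {refang(ip) for ip in IOC_C2_DEFANGED}
IOC_URLS = {refang(url) for url in IOC_URLS_DEFANGED}


def match_hashes(sha256_hex: str, md5_hex: str):
    """Return the IOC description if either digest is listed, else None."""
    return IOC_SHA256.get(sha256_hex.lower()) or IOC_MD5.get(md5_hex.lower())


def hash_file(path: Path):
    """Compute SHA-256 and MD5 of a file in one streaming pass (1 MiB chunks)."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def scan_directory(root) -> list:
    """Walk `root` and return (path, description) for each file whose hash is an IOC."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            desc = match_hashes(*hash_file(path))
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        if desc:
            hits.append((str(path), desc))
    return hits


# Whole dotted-quad tokens only, so 213.248.43.580 is not mistaken for the C2.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_lines(lines) -> list:
    """Return (line_number, indicator, kind) for each line referencing an IOC."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_C2_IPS:
                hits.append((n, ip, "RedLine C2"))
        for url in IOC_URLS:
            if url in line:
                hits.append((n, url, "Trojanised Git repo download"))
    return hits


# Constructed proxy/firewall log lines for the example (not real traffic).
# Line 4 deliberately contains a near-miss address that must not match.
SAMPLE_LOG = """\
2025-02-04T09:12:01Z proxy allow 10.0.0.15 -> 142.250.74.46:443 GET https://www.example.com/
2025-02-04T09:12:44Z proxy allow 10.0.0.15 -> 140.82.121.4:443 GET https://github.com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
2025-02-04T09:13:10Z firewall allow 10.0.0.15 -> 213.248.43.58:80 TCP
2025-02-04T09:14:02Z firewall allow 10.0.0.15 -> 213.248.43.580:443 TCP
"""

if __name__ == "__main__":
    for n, indicator, kind in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {kind} -> {indicator}")
    for path, desc in scan_directory("."):
        print(f"IOC hash match: {path} ({desc})")
```

Run against the constructed sample, the script reports the download of Cheat.Lab.2.7.2.zip on line 2 and the connection to the C2 address on line 3, and ignores the near-miss address on line 4. Hash matches alone only confirm the presence of a known sample; a hit on either list should be followed by the credential-reset and account-review steps recommended above, since the stealer's purpose is to exfiltrate saved logins.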
References:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/
https://flare.io/learn/resources/blog/redline-stealer-malware/