Researchers, in collaboration with law enforcement, analyzed previously undocumented modules of the RedLine Stealer malware-as-a-service platform, identifying over 1,000 unique IP addresses hosting its control panels.
RedLine Stealer’s 2023 iterations used the Windows Communication Foundation (WCF) for communication between components, whereas the 2024 version switched to a REST API. Analysis of the code and backend also indicates that RedLine Stealer and META Stealer share the same creator.
The backend consists of modules that handle the various operations of the MaaS platform, including RedLine Stealer activity. An older, less obfuscated version of the RedLine panel was used to gain insight into the panel's functionality and into the overall operation of the MaaS business.
Because the .NET-based components communicate over WCF, they must share the same data contracts, and those shared data structures provide a foothold for analyzing the otherwise obfuscated code. The panel, although heavily obfuscated, is signed with a certificate issued to AMCERT, LLC; it provides affiliates with a GUI to manage campaigns, collect stolen information, and integrate with Telegram to sell the stolen data.
To authenticate, the panel retrieves the addresses of its authentication servers from GitHub repositories that act as dead-drop resolvers; a hardcoded URL is also used for authentication. Separately, affiliates can configure Telegram bots to post stolen data to specific chats or channels.
Its frontend lets affiliates create malware samples by specifying a panel server address, Build ID, error message, and icon, while backend modules such as Nodes.Api handle sample generation and data management.
Affiliate passwords are stored in plaintext, which weakens the security of the operation itself. Lifetime licenses are implemented simply by setting expiration dates beyond 2025. The LoadBalancer module handles network requests, delegating affiliate and advertisement tasks to DbController while also managing malware sample creation.
The backend communicates over WCF and REST APIs and generates malware samples with a custom builder that fills in placeholders such as C&C addresses and decryption keys.
The generated samples can be obfuscated and signed with a self-signed certificate. Earlier versions of the builder also supported adding clipboard hijacking to samples and signing arbitrary files, but these functionalities have been removed.
The RedLine MainServer module is an older version of the backend, likely a precursor to LoadBalancer and DbController. It features a GUI for managing affiliate accounts and advertisements, providing insight into how RedLine was administered and operated.
The 2024 version updates the backend module Nodes.Api, combining previously separate functionality and using a REST API for communication with the panel; new features include affiliate management with access control and backups delivered via Telegram.
META Stealer, a recent infostealer, shares significant code similarities with RedLine Stealer. Both likely originate from the same developer, utilizing identical infrastructure, protection methods, and panel designs.
RedLine uses GitHub repositories as dead-drop resolvers for its authentication servers: the server addresses stored in the repositories are encrypted with custom RSA- or AES-based schemes using keys hardcoded in the panel.
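The dead-drop mechanism described above (repositories holding encrypted server addresses, with a hardcoded key and a hardcoded URL alongside them) is easier to reason about as code. The following is an added example, not code from the RedLine panel or from the researchers: it models the resolver side with standard AES-256-CBC rather than RedLine's custom scheme, uses constructed key, IV and addresses, and assumes (as this example's own design choice, not a claim about RedLine) that the hardcoded URL serves as a fallback when no repository yields a usable list.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-ins for the key and IV that the real panel keeps hardcoded.
// They are not RedLine's values; the point is that whoever extracts them from
// the binary can decrypt every repository file that uses them.
var (
	deadDropKey = []byte("constructed-aes-256-key-32-bytes") // 32 bytes -> AES-256
	deadDropIV  = []byte("constructed-iv16")                 // 16 bytes, one AES block
)

// Hypothetical hardcoded address, standing in for the panel's own hardcoded URL.
const fallbackAuthServer = "https://auth.fallback.invalid"

func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptDeadDrop produces the kind of blob an operator would commit to the
// resolver repository: newline-separated addresses, AES-CBC, then base64.
// It exists here only to construct the sample input for the resolver.
func EncryptDeadDrop(servers []string) (string, error) {
	block, err := aes.NewCipher(deadDropKey)
	if err != nil {
		return "", err
	}
	plain := pkcs7Pad([]byte(strings.Join(servers, "\n")), block.BlockSize())
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, deadDropIV).CryptBlocks(out, plain)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptDeadDrop is the resolver side: decode, decrypt with the hardcoded key,
// strip padding and split into addresses. Malformed input is reported as an
// error rather than silently producing a garbage server list.
func DecryptDeadDrop(blob string) ([]string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(blob))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deadDropKey)
	if err != nil {
		return nil, err
	}
	if len(raw) == 0 || len(raw)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext is not a multiple of the block size")
	}
	plain := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, deadDropIV).CryptBlocks(plain, raw)
	plain, err = pkcs7Unpad(plain, block.BlockSize())
	if err != nil {
		return nil, err
	}
	var servers []string
	for _, line := range strings.Split(string(plain), "\n") {
		if line = strings.TrimSpace(line); line != "" {
			servers = append(servers, line)
		}
	}
	if len(servers) == 0 {
		return nil, errors.New("dead drop decrypted to no addresses")
	}
	return servers, nil
}

// ResolveAuthServers tries each repository fetcher in turn (a fetcher stands in
// for an HTTP GET of a repository file) and falls back to the hardcoded address
// when none yields a decryptable list. The bool reports whether the fallback was used.
func ResolveAuthServers(fetchers []func() (string, error)) ([]string, bool) {
	for _, fetch := range fetchers {
		blob, err := fetch()
		if err != nil {
			continue
		}
		if servers, err := DecryptDeadDrop(blob); err == nil {
			return servers, false
		}
	}
	return []string{fallbackAuthServer}, true
}

func main() {
	// Constructed sample: what one resolver repository file might contain.
	blob, _ := EncryptDeadDrop([]string{"10.0.0.1:443", "10.0.0.2:443"})
	fromRepo := func() (string, error) { return blob, nil }
	unreachable := func() (string, error) { return "", errors.New("repository unreachable") }

	fmt.Println(ResolveAuthServers([]func() (string, error){unreachable, fromRepo}))
	fmt.Println(ResolveAuthServers([]func() (string, error){unreachable}))
}
```

The analyst's angle follows directly from the structure: the key and the repository URLs both live in the panel binary, so extracting them lets a researcher decrypt the current repository contents, watch the repositories for changes, and pivot from a single panel to the authentication infrastructure behind it, which is how panel and backend addresses can be enumerated at scale.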
ESET researchers identified over 1,000 unique IP addresses hosting RedLine panels, primarily in Russia, Germany, and the Netherlands, whereas backend servers were mainly located in Russia, the UK, the Netherlands, and the Czech Republic.