"Cracking Open the Malware Piñata" Series: Intro to Dynamic Analysis with RedLineStealer
Updated: Jan 16, 2022
Dynamic analysis involves running a binary and observing its behavior in a controlled environment. This can be of significant benefit because some capabilities of malware come to life only at runtime, meaning that the indicators and behaviors would not be observed if only analyzed statically.
In this iteration of my latest series, we dive into RedLineStealer. At the time of writing this blog post, MalwareBazaar shows RedLineStealer as the second most prevalent malware family in the last 14 days. The variant we're analyzing is relatively noisy, as you'll see in the content below.
If you're interested in viewing my previous posts in this series, please check them out here:
"Cracking Open the Malware Piñata" Series: Analysis Environment Setup
"Cracking Open the Malware Piñata" Series: Intro to Static Analysis with Kazy Trojan
Additionally, if you'd like to get right to the counter-hacking, scroll down to the "Pushing the Big Red Button" headling. :)
BEFORE THE BOOM
Prior to double-clicking on that badness-laden executable, there are a couple of things that need to be done to prepare the environment.
First and foremost, we need to check the networking between virtual machines. Verify that the network adapters are set to host only. From there, go into REMnux and identify its IP.
Making note of it, we return to the Windows VM and take the following steps:
Access the network adapter settings in Windows
Change the Windows IP to be on the same subnet as the REMnux IP
Input the REMnux IP as the default gateway and preferred DNS server in the Windows settings
Close all dialog boxes
Ping the REMnux VM from the Windows VM to make sure the connection is functional
This ensures that any time the Windows VM attempts to establish a network connection, the connection will be routed to the REMnux VM. This will be useful when it comes time to observing what the malware calls out to when detonating.
Next, let's grab a snapshot of the registry. RegShot is a tool originally developed in 1999 by TiANWEi but contributed to by Maddes, XhmikosR, tulipfan, and Belogorokhov Youri amongst a large cohort of others over the course of two decades. The RegShot utility enables to user to grab "snapshots" of the registry prior to and after a specific event. The utility also has a "compare" feature, which highlights the differences between the "before" and "after" shots.
To grab our "before" shot, it's as simple as:
Double-click on the RegShot executable
Click on "1st Shot," then "Shot and Save"
Once complete, name your file and where to save it
After completing the registry baseline, it's a good time to take a snapshot of the VM. This will allow you to revert the Windows VM to this state after detonating the malware. I recommend taking the VM snapshot after taking the initial registry snapshot to avoid having to repeat the process again.
To take a VM snapshot in VMWare:
Go to the toolbar at the top of the window and click on "VM"
Hover over "Snapshot"
Click "Take Snapshot..."
Name it something intuitive and click "Take Snapshot"
PREPARE THE WATCH
The environment is now configured and baselines have been captured. At this stage, we start spinning up the tools that will actively be running when the malware is executed. It's important to have these tools active prior to initiating detonation so that we capture all events that take place.
Process Hacker is one of the first tools I spin up at this point. Developed by Wen Jia Liu with help from XhimkosR and a plethora of additional contributors, it is a "task manager on steroids." The GUI is intuitive with highlighting showing which processes are spawning and terminating, modifiable columns, and additional details visible with just the hover of a mouse.
Fiddler allows you to observe and inspect HTTP/S network requests. Developed by Telerik, this tool is one of the several tools available to observe the networking capabilities of the malware once detonated.
Possible overkill, but I normally have this and Fiddler running concurrently. FakeDNS is a command-line tool available on REMnux and developed by Verisign's iDefense group. It captures all DNS requests sent to the device its running on and lists them in the terminal in real-time.
While I won't be using it in this specific scenario, Wireshark is an incredibly useful packet capture tool. Packet inspection is a very useful technique, especially when characterizing communications between a piece of malware and the infrastructure it's "calling out" to. Dissecting this information can better help paint the picture of what information the malware is sending or receiving.
Developed by Mark Russinovich as part of Windows Sysinternals, Process Monitor captures file, process, registry, and networking events all in real-time. In dynamic analysis, this is magnificent in that in catches a lot of artifacts that may no longer be present by the time an analyst goes digging for evidence. It is also very effective at painting a timeline of events.
PUSHING THE BIG RED BUTTON
Now we're locked and loaded to let the badness run rampant. Here we'll start our analysis of RedLine Stealer with a sample I've pulled from MalwareBazaar. If you're not familiar, you can check them out here. IOCs identified through this process will be summarized at the bottom of the post.
Right out of the gate, here's the evolution of Process Hacker after initial execution:
setup_x86_x64_install.exe spawns setup_installer.exe, which in turn spawns several instances of Sat19d470e8e0597fc47.exe. Process Hacker allows you to take a look at the memory strings during runtime. This can be done by right-clicking on the process of interest, clicking "Properties," navigating to the "Memory" tab, and clicking on "Strings..." Below are screenshots of what this looked like for Sat19d470e8e0597fc47.exe.
We see references to "tempuri[.]org" as well as references to "TryInitNordVPN" and "TryInitOpenVPN." Based on cursory research, the last two references don't appear to be existing open-source libraries/APIs, so these could've been developed by the malware author.
Taking a look over in fakeDNS, we have quite a few attempts to contact domains, aside from general Windows noise:
Over the course of time, the malware consistently attempted to call out to hhieuw33[.]com. We were able to take a closer look at that communication in Fiddler:
In the URL, the malware is attempting to pass some information in the parameters named "sid" and "key." Additionally, the content of the POST request is encoded in multiple layers, with the outermost layer being base64.
Moving to the RegShot comparison, output:
RegShot does an awesome job tracking everything related to the registry, and even goes as far as tracking file and folder events. We can see several that stand out in relation to the activity we've already seen, such as the keys which contain the malware executable names.
In a similar but more robust "all encompassing" ability, Process Monitor grabs a plethora of data as well:
Using some of the pre-built filters located on the toolbar makes it easier to parse through some of the data. This information could be further whittled down if necessary, but during the initial glance I prefer to keep as much digestible information as necessary. Process Monitor has a "process tree" feature, pictured below:
In this image, it can be observed that the processes associated with the malware spawn cmd.exe, which then spawns powershell.exe. There's an event in the Process Monitor data showing PowerShell with a "Process Start" operation after spawning from cmd.exe. This caught my interest because it was a unique operation in comparison with the bulk of PowerShell events. Further analysis resulted in catching this:
For those unfamiliar, Set-MpPreference is a PowerShell cmdlet associated with Windows Defender scans. The malware authors developed the specimen such that it would leverage PowerShell to disable Defender monitoring on the directory where the malware resides. In layman's terms, they're using PowerShell to tell Defender "nothing to see here" when it comes to the folder where all of the badness is. This is what could be considered an evasive maneuver.
A useful tool related to Process Monitor is ProcDOT. Developed by Christian Wojner, it provides correlation and visualization of Process Monitor and PCAP data. If there's a ton of data, the visual can seem convoluted from a zoomed out view, but it helps in showing how processes, file writes, and other events are related.
Without being able to connect back to its "mothership," the malware doesn't do much more than what's already been displayed. In order to further analyze a specimen of this nature, being reliant on a network connection, it would be useful to utilize dispensable hardware, a public network, and a VPN solution, with the intent being to do a full system restoration after detonation. This method is labor intensive and risky and not recommended for folks with minimal experience.
SO...WHAT IS REDLINESTEALER?
RedLineStealer is a credential stealer that targets web browsers. Access to the tool is available on the forums for several hundred dollars. The website HaveIBeenPwned recently added almost half a million entries related to RedLineStealer credential theft. Check it out here if you have concerns regarding your creds and whether or not they've been compromised in a malicious campaign.
Indicators of Compromise (IOCs) for RedLineStealer
File name: setup_x86_x64_install.exe
File hash: a12d74b1756d49531e21f755fef2049ab6c83626f0834cb945c781c39d40a177
File name: Sat19d470e8e0597fc47.exe (or similarly named matching the same alphanumeric pattern)
File path: C:\Users\User\AppData\Local\Temp\7zS4441B019\Sat19d470e8e0597fc47.exe
File hash: BC118B7708D56B93707A9BB025D3BF62D723B7932435A08299F59249C1C37DBE
File name: @.cmd
File path: C:\Users\User\AppData\Local\Temp\IXP000.TMP\@.cmd
File hash: 286227287F1FA79D5D5D909C2F457FC4D0AEFA6BE9E940F9A1F214D113FF88B4
File name: Sat195518974c.exe
File path: C:\Users\User\AppData\Local\Temp\7zS0437FC5D\Sat195518974c.exe
File hash: 13357A53F4C23BD8AC44790AA1DB3233614C981DED62949559F63E841354276A
File name: IXP000.TMP
File path: C:\Users\User\AppData\Local\Temp\IXP000.TMP
Directory: C:\Program Files (x86)\FarLabUninstaller\*
HKLM\SOFTWARE\Microsoft\Tracing\Sat194d446031aec9ca_RASAPI32 HKLM\SOFTWARE\Microsoft\Tracing\Sat194d446031aec9ca_RASMANCS HKLM\SOFTWARE\Microsoft\Tracing\Sat19f1c04426464e86_RASAPI32 HKLM\SOFTWARE\Microsoft\Tracing\Sat19f1c04426464e86_RASMANCS