Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- Malicious document attachments used for initial access
- Process injection (process hollowing) used to evade detection
- Command and Control over Discord channels used for data exfiltration
Executive Summary
During our investigation of a recent incident involving the Redline Stealer, we observed a multi-stage attack chain designed to harvest sensitive user credentials and financial data. The actor used social engineering to distribute malicious document attachments that served as the entry point into targeted environments. Our analysis revealed that the actor employed a range of MITRE ATT&CK techniques throughout the attack lifecycle, from initial access through to data exfiltration.
Initial Access
The attack began with a phishing email carrying a macro-enabled Microsoft Word document. When the document was opened, the victim was prompted to enable macros, which initiated the download of the Redline Stealer binary from a remote server. The URL used for this was identified as http://malicious.site/stealer.exe. Once downloaded, the binary was executed directly, leading to a rapid compromise of the target system.
Execution & Persistence
The binary executed on the infected machine without raising alarms because of its evasion capabilities. Upon execution, our analysis revealed that the sample used process hollowing to inject into legitimate processes such as explorer.exe. It created a temporary folder at C:\Users\Public\AppData\Temp\ to store its payload, bypassing common security checks. Registry modifications were made under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to ensure persistence across reboots, allowing the implant to retain a foothold on the infected system.
Command and Control
Command and Control (C2) communication was established with a domain that appears to belong to a compromised Discord channel. The traffic patterns indicated that the malware sent data exfiltrated from the victim's machine directly to the actor's server. The use of Discord as a C2 mechanism is notable because it provides encrypted communication and may evade detection by traditional network security tools. Additionally, the malware beaconed every few minutes to check for command updates or further instructions from the C2.
Lateral Movement & Discovery
Once the implant had established itself, the attacker began lateral movement across the network. Using Windows Management Instrumentation (WMI) and PsExec, the actor deployed additional instances of the Redline Stealer on other connected machines within the same network segment without triggering security alarms. The malware was observed scanning for local user accounts and reporting this information back to the C2 server, which helped the actor expand the attack surface.
Impact & Objectives
The primary objective of the actor was to compromise user credentials, mainly those stored in browsers and various applications. The harvested data was subsequently exfiltrated through the established C2 channel, as evidenced by large outgoing traffic peaks correlating with scans on the network. For affected organizations, the impact can extend to further breaches, since stolen credentials can be reused across multiple services.
MITRE ATT&CK Mapping
- T1566 – Phishing: The initial delivery method involved phishing emails with malicious attachments.
- T1027 – Obfuscated Files or Information: Use of obfuscation techniques to hide the true nature of the application.
- T1055 – Process Injection: Employed process hollowing to evade detection by injecting into a legitimate process.
- T1219 – Remote Services: Utilized remote services for lateral movement.
- T1071 – Application Layer Protocol: Leveraged Discord for C2 communication.
Detection Opportunities
- Monitor for unusual outbound traffic patterns, especially to domains associated with Discord.
- Implement rules to detect the creation of suspicious executables in temporary folders.
- Review registry modifications for persistence mechanisms related to unknown applications.
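The three detection opportunities above, written as simple rules run over constructed Sysmon-style events. This is an added illustration, not tooling from the original report; the event layout, the sample events, the `stealer.exe` and `updater` names and the browser allow-list are assumptions made for the example.

```python
import re

# Constructed Sysmon-style events (sample data for this example, not from the incident).
# event_id: 11 = FileCreate, 13 = RegistryValueSet, 3 = NetworkConnect.
SAMPLE_EVENTS = [
    {"event_id": 11, "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\Public\\AppData\\Temp\\stealer.exe"},
    {"event_id": 13, "image": "C:\\Users\\Public\\AppData\\Temp\\stealer.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"event_id": 3, "image": "C:\\Windows\\explorer.exe", "target": "cdn.discordapp.com"},
    {"event_id": 11, "image": "C:\\Program Files\\Git\\git.exe",
     "target": "C:\\Users\\alice\\project\\README.md"},
    {"event_id": 3, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "target": "cdn.discordapp.com"},
]

# Executable dropped under a temp or Public folder (the report's C:\Users\Public\AppData\Temp\).
TEMP_EXE = re.compile(r"\\(Temp|Public)\\.*\.(exe|dll|scr)$", re.IGNORECASE)
# Value written under the per-user Run / RunOnce persistence keys.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Discord domains; legitimate only from a browser or the Discord client.
DISCORD = re.compile(r"(^|\.)discord(app)?\.com$", re.IGNORECASE)
ALLOWED_DISCORD_CLIENTS = ("firefox.exe", "chrome.exe", "msedge.exe", "discord.exe")


def classify(ev):
    """Return the rule names a single event matches (empty list if benign)."""
    hits = []
    eid, image, target = ev["event_id"], ev["image"], ev["target"]
    if eid == 11 and TEMP_EXE.search(target):
        hits.append("exe_in_temp_folder")
    if eid == 13 and RUN_KEY.search(target):
        hits.append("run_key_persistence")
        # Higher confidence when the process setting persistence itself lives in a temp folder.
        if TEMP_EXE.search(image):
            hits.append("persistence_from_temp_binary")
    if eid == 3 and DISCORD.search(target) and not image.lower().endswith(ALLOWED_DISCORD_CLIENTS):
        hits.append("discord_from_non_browser")
    return hits


def scan(events):
    """Map event index -> matched rules, keeping only events that fired at least one rule."""
    findings = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            findings[i] = hits
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags the temp-folder drop, the Run-key write from the temp binary and the Discord connection from explorer.exe, while the README write and the browser's Discord traffic pass.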
Analyst Notes
This incident demonstrates the continued effectiveness of social engineering and the growing reliance on well-known applications for command and control. Organizations should conduct regular phishing awareness training and invest in layered security so that such attacks can be detected and contained rapidly. Additionally, deploying EDR solutions can provide the visibility and detection capabilities needed to mitigate threats like Redline Stealer.