Stealers are pieces of malicious code written with a hit and run mentality – their main purpose is to find anything of value on an infected device and exfiltrate it back to its operator. The common infection method of these nefarious viruses is either as a second stage payload or by masquerading as legitimate software. Redline Stealer is one such stealer which is commonly used by attackers to harvest credentials from unsuspecting users. The .Net based malware has recently been disguised as an installer of the popular secure messaging app, Telegram. In this blog we will unpack RedLine Stealer and show the evasive techniques it uses to bypass security products.
The Unpacking Process:
Like Most .Net malware, the fake setup file is packed and highly obfuscated. Using Detect-It-Easy, no known packer is identified, which means the unpacking should be done manually.
After decompiling the malware, we can see that most of the variable and function names were scrambled, making it harder to understand the code. In order to induce a truly miserable experience for any reverse engineering effort, the packer developer also decided to introduce control flow flattening into the packer. Control flow flattening takes the normal program control flow and modifies it using numerous if/while statements.
A mild example of the control flow obfuscation:
Packers usually employ stenography or encryption in their arsenal, this sample successfully uses both. In its resources directory lies what looks like malformed image files, but actually contain the malicious payload, which will be decoded and decrypted by a custom algorithm.
The deobfuscated image decoding function:
As can be seen in the graphic above, the payloads data is hidden inside the RGB values of the image pixels. The first four pixels contain the size of meaningful data inside the image, and the others are the actual data.
After decoding the image, the packer uses RC2 stream cipher to decipher the payload, a file named “Lightning.dll” is revealed and loaded into the memory. From the in-memory DLL file, an object named “GameCore.Core” is instantiated and in it a function named “Game” receives yet another image file from the binary’s resources directory together with a hardcoded key. The “Game” function decrypts the final payload and will later use process injection to load the malware into the memory space of another process.
The RC2 decryption function (deobfuscated):
The code responsible for loading and calling the “Game” function:
Finally, the actual payload is revealed, and to our luck, its entirely un-obfuscated, allowing us to see its C&C address in cleartext:
d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25 (Unpacked RedLine Stealer)