In early March 2020, Proofpoint researchers observed an email campaign attempting to deliver a previously unknown malware which the malware author calls RedLine Stealer. This name (not to be confused with the FireEye tool “Redline”) can be seen in the forum advertisements, code comments, and command and control (C&C) panel.
The emails in this campaign abused the [email protected] brand, which is a distributed computing project for disease research, while also asking the recipient to help find a coronavirus cure. This campaign primarily targeted healthcare and manufacturing industries in the United States.
RedLine Stealer is new malware available for sale on Russian underground forums with several pricing options: $150 lite version; $200 pro version; $100 / month subscription option. It steals information from browsers such as login, autocomplete, passwords, and credit cards. It also collects information about the user and their system such as the username, their location, hardware configuration, and installed security software. A recent update to RedLine Stealer also added the ability to steal cryptocurrency cold wallets.
RedLine Stealer is written in C#. While not particularly sophisticated, we were surprised by the high quality and readability of the code. Notably with its proper use of delegates, class inheritance, and data models along with using SOAP for its C&C channel. This indicates a moderate-to-high level of experience with the .NET programming language from the developer. RedLine Stealer also appears to be under active development as shown by the recent introduction of new features.