RedLine Stealer: Masquerades as Telegram Installer

The .Net-based malware has recently been disguised as an installer of the popular secure messaging app, Telegram. 

Stealers are pieces of malicious code written with a hit-and-run mindset, intending to find something of value on an infected computer and return it to its owner. These sinister viruses usually infect through a second-stage payload or by masquerading as legitimate apps. One such stealer is Redline Stealer, which is often used by attackers to steal credentials from unsuspecting users.

According to Minerva, RedLine Stealer employs evasive techniques to bypass the security products, which begins with the unpacking process. The fake setup file is packed and highly obfuscated, like most of the .Net malware. No known packer is found using Detect-It-Easy, implying that the unpacking must be performed manually. 

Most of the variable and function names were scrambled after decompiling the malware, making it difficult to understand the code. The packer developer also decided to implement control flow flattening into the packer in order to make any reverse engineering effort truly miserable. Control flow flattening takes the normal program control flow and modifies it using numerous if/while statements. 

Packers typically use stenography or encryption in their arsenal, what appears to be malformed image files are actually the malicious payload, which is decoded and decrypted by a custom algorithm in the resources directory. 

The payload data is concealed inside the RGB values of image pixels. The first pixel contains the size of the meaningful data inside the image, while the others include the actual data. 

After decoding the image, the packer decodes the payload with the RC2 cipher, revealing and loading a file called “Lightning.dll” into memory. An object named “GameCore.Core” is instantiated from the in-memory DLL file, and inside it, a function named “Game” receives yet another image file from the binary’s resources directory, along with a hardcoded key. 

The “Game” feature decrypts the final payload and then uses process injection to load the malware into another process’s memory space. The payload is then identified, and it is fully un-obfuscated, which allowed seeing its C&C address in cleartext, Minerva reported.