A Quick Look at Redline Malware
This Week's Malware
Every week ANY.RUN posts statistics on the malware uploaded to its service; this week's list looked like this.
Fresh TOP10📊 #malware uploads on ANYRUN
— ANY.RUN (@anyrun_app) January 31, 2022
⬆️ #Emotet 2388 (614)🚀
⬆️ #Redline 428 (370)
⬆️ #Formbook 289 (124)
⬆️ #Njrat 256 (200)
⬆️ #Lokibot 203 (85)
⬆️ #Snake 133 (28)
⬇️ #Remcos 95 (108)
⬇️ #Asyncrat 89 (114)
⬆️ #AgentTesla 58 (45)
⬇️ #Nanocore 52 (81) https://t.co/98nRpXOxWw
So far I have only analysed Emotet, Loki and AgentTesla, so I want to work through the others in the list eventually; this time I look at Redline.
Redline
RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. https://any.run/malware-trends/redline
In one sentence: Redline harvests a user's confidential data and then pulls in other malware.
ANY.RUN execution example
Main behaviour
First, the execution example linked from the page above.
app.any.run
The process is labelled Game Launcher, so was this program disguised as some kind of game?
The sandbox then records the sample writing the file below. Its contents are not harvested system information but the .NET CLR's assembly usage log (the *.exe.log the runtime writes under %LOCALAPPDATA%\Microsoft\CLR_v4.0\UsageLogs\ for the Auto NGEN service), listing the assemblies the process loaded and the native images it used. It still tells us something: the sample is a .NET Framework 4 program that pulls in Microsoft.VisualBasic, System.Windows.Forms, System.Drawing and System.Runtime.Remoting.
883f69a967aae4c2e4cf7ebb837cd98f.exe.log
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\07eae4bab7291c75acf7b897a1f48888\System.ni.dll",0
3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\4142877f41ab0d54cecec517b425f77c\System.Drawing.ni.dll",0
3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c0248323ae4e9811fb9bcd98ad2586fb\System.Windows.Forms.ni.dll",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Core\0b78981bac0916a597255ea432a5baee\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Configuration\888402a24b121f68a8fb6bad219a778f\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Xml\52065e2179318dc2933f6a0f8373ea44\System.Xml.ni.dll",0
2,"System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
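When triaging a sandbox report it is handy to turn a CLR usage log like the one above into a plain list of loaded assemblies. The following is an added example (my own code, not from the page or from ANY.RUN): the records are comma-delimited with quoted fields, so the csv module parses them directly; the record kinds 2 and 3 are taken from what is visible in the log (3 carries a native-image path, 2 does not), and the sample input is a constructed excerpt of the log above.

```python
"""Extract loaded assemblies from a .NET CLR usage log (*.exe.log under
%LOCALAPPDATA%\\Microsoft\\CLR_v4.0\\UsageLogs\\). Added example, not page code."""
import csv
import io
import re

# Constructed excerpt of the usage log shown on the page, one record per line.
USAGE_LOG = r'''1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\07eae4bab7291c75acf7b897a1f48888\System.ni.dll",0
3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c0248323ae4e9811fb9bcd98ad2586fb\System.Windows.Forms.ni.dll",0
2,"System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
'''

NATIVE_IMAGE_DIR_RE = re.compile(r"NativeImages_(v[\d.]+_\d+)")


def _assembly(display_name, native_image):
    """Split a .NET display name ("Name, Version=..., Culture=..., PublicKeyToken=...")."""
    parts = [p.strip() for p in display_name.split(",")]
    props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return {
        "name": parts[0],
        "version": props.get("Version"),
        "public_key_token": props.get("PublicKeyToken"),
        "native_image": native_image,  # None when the CLR used no NGEN image
    }


def parse_usage_log(log_text):
    """Return the assemblies named in the log, in load order.

    Record kind 2 = assembly without a native image path, kind 3 = assembly
    followed by the NativeImages path it was served from (as seen in the log).
    Kind 1 records (fusion/WinRT bookkeeping) are skipped.
    """
    assemblies = []
    for rec in csv.reader(io.StringIO(log_text)):
        if not rec:
            continue
        if rec[0] == "2" and len(rec) >= 2:
            assemblies.append(_assembly(rec[1], None))
        elif rec[0] == "3" and len(rec) >= 3:
            assemblies.append(_assembly(rec[1], rec[2]))
    return assemblies


def native_image_dirs(assemblies):
    """CLR version/bitness tokens of the NativeImages directories that were used
    (e.g. v4.0.30319_32): one quick hint about which runtime flavour ran the sample."""
    tokens = set()
    for a in assemblies:
        if a["native_image"]:
            m = NATIVE_IMAGE_DIR_RE.search(a["native_image"])
            if m:
                tokens.add(m.group(1))
    return tokens


if __name__ == "__main__":
    loaded = parse_usage_log(USAGE_LOG)
    for a in loaded:
        print(f"{a['name']:<28} {a['version']:<10} {a['native_image'] or '-'}")
    print("native image dirs:", native_image_dirs(loaded))
```

Run against a real UsageLogs file the output is the same kind of table; the assemblies a stealer references (System.Windows.Forms for screenshots, System.Runtime.Remoting for its WCF-style channel) are often a quicker first hint than waiting for network traffic.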
The sample then launches a second copy of itself.
The events the sandbox flags as Redline behaviour are:
REDLINE was detected 1/2
Process: C:\Users\admin\AppData\Local\Temp\883f69a967aae4c2e4cf7ebb837cd98f.exe
IpDst: 45.76.235.60
IpSrc: 192.168.100.223
PortDst: 49976
PortSrc: 59178
REDLINE was detected 2/2
Process: C:\Users\admin\AppData\Local\Temp\883f69a967aae4c2e4cf7ebb837cd98f.exe
IpDst: 192.168.100.223
IpSrc: 45.76.235.60
PortDst: 59178
PortSrc: 49976
Looking at the network stream:
Send: 239 b  Timeshift: 41649 ms
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 45.76.235.60:49976
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Recv: 25 b  Timeshift: 41787 ms
HTTP/1.1 100 Continue

Send: 137 b  Timeshift: 41787 ms
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Recv: 359 b  Timeshift: 41926 ms
HTTP/1.1 200 OK
Content-Length: 212
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 28 Jul 2021 12:34:58 GMT

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>

Send: 366 b  Timeshift: 46979 ms
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 45.76.235.60:49976
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettings xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Recv: 4.80 Kb  Timeshift: 47521 ms
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Content-Length: 4744
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 28 Jul 2021 12:35:04 GMT

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths 
xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Iridium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\7Star\7Star\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\CentBrowser\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Chedot\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Vivaldi\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Kometa\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Elements Browser\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Epic Privacy Browser\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\uCozMedia\Uran\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer</b:string><b:string>%USERPROFILE%\AppData\Local\CatalinaGroup\Citrio\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Coowon\Coowon\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\liebao\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\QIP Surf\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Orbitum\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Comodo\Dragon\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Amigo\User\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Torch\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Yandex\YandexBrowser\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Comodo\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\360Browser\Browser\User 
Data</b:string><b:string>%USERPROFILE%\AppData\Local\Maxthon3\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\K-Melon\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Sputnik\Sputnik\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Nichrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\CocCoc\Browser\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Uran\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Chromodo\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Mail.Ru\Atom\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\BraveSoftware\Brave-Browser\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Microsoft\Edge\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\NVIDIA Corporation\NVIDIA GeForce Experience</b:string><b:string>%USERPROFILE%\AppData\Local\Steam</b:string><b:string>%USERPROFILE%\AppData\Local\CryptoTab Browser\User Data</b:string></a:ScanChromeBrowsersPaths><a:ScanDiscord>true</a:ScanDiscord><a:ScanFTP>true</a:ScanFTP><a:ScanFiles>true</a:ScanFiles><a:ScanFilesPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%userprofile%\Desktop|*.txt,*.doc*,*key*,*wallet*,*seed*|0</b:string><b:string>%userprofile%\Documents|*.txt,*.doc*,*key*,*wallet*,*seed*|0</b:string></a:ScanFilesPaths><a:ScanGeckoBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Roaming\Mozilla\Firefox</b:string><b:string>%USERPROFILE%\AppData\Roaming\Waterfox</b:string><b:string>%USERPROFILE%\AppData\Roaming\K-Meleon</b:string><b:string>%USERPROFILE%\AppData\Roaming\Thunderbird</b:string><b:string>%USERPROFILE%\AppData\Roaming\Comodo\IceDragon</b:string><b:string>%USERPROFILE%\AppData\Roaming\8pecxstudios\Cyberfox</b:string><b:string>%USERPROFILE%\AppData\Roaming\NETGATE Technologies\BlackHaw</b:string><b:string>%USERPROFILE%\AppData\Roaming\Moonchild Productions\Pale 
Moon</b:string></a:ScanGeckoBrowsersPaths><a:ScanScreen>true</a:ScanScreen><a:ScanSteam>true</a:ScanSteam><a:ScanTelegram>true</a:ScanTelegram><a:ScanVPN>true</a:ScanVPN><a:ScanWallets>true</a:ScanWallets></EnvironmentSettingsResult></EnvironmentSettingsResponse></s:Body></s:Envelope>
The recording of this run ends here, but in other runs the sample goes on to upload the collected system information to the same server. Note that the CheckConnect/EnvironmentSettings exchange above is already the C2 conversation: plain-text SOAP over HTTP on a non-standard port (49976), with the SOAPAction values under http://tempuri.org/ (the default WCF service namespace) and the Microsoft-HTTPAPI/2.0 Server header pointing at a WCF service on the attacker's host. The server hands the stealer its scan configuration at run time rather than the client carrying it, so the targets can be changed per campaign without touching the binary.
Searching ANY.RUN for redline turns up samples distributed under game-related names such as Fortnite and GTA5.
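Two things a practitioner would want from the capture above are a way to recognise this C2 pattern in other HTTP streams and a way to turn the EnvironmentSettings response into a readable target list. The block below is an added example, not code from the page or from ANY.RUN: it pulls SOAPAction headers out of a decoded stream, applies a heuristic built from the two calls seen here, and parses the configuration XML into a dataclass. The sample stream and the sample response are constructed excerpts of the capture above (the response is shortened to a few of the paths the page lists); the function names and the StealerConfig type are my own.

```python
"""Triage helpers for the RedLine WCF/SOAP C2 exchange seen in the sandbox stream.
Added example, not code from the page; names are my own."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespaces exactly as they appear in the captured EnvironmentSettings response.
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
TEMPURI = "{http://tempuri.org/}"
CFG = "{BrowserExtension}"
ARR = "{http://schemas.microsoft.com/2003/10/Serialization/Arrays}"

# Constructed excerpt of the client side of the stream (headers as on the page).
SAMPLE_STREAM = r'''POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 45.76.235.60:49976

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 45.76.235.60:49976

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettings xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
'''

# Constructed: the server's EnvironmentSettings response, shortened to a few paths.
SAMPLE_RESPONSE = r'''<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Microsoft\Edge\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Steam</b:string></a:ScanChromeBrowsersPaths><a:ScanDiscord>true</a:ScanDiscord><a:ScanFTP>true</a:ScanFTP><a:ScanFiles>true</a:ScanFiles><a:ScanFilesPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%userprofile%\Desktop|*.txt,*.doc*,*key*,*wallet*,*seed*|0</b:string><b:string>%userprofile%\Documents|*.txt,*.doc*,*key*,*wallet*,*seed*|0</b:string></a:ScanFilesPaths><a:ScanGeckoBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Roaming\Mozilla\Firefox</b:string><b:string>%USERPROFILE%\AppData\Roaming\Thunderbird</b:string></a:ScanGeckoBrowsersPaths><a:ScanScreen>true</a:ScanScreen><a:ScanSteam>true</a:ScanSteam><a:ScanTelegram>true</a:ScanTelegram><a:ScanVPN>true</a:ScanVPN><a:ScanWallets>true</a:ScanWallets></EnvironmentSettingsResult></EnvironmentSettingsResponse></s:Body></s:Envelope>'''

SOAPACTION_RE = re.compile(r'^SOAPAction:\s*"([^"]+)"', re.MULTILINE)
ENDPOINT_PREFIX = "http://tempuri.org/Endpoint/"
REDLINE_METHODS = {"CheckConnect", "EnvironmentSettings"}


def extract_soap_actions(stream_text: str) -> list[str]:
    """All SOAPAction header values in a decoded HTTP stream, in order."""
    return SOAPACTION_RE.findall(stream_text)


def looks_like_redline_c2(actions: list[str]) -> bool:
    """Heuristic from this capture. tempuri.org is the default WCF namespace, so the
    prefix alone is weak; require both Endpoint/CheckConnect and Endpoint/EnvironmentSettings."""
    methods = {a[len(ENDPOINT_PREFIX):] for a in actions if a.startswith(ENDPOINT_PREFIX)}
    return REDLINE_METHODS <= methods


@dataclass
class StealerConfig:
    flags: dict[str, bool] = field(default_factory=dict)       # Scan*, Object4, Object6
    chrome_paths: list[str] = field(default_factory=list)
    gecko_paths: list[str] = field(default_factory=list)
    file_rules: list[tuple[str, list[str], str]] = field(default_factory=list)
    blocked_countries: list[str] = field(default_factory=list)
    blocked_ips: list[str] = field(default_factory=list)


def _strings(elem: ET.Element) -> list[str]:
    return [s.text for s in elem.findall(f"{ARR}string") if s.text]


def parse_file_rule(rule: str) -> tuple[str, list[str], str]:
    """'dir|glob1,glob2|0': the third field's meaning is not visible in the capture, so it is kept raw."""
    directory, patterns, extra = rule.split("|", 2)
    return directory, patterns.split(","), extra


def parse_environment_settings(xml_text: str) -> StealerConfig:
    root = ET.fromstring(xml_text)
    result = root.find(f"{SOAP}Body/{TEMPURI}EnvironmentSettingsResponse/{TEMPURI}EnvironmentSettingsResult")
    if result is None:
        raise ValueError("not an EnvironmentSettings response")
    cfg = StealerConfig()
    for child in result:
        name = child.tag.replace(CFG, "")
        if name == "ScanChromeBrowsersPaths":
            cfg.chrome_paths = _strings(child)
        elif name == "ScanGeckoBrowsersPaths":
            cfg.gecko_paths = _strings(child)
        elif name == "ScanFilesPaths":
            cfg.file_rules = [parse_file_rule(r) for r in _strings(child)]
        elif name == "BlockedCountry":
            cfg.blocked_countries = _strings(child)
        elif name == "BlockedIP":
            cfg.blocked_ips = _strings(child)
        elif child.text in ("true", "false"):
            cfg.flags[name] = child.text == "true"
    return cfg


def enabled_scans(cfg: StealerConfig) -> list[str]:
    """Names of the Scan* switches the operator turned on."""
    return sorted(k for k, v in cfg.flags.items() if k.startswith("Scan") and v)


if __name__ == "__main__":
    actions = extract_soap_actions(SAMPLE_STREAM)
    print("SOAPActions:", actions, "-> redline-like:", looks_like_redline_c2(actions))
    cfg = parse_environment_settings(SAMPLE_RESPONSE)
    print("enabled:", enabled_scans(cfg))
    for directory, globs, extra in cfg.file_rules:
        print("file grab:", directory, globs, "flag", extra)
```

The SOAPAction check is deliberately narrow: tempuri.org shows up in any WCF service whose author never set a namespace, so a rule on that prefix alone would fire on legitimate internal services. Matching the Endpoint/CheckConnect and Endpoint/EnvironmentSettings pair (ideally together with a non-standard port, as here) is what this capture actually supports.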
FortniteSkinCHanger.exe (MD5: F803C412DDD5FB5E90ADE6D7FB07C84A) - Interactive analysis - ANY.RUN
GTA5 hack by Spyro.exe (MD5: AE6599AA72D5980D9CF653BBCC0D26AE) - Interactive analysis - ANY.RUN
What makes it an info stealer
My reading is that the EnvironmentSettings response above is the stealer's configuration, and that this set of targets is what makes Redline an info stealer: profile directories of Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi, Yandex and a long tail of lesser-known ones) plus Battle.net, Steam and NVIDIA GeForce Experience data, Gecko-based browsers and Thunderbird, Discord, FTP clients, Telegram, VPN clients, cryptocurrency wallets, a screenshot, and files on the Desktop and in Documents matching *.txt, *.doc*, *key*, *wallet*, *seed*. The empty BlockedCountry and BlockedIP lists suggest the operator can also restrict which victims are processed; Object4 and Object6 are switches whose meaning cannot be read from the capture.
Aside
When I checked, the link marked "*" pointed to Raccoon rather than Redline.
ANY.RUN allows researchers to perform the analysis and watch the RedLine in action in an "interactive sandbox simulation"
https://any.run/malware-trends/redline
I thought this was odd and reported it to ANY.RUN, and they gave me one month of an ANY.RUN Tester license, which according to them is a subscription equivalent to the Hunter license.
In other words, I unexpectedly ended up with a month of the Hunter license.