RedLine Stealer: Masquerades as Telegram Installer

The .Net-based malware has recently been disguised as an installer of the popular secure messaging app, Telegram. 

Stealers are pieces of malicious code written with a hit-and-run mindset: they look for something of value on an infected computer and send it back to their operator. These sinister programs usually arrive as a second-stage payload or by masquerading as legitimate apps. One such stealer is RedLine Stealer, which attackers often use to steal credentials from unsuspecting users.

According to Minerva, RedLine Stealer employs evasive techniques to bypass security products, beginning with the unpacking process. Like most .Net malware, the fake setup file is packed and highly obfuscated. Detect-It-Easy does not identify any known packer, implying that the unpacking must be performed manually.

Most of the variable and function names were scrambled, so the decompiled code is difficult to follow. The packer developer also implemented control flow flattening in the packer to make any reverse engineering effort truly miserable. Control flow flattening takes the program's normal control flow and rewrites it as numerous if/while statements.
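To make the transformation concrete, here is an added example (not code from the article or from RedLine) of one small function in its natural form and in a control-flow-flattened form. The flattened version replaces the loop and its nested if with a dispatcher loop and a state variable, which is the shape an analyst sees in decompiled output; the function name and the state numbering are made up for illustration.

```python
# Added example: the same logic written normally and after control-flow flattening.
# Neither function is from RedLine; they only illustrate the obfuscation technique.

def count_vowels_plain(text: str) -> int:
    """Natural control flow: one loop, one if."""
    total = 0
    for ch in text:
        if ch.lower() in "aeiou":
            total += 1
    return total


def count_vowels_flattened(text: str) -> int:
    """Same logic after flattening: each basic block becomes one branch of a
    dispatcher loop, and a state variable decides which block runs next.
    The original loop/if nesting is gone, which is why decompiled code with
    this transformation is so hard to read."""
    state = 0
    i = 0
    total = 0
    result = None
    while True:
        if state == 0:          # entry block: initialise counters
            i, total = 0, 0
            state = 1
        elif state == 1:        # loop condition: more characters?
            state = 2 if i < len(text) else 4
        elif state == 2:        # loop body: test the current character
            state = 3 if text[i].lower() in "aeiou" else 5
        elif state == 3:        # branch taken: count the vowel
            total += 1
            state = 5
        elif state == 5:        # loop increment, then back to the condition
            i += 1
            state = 1
        elif state == 4:        # exit block
            result = total
            break
    return result


if __name__ == "__main__":
    sample = "Telegram Setup"
    print(count_vowels_plain(sample), count_vowels_flattened(sample))
```

When reversing flattened code, the practical approach is to identify the state variable and the dispatcher, then record each branch's assignment to the state variable to rebuild the original block graph; the constant-to-constant transitions above (0 to 1, 1 to 2 or 4, and so on) are exactly the edges that get recovered.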

Packers typically use steganography or encryption in their arsenal. Here, what appear to be malformed image files in the resources directory are actually the malicious payload, which is decoded and decrypted by a custom algorithm.

The payload data is concealed inside the RGB values of image pixels. The first pixel contains the size of the meaningful data inside the image, while the others include the actual data. 
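As an added example of the extraction step an analyst would script (not RedLine's own decoder, whose exact layout is not given in the article), the code below hides a blob in a constructed list of RGB pixels using the scheme just described: the first pixel stores the length, the remaining pixels carry the bytes. The length encoding (24-bit big-endian across R, G, B) and the byte order within each pixel are assumptions; with Pillow, `list(Image.open(path).convert("RGB").getdata())` yields the same pixel-tuple list from a real file.

```python
# Added example: embed and extract a payload hidden in RGB pixel values,
# where the first pixel holds the payload size. The encoding details are
# assumed for illustration and are not RedLine's actual algorithm.
from typing import List, Tuple

Pixel = Tuple[int, int, int]


def decode_length(first_pixel: Pixel) -> int:
    """Assumed layout: 24-bit big-endian length spread over R, G, B."""
    r, g, b = first_pixel
    return (r << 16) | (g << 8) | b


def embed_payload(data: bytes, width: int = 8) -> List[Pixel]:
    """Build a constructed 'image' (flat pixel list) carrying `data`.
    Only used here to produce test input; an analyst would read pixels
    from the suspicious resource instead."""
    n = len(data)
    if n >= 1 << 24:
        raise ValueError("payload too large for a 24-bit length field")
    body = data + bytes((-n) % 3)            # pad to a multiple of 3 bytes
    pixels: List[Pixel] = [((n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF)]
    for i in range(0, len(body), 3):
        pixels.append((body[i], body[i + 1], body[i + 2]))
    while len(pixels) % width:                # fill the last row with black
        pixels.append((0, 0, 0))
    return pixels


def extract_payload(pixels: List[Pixel]) -> bytes:
    """Recover the hidden bytes: read the length from pixel 0, then take
    that many bytes from the R,G,B channels of the following pixels."""
    if not pixels:
        raise ValueError("empty pixel data")
    length = decode_length(pixels[0])
    raw = bytes(channel for px in pixels[1:] for channel in px)
    if length > len(raw):
        # Sanity check: a declared size larger than the image can hold means
        # either a wrong layout guess or a truncated/damaged resource.
        raise ValueError(
            f"declared length {length} exceeds {len(raw)} available bytes")
    return raw[:length]


if __name__ == "__main__":
    # Constructed sample: not a real payload, just bytes to round-trip.
    sample = b"constructed sample blob - next stage would be decrypted"
    carrier = embed_payload(sample, width=4)
    recovered = extract_payload(carrier)
    print(len(carrier), "pixels;", len(recovered), "bytes recovered")
    assert recovered == sample
```

The recovered blob is still the encrypted payload; the article's next step (decryption) follows from here. A quick indicator that an image resource is a carrier rather than a picture is that the trailing pixel data is high-entropy and the declared length sits suspiciously close to the file's capacity.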

After decoding the image, the packer decodes the payload with the RC2 c ..
