Introduction
Hello again! In this session, we’re embarking on a hands-on investigation to unravel the complex workings of malware through the powerful lens of Wireshark. Our main objective is to dissect the “RedLine Stealer” traffic analysis scenario from malware-traffic-analysis.net.
If you are eager to engage directly with your own equipment, you are invited to download the PCAP specifically for the “RedLine Stealer” scenario. This is among the numerous realistic simulations offered at malware-traffic-analysis.net (https://malware-traffic-analysis.net/). You can find and download the required files for this particular exercise at the provided link (https://unit42.paloaltonetworks.com/wireshark-quiz-redline-stealer/).
Important Warning: Examine Malicious Network Traffic Safely in a Controlled Setting
It’s vital to understand that PCAP files containing malicious content might harbor payloads capable of jeopardizing your system. These files could encompass exploits designed to exploit weaknesses in your network analysis software or even the operating system itself. The mere act of opening a file without proper caution could inadvertently lead to an infection on the system where the analysis is taking place.
In the realm of network analysis, especially when investigating PCAP files loaded with potentially harmful data, operational security should be your top concern. While Wireshark is an incredibly effective tool for such analyses, it’s crucial to remember that it doesn’t automatically shield you from the potential threats hidden in the data you’re examining.
The Scenario: RedLine Stealer
In this section, we turn our attention to the RedLine Stealer scenario, an intriguing and complex case. RedLine Stealer is a type of malware known for its capabilities in information theft, including harvesting sensitive data like passwords, browser history, and even cryptocurrency information from infected systems. It often spreads through deceptive means such as phishing emails or compromised software downloads. Our objective in this investigation is to analyze network traffic associated with this malware to understand its behaviors and identify potential infection vectors.
We are provided with key details that will significantly aid in our Wireshark investigation of the RedLine Stealer scenario.
Local Area Network (LAN) Details
- LAN segment range: 10.7.10[.]0/24 (10.7.10[.]1 through 10.7.10[.]255)
- Domain: coolweathercoat[.]com
- Domain controller IP address: 10.7.10[.]9
- Domain controller hostname: WIN-S3WT6LGQFVX
- LAN segment gateway: 10.7.10[.]1
- LAN segment broadcast address: 10.7.10[.]255
During the course of my analysis, I will address the questions listed on the scenario’s webpage:
- What is the date and time in UTC the infection started?
- What is the IP address of the infected Windows client?
- What is the MAC address of the infected Windows client?
- What is the hostname of the infected Windows client?
- What is the user account name from the infected Windows host?
- What type of information did this RedLine Stealer try to steal?
Additional Information About RedLine Stealer
Introduction to RedLine Stealer Malware
RedLine Stealer, a formidable entity in the cybercrime landscape, emerged as a significant threat to cybersecurity. It is designed to surreptitiously infiltrate systems and extract sensitive data. The malware’s primary functionality lies in its ability to steal personal and financial information, posing a severe risk to both individual users and organizations. Its impact is heightened by its continuous evolution, making it a persistent challenge in cybersecurity defenses.
How RedLine Stealer Operates and its Impact
RedLine Stealer employs various infiltration methods, including phishing schemes and exploiting software vulnerabilities. Once inside a system, it meticulously extracts a wide range of data: from login credentials and banking details to system configurations and browser data like cookies and history. What makes RedLine particularly insidious is its ability to operate stealthily, often bypassing conventional detection methods. This stealth not only enables extensive data breaches but also complicates efforts to track and neutralize the malware.
Preventive Measures and Future Outlook
To combat RedLine Stealer, a combination of preventive measures is crucial. This includes educating users on phishing tactics, ensuring regular updates of software to patch vulnerabilities, and employing robust antivirus and anti-malware solutions. Looking ahead, the future of malware like RedLine Stealer is expected to evolve, bringing new challenges in cybersecurity. Anticipating these changes and adapting defense mechanisms will be key to mitigating the risks posed by such sophisticated malware.
The Analysis
To initiate the analysis, I will begin by modifying the resolved host names to their corresponding IP addresses. This approach simplifies the investigation, making it more comprehensible. Initially, the only alteration I will make involves the domain controller. I will assign it the resolved host name of “Domain Controller,” as illustrated in the image below. This step is crucial for clear identification and tracking of network traffic related to the domain controller in our investigation.

Following the initial setup, the next step in the investigation is to scrutinize the traffic for any signs of suspicious activity. In Wireshark, a highly effective filter for this purpose is “tcp.flags.syn == 1.”
Description of the “tcp.flags.syn == 1” Filter:
- TCP Flags: TCP, or Transmission Control Protocol, uses various flags to manage the state of network communications. These flags are integral parts of the TCP header in each packet.
- SYN Flag: The SYN flag, short for “Synchronize,” is used to initiate a TCP connection. It’s the first step in the three-way handshake process, which is essential for establishing a TCP/IP connection.
- Filter Function: When you apply the filter “tcp.flags.syn == 1” in Wireshark, it filters out all TCP packets except those with the SYN flag set. Essentially, this displays only the packets that are attempting to initiate a new TCP connection.
- Investigation Relevance: This filter is particularly useful in malware traffic analysis, as it helps to identify attempts to establish new connections, which could indicate communication with command and control servers, data exfiltration attempts, or unauthorized access attempts.
Using this filter, we can focus on the initial stages of TCP connections, potentially uncovering the first steps of malicious communications or unauthorized network access attempts, which are common in malware activities like those associated with RedLine Stealer.

Employing the “tcp.flags.syn == 1” filter in Wireshark significantly streamlines our investigation process by reducing the number of packets we need to examine. This filter acts as an efficient sieve, allowing us to focus on the essential packets that are initiating TCP connections.
As we progress with the analysis of these filtered packets, you’ll observe a variety of connections being established: between hosts on the LAN (the domain controller and the end-user machines) and between those end-user machines and various external IP addresses and domain names.
Refining the search to exclude traffic from the domain controller and focus solely on traffic from user devices and other sources is indeed possible. This can be achieved by combining the existing filter with an additional condition that excludes the domain controller’s IP address. Here’s how to do it:
- Combine Filters: Use the logical operator “&&” to combine filters in Wireshark. This operator allows you to apply multiple conditions at once.
- Exclude Domain Controller Traffic: Add the filter “ip.addr != 10.7.10.9”. This condition excludes any packet to or from the IP address of the domain controller, which in this case is 10.7.10.9. Note that “ip.addr” matches both the source and the destination address; on Wireshark releases before 3.6, “!=” on such a multi-valued field meant “any value not equal” and would have kept almost every packet, so the equivalent form “!(ip.addr == 10.7.10.9)” is the safe choice there.
- Complete Filter Syntax: The full filter is “tcp.flags.syn == 1 && ip.addr != 10.7.10.9”. This combination ensures that you see only SYN packets (those initiating TCP connections) that do not involve the domain controller.
By applying this refined filter, you effectively narrow down the dataset to user device traffic and other network activities, excluding the regular, likely benign, traffic from the domain controller. This focus can be particularly helpful in isolating unusual or potentially malicious traffic patterns related to user devices, which might be indicative of malware activity like that of RedLine Stealer.
With the refined filter applied to exclude domain controller traffic, focusing on packets that only initiate TCP connections, identifying suspicious domains within these packets becomes considerably more straightforward.

Investigating the suspicious domains and IP addresses identified in our Wireshark analysis is a critical next step. To do this, we can utilize several reputable online tools that provide detailed insights into potentially malicious web entities. Here’s how we’ll proceed:
- VirusTotal: This tool offers a comprehensive analysis of files and URLs to detect various types of malware. By inputting the suspicious domains or IP addresses into VirusTotal, we can get reports on any known malicious activities associated with them, such as hosting malware, phishing attempts, or other security threats.
- urlscan.io: This service is particularly useful for examining and scrutinizing the behavior of websites. It provides detailed information about the website’s content, associated domains, underlying infrastructure, and more. By scanning the suspicious domains with urlscan.io, we can gather valuable data about their nature and activities.
- Cisco Talos: As a well-respected intelligence group, Cisco Talos offers insights into the reputation and associated risks of IP addresses and domains. By checking our suspicious entities against Cisco Talos’ database, we can understand their credibility and any reported security concerns.
By leveraging these tools, we can deepen our investigation, validate our suspicions, and potentially uncover the nature and extent of the threat posed by these domains and IP addresses. This thorough approach is crucial for a comprehensive understanding of the cybersecurity threats involved.
The first Indicator of Compromise (IoC) we’ll examine is the domain 623start[.]site, which corresponds to the IP address 195[.]161[.]114[.]3.



The second Indicator of Compromise (IoC) in our investigation is the domain guiatelefonos[.]com, associated with the IP address 92[.]118[.]151[.]9.



Investigating both the domain name and the IP address is indeed crucial for a thorough investigation. This dual approach is essential for several reasons:
- Comprehensive Analysis: While the domain name offers a human-readable identifier for the website, the IP address reveals the actual network location. Investigating both provides a complete picture of where and how the suspected malicious activity is occurring.
- Cross-Referencing Data: Sometimes, malicious actors use multiple domain names pointing to the same IP address or vice versa. By examining both, you can uncover a network of related malicious sites or identify other domains hosted on the same compromised server.
- Identifying Host Behavior: Analyzing the IP address can reveal the behavior of the host, including any irregular network activities, geographical locations, and associations with known malicious networks.
- Domain Reputation vs. IP Reputation: A domain might have a neutral reputation while its corresponding IP could be flagged in databases for past malicious activities, or the reverse could be true. Checking both allows for a more accurate risk assessment.
By meticulously investigating both the domain name and IP address, you can gather a more robust set of data.
The investigation of the two Indicators of Compromise (IoCs), 623start[.]site (195[.]161[.]114[.]3) and guiatelefonos[.]com (92[.]118[.]151[.]9), using various reliable sources has led to a significant finding: both IoCs have been confirmed as malicious. This conclusion is based on the comprehensive data gathered from the sources we referenced.
Now that we have established the malicious nature of the identified IoCs, it’s time to address the initial questions that were raised in our investigation.
Question 1
Determining the exact date and time in UTC when the infection started is a critical aspect of understanding the scope and impact of the malware incident. To find this information, we need to analyze the network traffic data captured in our Wireshark investigation, particularly focusing on interactions with the identified malicious IoCs – 623start[.]site (195[.]161[.]114[.]3) and guiatelefonos[.]com (92[.]118[.]151[.]9).
To ascertain the date and time in UTC when the infection began, examining the SYN-filtered packets in Wireshark is the right approach. The key lies in identifying the start of the first three-way handshake between the user’s device and either of the two malicious hosts identified as IoCs.

From this analysis, we have pinpointed the commencement of the infection to be on July 10, 2023, at 22:39:47 UTC.
Question 2
The second question focuses on identifying the IP address of the Windows client that was infected. Within the same packet, the source address identifies the infected Windows client as 10[.]7[.]10[.]47.

Question 3
The third query pertains to identifying the MAC address of the compromised Windows client. This information is retrievable from the Ethernet header of the same packet, revealing the MAC address as 80:86:5b:ab:1e:c4.
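As an added example (not part of the original write-up), the following Python script reproduces what the “tcp.flags.syn == 1 && ip.addr != 10.7.10.9” filter does and then pulls out the first outbound SYN to one of the flagged IP addresses, which is exactly the packet that answers Questions 1 to 3 (UTC time, client IP, client MAC). It uses only the standard library and parses a classic pcap directly. The capture it runs on is constructed inline: the addresses come from the scenario details on this page, while the timestamps, ports and peer MAC addresses are made up. Function names such as “syn_packets” and “first_contact” are my own.

```python
import struct
from datetime import datetime, timezone

DC_IP = "10.7.10.9"                                   # domain controller (scenario value)
FLAGGED_IPS = {"195.161.114.3", "92.118.151.9"}       # IPs behind the two IoC domains (scenario values)


def _ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def _ip_str(b): return ".".join(str(o) for o in b)
def _mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def _mac_str(b): return ":".join(f"{o:02x}" for o in b)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Construct an Ethernet/IPv4/TCP frame with no options (checksums left as zero)."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Serialise (timestamp, frame) pairs as a classic little-endian libpcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]   # global header, linktype 1 = Ethernet
    for ts, fr in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out.append(struct.pack("<IIII", sec, usec, len(fr), len(fr)) + fr)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp, frame_bytes) from a classic pcap; handles both byte orders."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng must be converted first)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return the fields the filter needs, or None if the frame is not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                       # IP protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    flags = tcp[13]
    return {"src_mac": _mac_str(frame[6:12]), "src_ip": _ip_str(ip[12:16]),
            "dst_ip": _ip_str(ip[16:20]), "dport": struct.unpack_from("!H", tcp, 2)[0],
            "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}


def syn_packets(pcap_bytes, exclude_ip=DC_IP):
    """Equivalent of `tcp.flags.syn == 1 && ip.addr != exclude_ip` (keeps SYN and SYN-ACK)."""
    for ts, frame in read_pcap(pcap_bytes):
        f = parse_tcp(frame)
        if f and f["syn"] and exclude_ip not in (f["src_ip"], f["dst_ip"]):
            yield ts, f


def first_contact(pcap_bytes, flagged_ips=FLAGGED_IPS):
    """Earliest client-originated SYN (SYN set, ACK clear) to a flagged IP: answers Q1 to Q3."""
    for ts, f in syn_packets(pcap_bytes):
        if not f["ack"] and f["dst_ip"] in flagged_ips:
            when = datetime.fromtimestamp(ts, tz=timezone.utc)
            return {"utc": when.strftime("%Y-%m-%d %H:%M:%S"), "client_ip": f["src_ip"],
                    "client_mac": f["src_mac"], "remote_ip": f["dst_ip"]}
    return None


# Constructed sample capture: addresses from the scenario, everything else made up.
CLIENT_MAC, CLIENT_IP = "80:86:5b:ab:1e:c4", "10.7.10.47"
T0 = datetime(2023, 7, 10, 22, 39, 47, tzinfo=timezone.utc).timestamp()
SYN, SYN_ACK = 0x02, 0x12
SAMPLE_PCAP = build_pcap([
    (T0 - 30,   build_frame("00:11:22:33:44:55", CLIENT_MAC, DC_IP, CLIENT_IP, 49152, 445, SYN)),
    (T0 - 5,    build_frame(CLIENT_MAC, "00:11:22:33:44:55", CLIENT_IP, DC_IP, 49153, 88, SYN)),
    (T0,        build_frame(CLIENT_MAC, "00:aa:bb:cc:dd:ee", CLIENT_IP, "195.161.114.3", 49154, 80, SYN)),
    (T0 + 0.05, build_frame("00:aa:bb:cc:dd:ee", CLIENT_MAC, "195.161.114.3", CLIENT_IP, 80, 49154, SYN_ACK)),
    (T0 + 3,    build_frame(CLIENT_MAC, "00:aa:bb:cc:dd:ee", CLIENT_IP, "92.118.151.9", 49155, 80, SYN)),
])

if __name__ == "__main__":
    for ts, f in syn_packets(SAMPLE_PCAP):
        print(f"{ts:.3f} {f['src_ip']} -> {f['dst_ip']}:{f['dport']} syn={f['syn']} ack={f['ack']}")
    print(first_contact(SAMPLE_PCAP))
```

To run it against a real capture, replace SAMPLE_PCAP with the contents of the file; “read_pcap” only understands the classic libpcap format, so a pcapng file (the format Wireshark saves by default) has to be exported as pcap first. The SYN-ACK coming back from the remote host also satisfies “tcp.flags.syn == 1”, which is why “first_contact” additionally requires the ACK flag to be clear: that isolates the client’s own connection attempt, whose source fields are the infected host’s IP and MAC.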

Question 4
The next phase in our inquiry involves identifying the hostname of the compromised Windows client. In Wireshark, a particularly adept filter for this task is “dhcp || nbns || http.accept_language || kerberos.CNameString || ip contains "Desktop-"” (the string after “contains” must be in straight double quotes; typographic quotes are rejected by the filter parser).
Description of the “dhcp || nbns || http.accept_language || kerberos.CNameString || ip contains "Desktop-"” Filter:
- DHCP and NBNS: DHCP (Dynamic Host Configuration Protocol) and NBNS (NetBIOS Name Service) are crucial for network configuration and name resolution. Filtering for these protocols can reveal dynamic IP assignments and machine names within the network.
- HTTP Accept-Language: This part of the HTTP header specifies the client’s preferred languages. Monitoring this can provide insights into the locale settings of the network clients, which could be relevant in an investigation.
- Kerberos CNameString: Kerberos, a network authentication protocol, plays a significant role in secure communication within Windows environments. The CNameString in Kerberos tickets represents the client principal name. Filtering for this can help identify user accounts involved in network authentication processes.
- IP Contains "Desktop-": This filter component matches packets whose bytes, anywhere in the IP packet (header or payload), contain the literal string “Desktop-”. It is useful for pinpointing hostnames that follow a naming convention, such as those beginning with “Desktop-”. Note that “contains” is case-sensitive, so an all-capitals hostname such as DESKTOP-… is only found by this clause if the case matches; “ip matches "(?i)desktop-"” performs the same search case-insensitively.

The hostname for the compromised Windows Client has been identified as DESKTOP-9PEA63H.
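Added example, not code from the original post: two of the protocols in the hostname filter carry the machine name in different forms. DHCP option 12 (Host Name) carries it as plaintext, so a byte-level search such as “ip contains” can find it, whereas NBNS carries it in NetBIOS first-level encoding (each byte of the 16-byte name split into two letters from A to P), which no plain string filter on the raw packet will ever match. That is why the filter ORs several protocols together rather than relying on “contains” alone. The script below decodes both from packets constructed inline (hostname from the scenario; transaction IDs and MAC filler made up); it does not cover Kerberos CNameString, which sits inside ASN.1 and needs a proper decoder. Helper names are mine.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"


def dhcp_options(payload):
    """Return {option_code: value_bytes} from a BOOTP/DHCP payload (fixed header, magic cookie, TLV options)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("no DHCP magic cookie at offset 236")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                  # End option
            break
        if code == 0:                    # Pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dhcp_hostname(payload):
    """Option 12 as sent by a Windows client in its DISCOVER/REQUEST, or None."""
    value = dhcp_options(payload).get(12)
    return value.decode("ascii", "replace") if value else None


def nbns_decode_name(label):
    """Reverse NetBIOS first-level encoding: 32 letters A..P -> 15-byte name + 1-byte suffix."""
    if len(label) != 32:
        raise ValueError("NetBIOS first-level label must be 32 characters")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def nbns_names(payload):
    """Decoded (name, suffix) for every question in an NBNS packet (no scope IDs)."""
    qdcount = struct.unpack_from("!H", payload, 4)[0]
    i, names = 12, []                    # 12-byte DNS-style header
    for _ in range(qdcount):
        length = payload[i]
        names.append(nbns_decode_name(payload[i + 1:i + 1 + length]))
        i += 1 + length + 1 + 4          # label, terminating zero, QTYPE, QCLASS
    return names


# --- constructed sample packets -------------------------------------------------
def _nb_encode(name, suffix):
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)


def build_dhcp_request(hostname, client_mac):
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)            # op..giaddr (28 bytes)
    fixed += bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")        # chaddr
    fixed += b"\0" * 64 + b"\0" * 128                                           # sname, file
    opts = b"\x35\x01\x03" + b"\x0c" + bytes([len(hostname)]) + hostname.encode("ascii") + b"\xff"
    return fixed + DHCP_MAGIC + opts


def build_nbns_query(hostname, suffix=0x20):
    header = struct.pack("!HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0)               # made-up txid, recursion desired
    return header + bytes([32]) + _nb_encode(hostname, suffix) + b"\x00" + struct.pack("!HH", 0x20, 1)


HOST = "DESKTOP-9PEA63H"                                                       # hostname from the scenario
SAMPLE_DHCP = build_dhcp_request(HOST, "80:86:5b:ab:1e:c4")
SAMPLE_NBNS = build_nbns_query(HOST)

if __name__ == "__main__":
    print("DHCP option 12:", dhcp_hostname(SAMPLE_DHCP))
    print("NBNS question :", nbns_names(SAMPLE_NBNS))
    print("'contains DESKTOP-' hits DHCP:", b"DESKTOP-" in SAMPLE_DHCP, "NBNS:", b"DESKTOP-" in SAMPLE_NBNS)
```

The suffix byte returned for NBNS (0x20 here, the workstation service) is what Wireshark shows as the NetBIOS name type; the same machine will normally also register 0x00. On a real capture, feed the UDP payloads of the DHCP (port 67/68) and NBNS (port 137) packets to these functions.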
Question 5
The fifth query also focuses on related information, specifically seeking the user account name associated with the infected Windows host. This data can be obtained using the same filter previously mentioned.

The user account name identified on the infected Windows host is rwalters.
Question 6
The concluding inquiry revolves around the nature of data targeted by the RedLine Stealer malware. This particular malware was designed to exfiltrate a diverse range of information from the affected machine.

By analyzing the TCP Stream of a packet directed to the IP address 194[.]26[.]135[.]119, we can discern the specific areas and files where the malware was actively searching for information.

The malware conducted a thorough search targeting several file types and user data across various locations. Specifically, it scoured the Desktop and Documents folders for files with extensions like .txt, .doc, key, wallet, and seed. Additionally, the malware sought user data in multiple browsers, including Chrome and Edge, among others. Its search extended to information related to cryptocurrency wallets, with a focus on identifying details from wallets such as Tronlink, NiftyWallet, Metamask, and others.

Deeper into the packet analysis, it was observed that the malware also made efforts to discover API keys for a variety of services.
Toward the end of the data stream, evidence of the extracted information from this machine was found. This included a set of login credentials and a Word document.

The investigation revealed that login credentials for the website coolweathercoat[.]com were compromised. Additionally, a document named “Top_secret_document.docx” was identified, located in the Documents folder of the infected machine.
Conclusion
As our comprehensive journey through the intricate network of RedLine Stealer malware concludes, we stand equipped with deeper insights and a nuanced understanding of its operations. This analysis, leveraging the potent capabilities of Wireshark, not only illuminated the covert pathways this malware treads but also showcased the intricate mechanisms it employs to infiltrate and exploit systems. The meticulous investigation of network traffic, coupled with the focused examination of specific Indicators of Compromise (IoCs), has revealed how stealthily RedLine Stealer navigates to siphon off a diverse array of sensitive information.
Crucially, this exercise underscores the importance of vigilance and advanced tools in the ongoing battle against cyber threats. It highlights the need for robust cybersecurity practices, including regular updates to network analysis tools and a keen awareness of the evolving tactics used by malware like RedLine Stealer. Furthermore, the analysis reiterates the significance of employing comprehensive filters and leveraging external verification resources to deepen investigative accuracy and scope.
In conclusion, our journey through the network intricacies of RedLine Stealer using Wireshark serves as a testament to the power of thorough cyber investigation. It reinforces the need for continuous learning and adaptation in the field of cybersecurity, ensuring that we remain one step ahead in the relentless pursuit of digital safety and integrity.
If you have any questions or need further clarification about the intricacies of the RedLine Stealer malware, the use of Wireshark for network analysis, or any aspect of my investigation, please don’t hesitate to ask. Whether your inquiries are about the specific steps of the analysis, the interpretation of the data, or broader questions regarding cybersecurity practices, I’m here to assist.