Recently, the RedSense HUNT team has been working to understand how adversaries train their own pentesting teams to infect a victim environment and deploy stealer malware. Our ultimate goal is to educate RedSense partners on what to expect from adversaries.
Based on what we found in instructional videos created by the adversaries themselves, we have made numerous informative discoveries and one which shocked us and proves there really is no honor among thieves.
RedSense observed adversarial training sets based around the exploitation of the victim environment, introduced by fraudsters with a wide range of credibility and skill. Such cases typically involve an example scenario featuring two virtual machines: This simulation offers a C2 panel and bot, both demonstrated simultaneously on two VMs. It also features the RedLine stealer malware. One of these VMs (C2 panel) naturally represents the attacker, while the other one (bot) represents the victim.
One notable training set was offered on August 10, 2023, in an adversarial Telegram channel that advertises itself as one of the top channels related to botnet malware analysis. Using primary source intel, our team confirmed that the channel is highly regarded by botnet developers and users.
It also appears that the channel’s userbase has established an additional profit venue as well. Two posts were added to the Telegram channel.
The first post featured a video tutorial for launching the RedLine C2 panel. This was shared from another private Telegram channel, “Botnet 2.0”. The post includes a step-by-step guide on initializing the C2 panel (as a Windows application written in C#). After launching, the viewer is able to see the operating panel window, which contains the typical functionality of a standard RedLine panel, including:
- Log viewer (information extracted by the stealer)
- A statistical tab for the logs (which includes the number of stolen logs divided by categories and countries)
- A builder tab where new malware builds can be generated with parameter modifications
The second post contained a .zip archive named “REDLINE-STEALER-V20.2 .zip”. The name suggests that it contains the aforementioned C2 panel build to be used in accordance with the video tutorial. The file listing included in this post appears plausibly authentic based on file names. This is especially noticeable for anyone with experience regarding RedLine and who is familiar with the original files of RedLine’s panels.
After examining the extracted source code of the executables, it became clear to RedSense that instead of the executable files for the C2 panel, the .zip archive contained malware stealers. This way, a user of the channel who downloads it would instead infect their own environment after unpacking the .zip.
By posting this malicious archive file, the channel’s admins infect the less experienced users who are trying to learn more about malware. RedSense analysts believe that this method of “culling” helps to eliminate potential competition within the threat landscape by discouraging new users.
