How to detect RedLine Infostealer with Wazuh

RedLine Infostealer is a malware designed to steal sensitive information from infected Windows endpoints. It targets a variety of sources, including web browsers, cryptocurrency wallets, and applications like FileZilla, Discord, Steam, Telegram, and VPN clients.
RedLine also scans the infected machine to enumerate running processes, installed programs, antivirus products, the Windows product name, and the processor architecture. The attackers then exfiltrate this information to a remote location under their control.
This blog post uses Wazuh to detect RedLine Infostealer on a victim endpoint.
RedLine Infostealer performs the following actions on the victim endpoint:
It downloads executables to the C:\Users\<USERNAME>\AppData\Local\Temp folder using an encoded PowerShell command. These executables steal browser cookies, stored credentials, and other application secrets.
It modifies the C:\Windows\system32\drivers\etc\hosts file to block the victim endpoint from communicating with antimalware services.
It adds the C:\Users\<UserProfile> and C:\Program Files folders to the Windows Defender exclusion list using the PowerShell command below:
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
The malware maintains persistence by creating a Windows scheduled task called Telemetry Logging using one of the downloaded executables, C:\Users\USERNAME\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe:
/C /create /F /sc minute /mo 1 /tn \"Telemetry Logging\" /tr \"C:\\Users\\USERNAME\\AppData\\Roaming\\Microsoft\\TelemetryServices\\fodhelper.exe\"
In this blog post, we use Sysmon integration and the Wazuh security configuration assessment module to detect RedLine Infostealer behavior on the victim endpoint.
1. A pre-built, ready-to-use Wazuh OVA 4.3.10. Follow this guide to download the virtual machine.
2. A Windows 10 victim endpoint with Wazuh agent installed.
We can detect RedLine Infostealer activities by enriching the victim endpoint logs with Sysmon. These logs are then analyzed against a custom ruleset defined on the Wazuh server.
Configure the Wazuh agent following the steps below to collect Sysmon logs and transfer them to the Wazuh server for analysis:
1. Download Sysmon from the Microsoft Sysinternals page.
2. Download the Sysmon configuration file.
3. Launch PowerShell as an administrator and install Sysmon using the command below:
.\Sysmon64.exe -accepteula -i sysmonconfig.xml
4. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file and include the following settings within the <ossec_config> block.
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
5. Restart the Wazuh agent to apply the changes:
Restart-Service -Name WazuhSvc
In this section, we create rules to detect RedLine Infostealer using its MITRE techniques.
1. Add the rules below to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:
<group name="redline_infostealer,">

  <!-- PowerShell encoded command launched by vbc.exe (Sysmon event ID 1) -->
  <rule id="100200" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)vbc.exe</field>
    <field name="win.eventdata.image" type="pcre2">powershell.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)-EncodedCommand</field>
    <description>Suspicious encoded PowerShell command detected. Possible RedLine stealer activity.</description>
    <mitre>
      <id>T1086</id>
      <id>T1059.001</id>
    </mitre>
  </rule>

  <!-- Rogue file creation by PowerShell in AppData (Sysmon event ID 11) -->
  <rule id="100201" level="12">
    <if_group>sysmon_eid11_detections</if_group>
    <field name="win.eventdata.image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)AppData\\\\(Roaming|local)</field>
    <description>PowerShell process created executable file $(win.eventdata.targetFilename) in AppData folder.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>

  <!-- Windows Defender exclusion added via Add-MpPreference (Sysmon event ID 1) -->
  <rule id="100202" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">powershell.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">-ExclusionPath</field>
    <field name="win.eventdata.commandLine" type="pcre2">UserProfile|ProgramFiles</field>
    <description>Malicious activity detected. Multiple folders were added to the Windows Defender exclusion list.</description>
    <mitre>
      <id>T1204</id>
    </mitre>
  </rule>

  <!-- Hosts file modified by an executable in the user's Temp folder (Sysmon event ID 11) -->
  <rule id="100203" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts</field>
    <field name="win.eventdata.image" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe</field>
    <description>Suspicious modification of $(win.eventdata.targetFilename) by $(win.eventdata.image). Possible RedLine stealer activity.</description>
    <mitre>
      <id>T1565</id>
    </mitre>
  </rule>

  <!-- Persistence detection: scheduled task created from the user's Temp folder (Sysmon event ID 1) -->
  <rule id="100204" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">schtasks.exe</field>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">\.exe</field>
    <description>Suspicious scheduled task was created by $(win.eventdata.parentImage).</description>
    <mitre>
      <id>T1053</id>
    </mitre>
  </rule>

</group>
Where:
100200 detects encoded PowerShell commands initiated by vbc.exe.
100201 detects when suspicious, malicious executables and scripts are downloaded to the C:\Users\<USERNAME>\AppData\Local\Temp\ folder.
100202 detects when the C:\Users\<UserProfile> and C:\Program Files folders are added to the Windows Defender exclusion list.
100203 detects when the malware modifies the Windows C:\Windows\System32\drivers\etc\hosts file to disable victim communications with antimalware services.
100204 detects when RedLine creates an entry in Task Scheduler to maintain persistence.
2. Restart the Wazuh server to apply the configuration changes:
# systemctl restart wazuh-manager
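Before loading the rules, it helps to sanity-check the field patterns offline. The following is an added Python example, not code from the blog post or from Wazuh: it re-implements the field tests of rules 100200-100204 with Python's re module and runs them over constructed Sysmon-style events. The user name alice, the vbc.exe path and the BASE64PLACEHOLDER text are assumptions.

```python
import re

# Added example (not the blog's or Wazuh's code): re-implements the field tests
# of custom rules 100200-100204 with Python's re module and runs them over
# constructed Sysmon-style events. Patterns are written for plain Windows paths
# (single backslashes); user name, paths and the base64 text are constructed.

# (rule id, Sysmon event ID covered by parent rule 61603/61613,
#  [(win.eventdata field, pattern), ...]); every listed pattern must match.
RULES = [
    (100200, 1, [("parentImage", r"(?i)vbc\.exe"), ("image", r"powershell\.exe"),
                 ("commandLine", r"(?i)-EncodedCommand")]),
    (100201, 11, [("image", r"(?i)powershell\.exe"),
                  ("targetFilename", r"(?i)AppData\\(Roaming|Local)")]),
    (100202, 1, [("image", r"powershell\.exe"), ("commandLine", r"-ExclusionPath"),
                 ("commandLine", r"UserProfile|ProgramFiles")]),
    (100203, 11, [("targetFilename", r"(?i)[c-z]:\\Windows\\System32\\drivers\\etc\\hosts"),
                  ("image", r"(?i)[c-z]:\\Users\\.+\\AppData\\Local\\Temp\\.+\.exe")]),
    (100204, 1, [("image", r"schtasks\.exe"),
                 ("parentImage", r"(?i)[c-z]:\\Users\\.+\\AppData\\Local\\Temp\\.+\.exe"),
                 ("commandLine", r"\.exe")]),
]


def matching_rules(event):
    """Return the ids of the rules whose field tests all match; [] means no alert."""
    data = event["eventdata"]
    return [rid for rid, eid, fields in RULES
            if event["eventID"] == eid
            and all(re.search(pat, data.get(f, "")) for f, pat in fields)]


TEMP = r"C:\Users\alice\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # one event per RedLine behaviour above, plus a benign PowerShell launch
    {"eventID": 1, "eventdata": {"parentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
                                 "image": PS, "commandLine": "powershell.exe -EncodedCommand BASE64PLACEHOLDER"}},
    {"eventID": 11, "eventdata": {"image": PS, "targetFilename": TEMP + r"\new2.exe"}},
    {"eventID": 1, "eventdata": {"parentImage": PS, "image": PS, "commandLine":
        "PowerShell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"}},
    {"eventID": 11, "eventdata": {"image": TEMP + r"\SysApp.exe",
                                  "targetFilename": r"C:\Windows\System32\drivers\etc\hosts"}},
    {"eventID": 1, "eventdata": {"parentImage": TEMP + r"\SysApp.exe", "image": r"C:\Windows\System32\schtasks.exe",
                                 "commandLine": r'schtasks /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" '
                                                r'/tr "C:\Users\alice\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"'}},
    {"eventID": 1, "eventdata": {"parentImage": r"C:\Windows\explorer.exe", "image": PS,
                                 "commandLine": "powershell.exe -NoProfile Get-Process"}},
]
```

Calling matching_rules on each sample returns exactly one rule id for the five malicious events and an empty list for the benign launch.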
Below is the screenshot of the alerts generated on the Wazuh dashboard when the RedLine Infostealer is executed on the victim endpoint.
The Wazuh SCA module runs checks that test system hardening, detect vulnerable software, and validate configuration policies on a monitored endpoint. We utilize SCA to check for the presence of RedLine Infostealer artifacts in the C:\Windows\System32\drivers\etc\hosts file and the C:\Users\<USERNAME>\AppData\Local\Temp\ folder. We also check for the creation of a malicious scheduled task.
1. Launch PowerShell with administrative privilege, and create a folder to hold custom SCA policy files:
New-Item -Path 'C:\Program Files (x86)\sca_policies' -ItemType Directory
Note: Custom SCA policy files created inside the default Wazuh ruleset folder are not kept across upgrades. Hence, the C:\Program Files (x86)\sca_policies folder is created outside the Wazuh agent installation folder.
2. Create a new policy file in the sca_policies folder:
New-Item -Path 'C:\Program Files (x86)\sca_policies\redline_infostealer.yml' -ItemType File
3. Add the following content to the C:\Program Files (x86)\sca_policies\redline_infostealer.yml file.
policy:
  id: "RedLine_infostealer"
  file: "redline_infostealer.yml"
  name: "RedLine infostealer Windows OS check"
  description: "Detecting RedLine infostealer"

requirements:
  title: "Checking RedLine infostealer on Windows based systems"
  description: "Requirements for running the audit policy under a Windows platform"
  condition: all
  rules:
    - 'r:HKEY_LOCAL_MACHINE\SAM\SAM'

checks:
  - id: 99000
    title: "Checking for possible RedLine infostealer artifacts in AppData folder"
    description: "Check for RedLine infostealer artifacts in AppData folder."
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\AppData\Local\Temp\C4Loader.exe'
      - 'not f:C:\Users\<USERNAME>\AppData\Local\Temp\new2.exe'
      - 'not f:C:\Users\<USERNAME>\AppData\Local\Temp\SysApp.exe'
      - 'not f:C:\Users\<USERNAME>\AppData\Local\Temp\SmartDefRun.exe'
      - 'not f:C:\Users\<USERNAME>\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe'

  - id: 99001
    title: "Checking for possible RedLine infostealer persistence in Task Scheduler"
    description: "Check for possible RedLine infostealer persistence in Task Scheduler."
    condition: all
    rules:
      - 'not c:schtasks /query /tn "Telemetry Logging" -> r:Telemetry Logging'

  - id: 99002
    title: "Checking for RedLine infostealer artifacts in the hosts file"
    description: "Antimalware websites found in Windows hosts file."
    condition: all
    rules:
      - 'not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avast.com|mcafee.com'
      - 'not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:bitdefender.com|us.norton.com'
      - 'not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avg.com|malwarebytes.com'
      - 'not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avira.com|norton.com'
      - 'not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:eset.com|microsoft.com'
      - 'not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:kaspersky.com|usa.kaspersky.com'
      - 'not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:sophos.com|clamav.net'
      - 'not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:drweb.com|f-secure.com'
      - 'not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:trendmicro.com|virustotal.com'
Note: Replace <USERNAME> with the username of the logged-in user.
4. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file and include the following configuration within the <sca> block:
<policies>
  <policy>C:\Program Files (x86)\sca_policies\redline_infostealer.yml</policy>
</policies>
5. Restart the Wazuh agent for the changes to take effect:
Restart-Service -Name WazuhSvc
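To see how SCA turns these rules into passed or failed results, here is an added Python example, not Wazuh's SCA engine or code from the post: it mirrors the f:, -> r: and not rule forms and the all condition, and evaluates checks 99000 and 99002 against a constructed view of a clean and an infected host. The user name alice, the %WINDIR% value and the hosts-file lines are assumptions; the live SCA module resolves these on the endpoint itself.

```python
import re

# Added example, not Wazuh's SCA engine: a minimal evaluator for the rule forms
# used in redline_infostealer.yml ("f:<path>" = file exists, "f:<path> -> r:<re>"
# = some line matches, a leading "not" inverts) run against a constructed view of
# a host. Paths, the %WINDIR% value and the hosts-file lines are constructed.
RULE_RE = re.compile(r"^(?P<neg>not\s+)?f:(?P<path>.+?)(?:\s*->\s*r:(?P<regex>.+))?$")


def evaluate_rule(rule, files, env):
    """True means the rule passes (with 'not': the artifact is absent)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule form: " + rule)
    path = m.group("path")
    for var, val in env.items():           # expand %WINDIR%-style variables
        path = path.replace("%" + var + "%", val)
    content = files.get(path.lower())      # Windows paths are case-insensitive
    if content is None:
        found = False                      # file does not exist
    elif m.group("regex") is None:
        found = True                       # plain existence test
    else:
        found = any(re.search(m.group("regex"), ln) for ln in content.splitlines())
    return (not found) if m.group("neg") else found


def evaluate_check(check, files, env):
    """'passed' or 'failed', honouring the check's condition (all/any)."""
    results = [evaluate_rule(r, files, env) for r in check["rules"]]
    ok = all(results) if check.get("condition", "all") == "all" else any(results)
    return "passed" if ok else "failed"


CHECKS = [  # policy checks with <USERNAME> already replaced by the sample user "alice"
    {"id": 99000, "condition": "all", "rules": [
        r"not f:C:\Users\alice\AppData\Local\Temp\C4Loader.exe",
        r"not f:C:\Users\alice\AppData\Local\Temp\SysApp.exe",
        r"not f:C:\Users\alice\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"]},
    {"id": 99002, "condition": "all", "rules": [
        r"not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avast.com|mcafee.com",
        r"not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:trendmicro.com|virustotal.com"]},
]
ENV = {"WINDIR": r"C:\Windows"}
# host views: lowercase path -> file content ("" for a binary); constructed samples
CLEAN_HOST = {r"c:\windows\system32\drivers\etc\hosts": "127.0.0.1 localhost\n"}
INFECTED_HOST = {
    r"c:\windows\system32\drivers\etc\hosts": "127.0.0.1 localhost\n0.0.0.0 www.avast.com\n0.0.0.0 virustotal.com\n",
    r"c:\users\alice\appdata\local\temp\sysapp.exe": "",
}


def audit(files, env=ENV):
    return {c["id"]: evaluate_check(c, files, env) for c in CHECKS}
```

On the clean view both checks pass; on the infected view both fail, which is the SCA result the dashboard raises an alert for.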
The screenshot below shows the SCA alerts generated on the Wazuh dashboard.
This blog post demonstrates how to detect RedLine Infostealer using Wazuh. We illustrated how to use the Sysmon integration with custom detection rules and the security configuration assessment module to detect RedLine Infostealer and its malicious activities.