How to detect RedLine Infostealer with Wazuh

| by | Wazuh 4.3
Post icon

RedLine Infostealer is a malware designed to steal sensitive information from infected Windows endpoints. It targets a variety of sources, including web browsers, cryptocurrency wallets, and applications like FileZilla, Discord, Steam, Telegram, and VPN clients. 

In addition, RedLine also scans the infected machine to understand running processes, installed programs, antivirus products, the Windows product name, and the processor architecture. The attackers then exfiltrate this information to a remote location, where they can access it.

This blog post uses Wazuh to detect RedLine Infostealer on a victim endpoint.

RedLine Infostealer behavior

  • RedLine invokes the Visual Basic Command-Line Compiler for an encoded malicious Powershell command compilation.
  • It downloads suspicious executables files and scripts into the C:\Users\<USERNAME>\AppData\Local\Temp folder using an encoded PowerShell command. These executables steal browser cookies, stored credentials, and other application secrets.
  • It modifies the Windows C:\Windows\system32\drivers\etc\hosts file to block the victim endpoint from communicating with antimalware services.
  • The infostealer creates a Windows Defender exclusion criteria on the victim endpoint to evade detection by Windows Defender antimalware. This is created for both the C:\Users\<UserProfile> and C:\Program Files folders using the PowerShell command below:
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

The malware maintains persistence by creating a Windows scheduled task called Telemetry Logging using one of the downloaded executable C:\Users\USERNAME\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe:

/C /create /F /sc minute /mo 1 /tn \"Telemetry Logging\" /tr \"C:\Users\USERNAME\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe\"

Detection with Wazuh

In this blog post, we use Sysmon integration and the Wazuh security configuration assessment module to detect RedLine Infostealer behavior on the victim endpoint.

Infrastructure

1. A pre-built ready-to-use Wazuh OVA 4.3.10 Follow this guide to download the virtual machine. 

2. A Windows 10 victim endpoint with Wazuh agent installed.

Using detection rules

We can detect RedLine Infostealer activities by enriching the victim endpoint logs with Sysmon. These logs are then analyzed against a custom ruleset defined on the Wazuh server.

Victim endpoint

Configure the Wazuh agent following the steps below to collect Sysmon logs and transfer them to the Wazuh server for analysis:

1. Download Sysmon from the Microsoft Sysinternals page.

2. Download the Sysmon configuration file.

3. Launch PowerShell as an administrator and install Sysmon using the command below:

.\Sysmon64.exe -accepteula -i sysmonconfig.xml

4. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file and include the following settings within the <ossec_config> block.

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

5. Restart the Wazuh agent to apply the changes:

Restart-Service -Name WazuhSvc

Wazuh server

In this section, we create rules to detect RedLine Infostealer using its MITRE techniques. 

1. Add the rules below to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="redline_infostealer,">

  <!-- PowerShell encoded command -->
  <rule id="100200" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.ParentImage" type="pcre2">(?i)vbc.exe</field>
    <field name="win.eventdata.image" type="pcre2">powershell.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)-EncodedCommand</field>
    <description>Suspicious encoded PowerShell command detected. Possible RedLine stealer activity.</description>
    <mitre>
      <id>T1086</id>
      <id>T1059.001</id>
    </mitre>
  </rule>

  <!-- Rouge file creation -->
  <rule id="100201" level="12">
    <if_group>sysmon_eid11_detections</if_group>
    <field name="win.eventdata.image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)AppData\\(Roaming|local)</field>
    <description>Powershell process created executable: $(win.eventdata.targetFilename) file in AppData folder.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>

  <!-- PowerShell encoded command -->
  <rule id="100202" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">powershell.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">-ExclusionPath</field>
    <field name="win.eventdata.commandLine" type="pcre2">UserProfile|ProgramFiles</field>
    <description>Malicious activity detected. Multiple folders were added to the Windows Defender exclusion list.</description>
    <mitre>
      <id>T1204</id>
    </mitre>
  </rule>

  <!-- Rouge file creation -->
  <rule id="100203" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\Windows\\System32\\drivers\\etc\\hosts</field>
    <field name="win.eventdata.image" type="pcre2">(?i)[c-z]:\\Users\\.+\\AppData\\Local\\Temp\\.+\.exe</field>
    <description>Suspicious modification of $(win.eventdata.targetFilename) by $(win.eventdata.image). Possible RedLine stealer activity.</description>
    <mitre>
      <id>T1565</id>
    </mitre>
  </rule>

  <!-- Persistence detection-->
  <rule id="100204" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">schtasks.exe</field>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)[c-z]:\\Users\\.+\\AppData\\Local\\Temp\\.+\.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">\.exe</field>
    <description>Suspicious scheduled task was created by $(win.eventdata.parentImage).</description>
    <mitre>
      <id>T1053</id>
    </mitre>
  </rule>

</group>

Where:

  • Rule ID 100200 detects encoded PowerShell commands initiated by vbc.exe.
  • Rule ID 100201 detects when suspicious, malicious executables and scripts are downloaded to the C:\Users\<USERNAME>\AppData\Local\Temp\ folder.
  • Rule ID 100202 detects when the C:\Users\<UserProfile> and C:\Program Files folders are added to Windows Defender exclusion lists.
  • Rule ID 100203 detects when the malware modified the Windows C:\Windows\System32\drivers\etc\hosts file to disable victim communications with antimalware services.
  • Rule ID 100204  detects when RedLine creates an entry in Task Scheduler to maintain persistence.

2. Restart the Wazuh server to apply the configuration changes:

# systemctl restart wazuh-manager

Below is the screenshot of the alerts generated on the Wazuh dashboard when the RedLine Infostealer is executed on the victim endpoint.

redline infostealer

Security Configuration Assessment

The Wazuh SCA module runs checks that test system hardening, detect vulnerable software, and validate configuration policies on a monitored endpoint. We utilize SCA to check the presence of RedLine Infostealer artifacts in the C:\Windows\System32\drivers\etc\hosts file and C:\Users\<USERNAME>\AppData\Local\Temp\ folder. We also check for the creation of a malicious scheduled task. 

Victim endpoint

1. Launch PowerShell with administrative privilege, and create a folder to hold custom SCA policy files:

New-Item -Path 'C:\Program Files (x86)\sca_policies' -ItemType Directory

Note

Custom SCA policy files created inside the default Wazuh ruleset folder are not kept across upgrades. Hence, the C:\Program Files (x86)\sca_policies folder is created outside the Wazuh agent installation folder.

2. Create a new policy file in the sca_policies folder:

New-Item -Path 'C:\Program Files (x86)\sca_policies\redline_infostealer.yml' -ItemType File

3. Add the following content to the C:\Program Files (x86)\sca_policies\redline_infostealer_check.yml file.

policy:
  id: "RedLine_infostealer"
  file: "redLine_infostealer.yml"
  name: "RedLine infostealer Windows OS check"
  description: "Detecting RedLine infostealer"

requirements:
  title: "Checking RedLine infostealer on Windows based systems"
  description: "Requirements for running the audit policy under a Windows platform"
  condition: all
  rules:
    - 'r:HKEY_LOCAL_MACHINE\SAM\SAM'

checks:
  - id: 99000
    title: "Checking for Possible RedLine infostealer artifacts in AppData folder"
    description: "Check for RedLine infostealer artifacts in AppData folder."
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\AppData\Local\Temp\C4Loader.exe'
      - 'not f:C:\Users\<USERNAME>\AppData\Local\Temp\new2.exe'
      - 'not f:C:\Users\<USERNAME>\AppData\Local\Temp\SysApp.exe'
      - 'not f:C:\Users\<USERNAME>\AppData\Local\Temp\SmartDefRun.exe'
      - 'not f:C:\Users\<USERNAME>\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe'

  - id: 99001
    title: "Checking for Possible RedLine infostealer persistence in Task Scheduler"
    description: "Check for Possible RedLine infostealer persistence in Task Scheduler."
    condition: all
    rules:
      - 'c:schtasks /query /tn "Telemetry Logging" -> Telemetry Logging'

  - id: 99002
    title: "Checking for RedLine infostealer artifacts"
    description: "Antimalware websites found in Windows hosts file."
    condition: all
    rules:
      - not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avast.com|mcafee.com;
      - not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:bitdefender.com|us.norton.com;
      - not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avg.com|malwarebytes.com;
      - not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avira.com|norton.com;
      - not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:eset.com|microsoft.com;
      - not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:kaspersky.com|usa.kaspersky.com;
      - not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:sophos.com|clamav.net;
      - not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:drweb.com|f-secure.com;
      - not f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:trendmicro.com|virustotal.com;

Note

Replace <USERNAME> with the username of the logged-in user.

4. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file and include the following configuration within the <sca> block:

<policies>
    <policy>C:\Program Files (x86)\sca_policies\redline_infostealer.yml</policy>
 </policies>

5. Restart the Wazuh agent for the changes to take effect:

Restart-Service -Name WazuhSvc

The screenshot below shows the SCA alerts generated on the Wazuh dashboard.

security configuration assessment

Conclusion

This blog post demonstrates how to detect RedLine Infostealer using Wazuh. We illustrated how to use Sysmon integration with custom detection rules and security configuration assessment module to detect RedLine Infostealer and its malicious activities.

Reference