How Scammers Are Stealing Your Crypto With RedLine Malware?

SlowMist
5 min read · Sep 6, 2022

Background

We recently discovered that many users were attacked by phishing Trojans that cost the crypto community millions of dollars.

Scammers are currently soliciting victims to participate in beta testing and to promote their projects. They entice victims to download malicious files by offering payment, discounts, and other incentives. Typically, scammers contact victims through Discord or other messaging apps that allow sending a compressed file.

The file is generally an 800 MB .exe. Once opened, it scans your computer for files containing keywords such as “wallet” and sends them to the attacker’s server so they can gain access to your funds.

Timeline

The earliest instance of this scam we detected appeared on August 1, 2022, under the project name “WinSomeNft”:

On August 21, 2022, another one was exposed under the project name “CthulhuWorldP2E”.

https://twitter.com/Estetshcrypto/status/1561290861652082689

Another update on August 30, 2022:

https://twitter.com/NiqisLucky/status/1564315179466166272

Then it appears again under the “idlemaster3d” project name.
Official website: https://idlemaster3d.com
DC: https://discord.gg/KFyqCdRRst

Although their Discord might seem normal, we suspect most of it was copied over from real Discord servers and that the majority of the members there were bots.

The project has since been renamed Yoyo Game Ltd to continue the scam.

Analysis

What happened to Twitter user @BoxMrChen:

The Trojan he encountered is named Master3DRPG_v3.5.3.zip; we use this file as the example for our analysis:

The decompressed file, Master3DRPG_v3.5.3.exe, is 749.7 MB. Trojan files are normally not this big, so we opened it in a text editor to view its content:

The reason the file is so large is that it is padded with a huge number of 0000 (null) bytes, which helps it evade antivirus software by exceeding scanners’ file-size limits.

(Note: most online antivirus services can analyze files up to 50 MB, while PC antivirus software can analyze files up to 500 MB.)

We removed the 0000 padding in batches and uncovered the real malware, which is about 300 KB.
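To make the padding trick measurable, here is an added triage helper (written for this article, not SlowMist’s own tooling and not part of the original post). It reports how much of a file consists of long null runs, flags files whose size is dominated by such padding, and writes a compacted copy that fits under scanner size limits. The 64 KiB run threshold and the 90% ratio cut-off are assumed values chosen for illustration; the sample input is constructed inline (a tiny stand-in payload inflated with 4 MiB of nulls) rather than the real 749.7 MB dropper.

```python
"""Triage helper for null-padded executables (added example, not the article's code).

Measures how much of a file is 0x00 padding, reports the size of the remaining
content, and produces a compacted copy for static scanning. Thresholds are
assumptions for illustration, not values derived from the analyzed sample.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Runs of at least this many consecutive null bytes count as padding.
# Legitimate PE files contain many short zero runs (section alignment),
# so the threshold is deliberately high. Assumed value.
MIN_RUN = 64 * 1024

_NULL_RUN = re.compile(rb"\x00+")


@dataclass
class PaddingReport:
    total_size: int
    padding_bytes: int
    longest_run: int
    run_count: int

    @property
    def padding_ratio(self) -> float:
        return self.padding_bytes / self.total_size if self.total_size else 0.0

    @property
    def payload_size(self) -> int:
        return self.total_size - self.padding_bytes


def _padding_runs(data: bytes) -> List[Tuple[int, int]]:
    """Return (start, end) offsets of every null run at least MIN_RUN long."""
    return [(m.start(), m.end()) for m in _NULL_RUN.finditer(data)
            if m.end() - m.start() >= MIN_RUN]


def analyze(data: bytes) -> PaddingReport:
    runs = _padding_runs(data)
    lengths = [end - start for start, end in runs]
    return PaddingReport(
        total_size=len(data),
        padding_bytes=sum(lengths),
        longest_run=max(lengths, default=0),
        run_count=len(runs),
    )


def strip_padding(data: bytes) -> bytes:
    """Drop the long null runs so a scanner sees only the real content.

    Cutting bytes out of the middle of a PE breaks its section offsets, so the
    result is meant for static scanning (hashing, YARA), never for execution.
    """
    pieces, cursor = [], 0
    for start, end in _padding_runs(data):
        pieces.append(data[cursor:start])
        cursor = end
    pieces.append(data[cursor:])
    return b"".join(pieces)


def is_suspiciously_padded(report: PaddingReport, ratio: float = 0.9) -> bool:
    """Flag a file when the bulk of its size is null padding (assumed 90% cut-off)."""
    return report.run_count > 0 and report.padding_ratio >= ratio


def build_sample() -> bytes:
    """Constructed input: a small stand-in 'payload' inflated with 4 MiB of nulls.

    Not a real executable; it only reproduces the shape of the evasion
    (small content, huge null run) seen in the 749.7 MB dropper.
    """
    payload = b"MZ" + b"fake-payload-" * 1000
    return payload + b"\x00" * (4 * 1024 * 1024) + b"trailer"


if __name__ == "__main__":
    sample = build_sample()
    report = analyze(sample)
    print(f"size={report.total_size} padding={report.padding_bytes} "
          f"ratio={report.padding_ratio:.3f} payload={report.payload_size}")
    if is_suspiciously_padded(report):
        compact = strip_padding(sample)
        print(f"null-padded file: scan the compacted copy ({len(compact)} bytes) instead")
```

In practice you would read the suspect file with `open(path, "rb").read()` and pass it to `analyze`; a file that is hundreds of megabytes on disk but only a few hundred kilobytes after `strip_padding` is exactly the pattern described above and worth escalating regardless of what the antivirus verdict on the oversized original was.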

We then decided to run this file in our VM and see what happens:

The malware scans for wallet-related information and uploads it to a remote C2 server. It is also disguised as a Flash Player update package.

We used Microstep online analysis to examine its network behavior on 64-bit Windows 7:

The IP 77.73.134.5 has recently been associated with multiple malicious phishing campaigns, all targeting users in the crypto community.

https://twitter.com/Iamdeadlyz/status/1562823487932100608

According to Iamdeadlyz, there were 24 accounts (including the main account) associated with this scam.

Upon closer inspection of this file, we can see that it belongs to the RedLine Stealer malware family.

https://bazaar.abuse.ch/sample/0cf542852fcec699b8c6be230e5b38daa7380479cace60f2a6d3a3fcd357b718/

So what exactly is the RedLine Stealer?

“RedLine Stealer is a malware available on underground forums for sale apparently as standalone or also on a subscription basis.

This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software.

More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.”

https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

The malware can filter for any files related to cryptocurrency or wallets.

Let’s look at how these work.

We reached out to see just how easy it was to purchase this malware. Right away we were shown a list of features and products.

SaaS-enabled services:

Select product:

Price of each product, etc:

Payment options:

There’s even terms and conditions:

Not only can this malware target files related to wallets, it also targets browser extension wallets such as:

MetaMask, YoroiWallet, TronLink, NiftyWallet, MathWallet, Coinbase, BinanceChain, BraveWallet, GuardaWallet, EqualWallet, JaxxxLiberty, BitAppWallet, iWallet, Wombat, AtomicWallet, MewCx, GuildWallet, SaturnWallet, RoninWallet.

Summary

As Web3 continues to expand, hacking groups and lone-wolf hackers are increasingly targeting the crypto community. Malware such as RedLine also makes it easier for malicious actors to enter this space because of its low barrier to entry and ease of access. We strongly advise everyone to be cautious at all times, and to remember that if something seems too good to be true, it usually is.

Additional Readings:
https://securityscorecard.com/research/detailed-analysis-redline-stealer
https://cyberint.com/blog/research/redline-stealer/
https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README.md

SlowMist

SlowMist is a blockchain security firm established in 2018, providing services such as security audits, security consulting, red teaming, and more.