Analysis of Top Infostealers: Redline, Vidar and Formbook


Protect your data from cyber threats: Learn about RedLine, Vidar, and FormBook infostealers, their tactics, and how ANY.RUN’s sandbox helps analyze and expose malware attacks.

Users’ data is the most valuable asset to cybercriminals. To target it, they use infostealers. According to ANY.RUN’s Q2 2024 Malware Trends report, infostealers were among the top four global threats. Organizations must understand how the most common infostealer families operate and have proper analysis tools to expose such attacks.

RedLine

RedLine has been a prominent infostealer threat since 2020 when it was extensively used in COVID-19-related attacks. This malware targets information from browsers, system settings, instant messaging applications, and file transfer protocol clients.

RedLine’s capabilities include uploading and downloading files, executing commands, and reporting details about the infected machine. Attackers can utilize RedLine to deliver ransomware, Remote Access Trojans (RATs), trojans, and cryptocurrency miners.

Social engineering tactics are commonly employed to spread RedLine through various email campaigns, including business email compromise, spam, fake updates, and malicious ads in Google search results. These campaigns often result in malicious attachments or links, with a wide variety of file formats such as Office documents, PDFs, RAR and ZIP files, executable files, and JavaScript files.

Analysis of a Redline infostealer attack

To observe how a Redline infection unfolds, a sample of this malware can be uploaded to a malware sandbox like ANY.RUN. The sandbox environment lets us trace the entire attack chain, starting from the initial phishing email or file-sharing website.

Redline analyzed in ANY.RUN

Above, we have a sandbox session with an analysis of an executable file. After launching it, the sandbox immediately begins to log malicious activities performed by the software, including stealing browser credentials and C2 communication.

Analysis of Top Infostealers: Redline, Vidar and Formbook

Sandbox shows how Redline uses MSBuild.exe to conduct its activities

Thanks to the integration of Suricata rules, the sandbox also identifies all the malicious network traffic related to the threat.

Analysis of Top Infostealers: Redline, Vidar and Formbook

A triggered Suricata rule used for Redline stealer detection 

Once the analysis is finished, we can collect a detailed report on the sample along with quality indicators of compromise.

Create your free ANY.RUN account.

Vidar

Vidar is an information-stealing malware that has evolved from another trojan, Arkei. Purchasing an account grants the attacker access to a control panel where they can configure the infostealer malware to target specific information on the victim’s PC. Vidar can steal text files in multiple formats, browser cookies and history, browser records, and autofill value information, such as banking and credit card details.

Vidar can also extract cryptocurrency wallet information, take screenshots, and act as a message stealer, recording private messages from various software applications. Attackers can leverage Vidar infections and data exfiltration via Telegram bots.

Analysis of a Vidar infostealer attack

Moving on to the analysis of a Vidar sample in a sandbox, we can instantly spot its data-stealing activity. 

Analysis of Top Infostealers: Redline, Vidar and Formbook

After execution, Vidar begins pulling credentials from web browsers

Another notable characteristic of this sample is the use of the Dead Drop Resolver (DDR) technique when a legitimate service is used by attackers to communicate with the infected host. 

In this case, Vidar is using a Steam account.

Analysis of Top Infostealers: Redline, Vidar and Formbook

The Suricata rule is used to identify the DDR technique

After exposing the file as malicious, we can navigate to the Config report to access indicators of compromise (IOCs) extracted from Vidar’s code.

Analysis of Top Infostealers: Redline, Vidar and Formbook

Vidar config in ANY.RUN – Here, we can see the Steam URL used by the malware. 

FormBook

FormBook is an infostealer trojan available as a malware-as-service, often used by attackers with low technical literacy and little programming knowledge. Active since 2016, FormBook became particularly widespread during the pandemic and continues to be a prominent threat in 2024. It is distributed as a malware-as-service and can be purchased by anyone for as little as $30.

Unlike more advanced malware like RedLine, which can also drop other malware, FormBook focuses solely on exfiltrating data from infected machines. This includes cached browser credentials, data from applications, keystrokes, and clipboard contents.

Analysis of a FormBook Infostealer Attack

Formbook sample analysis reveals several important details. The sandbox highlights how the malware achieves persistence on the system by changing the autorun value in the registry.

Analysis of Top Infostealers: Redline, Vidar and Formbook

Formbook begins stealing personal data

For public analyses, we can also access an AI-generated report on the Formbook’s activities registered during the sample’s execution.

Analysis of Top Infostealers: Redline, Vidar and Formbook

The AI report summarizes and describes the actions performed by the sample

Once we analyze all the important events during the infection process, we can download a report on the sample.

Analysis of Top Infostealers: Redline, Vidar and Formbook

The report gives an overview of the sample’s malicious behaviour and IOCs

Try ANY.RUN Sandbox for free

To analyze your samples of malware and phishing threats in Windows 10 x64 and Linux VMs, you can create a free ANY.RUN the account using your business email.

This cloud sandbox lets you interact with files, URLs, and the system just like on a standard computer, including downloading and opening attachments, solving CAPTCHA, and even rebooting the whole system.

You can try the advanced features of ANY.RUN with a 14-day free trial that offers private mode, Windows 11, and Teamwork features, by requesting it on ANY.RUN’s official website.

  1. VirusTotal Reveals Apps Most Exploited To Spread Malware
  2. Konni RAT Exploiting Word Docs to Steal Data from Windows
  3. Arid Viper’s AridSpy Trojan Hits Android Users in Palestine, Egypt
  4. Criminal IP Start Fraud Detection Products on Snowflake Marketplace
  5. LummaC2 v4.0 Steals Data with Trigonometry to Detect Human Users





Source link