BOOK THIS SPACE FOR AD
ARTICLE ADProtect your data from cyber threats: Learn about RedLine, Vidar, and FormBook infostealers, their tactics, and how ANY.RUN’s sandbox helps analyze and expose malware attacks.
Users’ data is the most valuable asset to cybercriminals. To target it, they use infostealers. According to ANY.RUN’s Q2 2024 Malware Trends report, infostealers were among the top four global threats. Organizations must understand how the most common infostealer families operate and have proper analysis tools to expose such attacks.
RedLine
RedLine has been a prominent infostealer threat since 2020 when it was extensively used in COVID-19-related attacks. This malware targets information from browsers, system settings, instant messaging applications, and file transfer protocol clients.
RedLine’s capabilities include uploading and downloading files, executing commands, and reporting details about the infected machine. Attackers can utilize RedLine to deliver ransomware, Remote Access Trojans (RATs), trojans, and cryptocurrency miners.
Social engineering tactics are commonly employed to spread RedLine through various email campaigns, including business email compromise, spam, fake updates, and malicious ads in Google search results. These campaigns often result in malicious attachments or links, with a wide variety of file formats such as Office documents, PDFs, RAR and ZIP files, executable files, and JavaScript files.
Analysis of a Redline infostealer attack
To observe how a Redline infection unfolds, a sample of this malware can be uploaded to a malware sandbox like ANY.RUN. The sandbox environment lets us trace the entire attack chain, starting from the initial phishing email or file-sharing website.
Redline analyzed in ANY.RUN
Above, we have a sandbox session with an analysis of an executable file. After launching it, the sandbox immediately begins to log malicious activities performed by the software, including stealing browser credentials and C2 communication.
Sandbox shows how Redline uses MSBuild.exe to conduct its activities
Thanks to the integration of Suricata rules, the sandbox also identifies all the malicious network traffic related to the threat.
A triggered Suricata rule used for Redline stealer detection
Once the analysis is finished, we can collect a detailed report on the sample along with quality indicators of compromise.
Create your free ANY.RUN account.
Vidar
Vidar is an information-stealing malware that has evolved from another trojan, Arkei. Purchasing an account grants the attacker access to a control panel where they can configure the infostealer malware to target specific information on the victim’s PC. Vidar can steal text files in multiple formats, browser cookies and history, browser records, and autofill value information, such as banking and credit card details.
Vidar can also extract cryptocurrency wallet information, take screenshots, and act as a message stealer, recording private messages from various software applications. Attackers can leverage Vidar infections and data exfiltration via Telegram bots.
Analysis of a Vidar infostealer attack
Moving on to the analysis of a Vidar sample in a sandbox, we can instantly spot its data-stealing activity.
After execution, Vidar begins pulling credentials from web browsers
Another notable characteristic of this sample is the use of the Dead Drop Resolver (DDR) technique when a legitimate service is used by attackers to communicate with the infected host.
In this case, Vidar is using a Steam account.
The Suricata rule is used to identify the DDR technique
After exposing the file as malicious, we can navigate to the Config report to access indicators of compromise (IOCs) extracted from Vidar’s code.
Vidar config in ANY.RUN – Here, we can see the Steam URL used by the malware.
FormBook
FormBook is an infostealer trojan available as a malware-as-service, often used by attackers with low technical literacy and little programming knowledge. Active since 2016, FormBook became particularly widespread during the pandemic and continues to be a prominent threat in 2024. It is distributed as a malware-as-service and can be purchased by anyone for as little as $30.
Unlike more advanced malware like RedLine, which can also drop other malware, FormBook focuses solely on exfiltrating data from infected machines. This includes cached browser credentials, data from applications, keystrokes, and clipboard contents.
Analysis of a FormBook Infostealer Attack
Formbook sample analysis reveals several important details. The sandbox highlights how the malware achieves persistence on the system by changing the autorun value in the registry.
Formbook begins stealing personal data
For public analyses, we can also access an AI-generated report on the Formbook’s activities registered during the sample’s execution.
The AI report summarizes and describes the actions performed by the sample
Once we analyze all the important events during the infection process, we can download a report on the sample.
The report gives an overview of the sample’s malicious behaviour and IOCs
Try ANY.RUN Sandbox for free
To analyze your samples of malware and phishing threats in Windows 10 x64 and Linux VMs, you can create a free ANY.RUN the account using your business email.
This cloud sandbox lets you interact with files, URLs, and the system just like on a standard computer, including downloading and opening attachments, solving CAPTCHA, and even rebooting the whole system.
You can try the advanced features of ANY.RUN with a 14-day free trial that offers private mode, Windows 11, and Teamwork features, by requesting it on ANY.RUN’s official website.