Widespread Redlnk Malware Hides Its Code In .NET Metadata

Description

FortiGuard Labs has found an active and widespread attack campaign that distributes a malware it dubs "RedInk", using the RegAsm.exe LOLBIN for execution and sandbox Evasion. The attack is carried out in three stages, in which the final stage, acting as both Remote Access Trojan (RAT) and botnet component, is installed on the victim's machine.


Why is this Significant?

This is significant because FortiGuard Labs observed widespread distribution of Redlnk malware in an ongoing campaign. The final payload observed is a Remote Access Trojan (RAT) that enables a remote attacker to take control of the victim's machine.



How Widespread is the Campaign?

We have observed more than 3,600 unique samples of the first stage, with new samples being constantly served to evade detection from security solutions. FortiGuard Labs observed Redlnk malware distributed to Canada, Australia, the UK, and Japan.



How does the Attack Work?

While the initial infection vector has not been found, FortiGuard Labs observed the first stage malware samples were downloaded from the internet.


The campaign's first stage is a 6 KB small .NET loader, manipulated to be able to run properly only using Regasm.exe. Some of the samples of the first stage found (from 3600 in total) hide part of the crucial malicious logic inside the metadata of the file:



By using this way, the base64 encoded data isn't part of the .NET strings of the file and enables the attacker to partially evade detection.


The aforementioned samples are compiling the following code at runtime (decoded from the "AssemblyDescription" base64) in order to download the next payload:


The next stage we observed, called "loader.dll" by the attackers, is mainly used to kill the previous stage and load the next stage, encrypted, using a randomly generated AES key, from the server.


The third stage, called "client.core" is a fully fledged malicious toolkit, functioning as both RAT and botnet component, able to install VNC on the victim to enable remote control of the computer by the attacker.



Why Can only Regasm.exe Run the Redlnk Malware?

RedInk doesn't have a standard DLL entry point, but rather a "ComUnregisterFunction", which rundll does not call, but RegAsm (T1218.009) does. This technique is useful both for sandbox evasion (T1497) and to bypass application control (UAC - T1548.002).



What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against the malware samples used in the campaign:


• MSIL/Cerbu.CA89!tr

• MSIL/Dropper.E5B0!tr

• MSIL/GenericKDZ.5CA8!tr

• MSIL/Tedy.1448!tr

• W32/Dloader.X!tr

• W32/PossibleThreat

• MSIL/Asbit.C!tr


All network IOCs associated with this attack are blocked by the WebFiltering client.


FortiEDR blocks the first stage of RedInk upon the initiation of a network connection:


FortiEDR Threat Hunting customers can additionally query for it using the following query:


Source.Process.Name:Regasm.exe AND Source.Process.CommandLine:*.txt*