Threat Signal Report

Widespread RedInk Malware Hides Its Code in .NET Metadata

Description

FortiGuard Labs has found an active and widespread attack campaign that distributes malware it dubs "RedInk", using the RegAsm.exe LOLBIN for execution and sandbox evasion. The attack is carried out in three stages; the final stage, acting as both a Remote Access Trojan (RAT) and a botnet component, is installed on the victim's machine.


Why is this Significant?

This is significant because FortiGuard Labs observed widespread distribution of RedInk malware in an ongoing campaign. The final payload observed is a Remote Access Trojan (RAT) that enables a remote attacker to take control of the victim's machine.



How Widespread is the Campaign?

We have observed more than 3,600 unique samples of the first stage, with new samples being served constantly to evade detection by security solutions. FortiGuard Labs observed RedInk malware distributed to Canada, Australia, the UK, and Japan.



How does the Attack Work?

While the initial infection vector has not been found, FortiGuard Labs observed that the first-stage malware samples were downloaded from the internet.


The campaign's first stage is a small (6 KB) .NET loader, manipulated so that it runs properly only under RegAsm.exe. Some of the first-stage samples found (out of 3,600 in total) hide part of the crucial malicious logic inside the file's metadata:



This way, the base64-encoded data is not part of the file's .NET string table, which lets the attacker partially evade detection.


The aforementioned samples compile the following code at runtime (decoded from the base64 stored in the "AssemblyDescription" attribute) in order to download the next payload:


The next stage we observed, called "loader.dll" by the attackers, is mainly used to kill the previous stage and to fetch the next stage from the server, encrypted with a randomly generated AES key.


The third stage, called "client.core", is a fully-fledged malicious toolkit, functioning as both RAT and botnet component, and able to install VNC on the victim's machine to give the attacker remote control of the computer.



Why Can Only RegAsm.exe Run the RedInk Malware?

RedInk does not have a standard DLL entry point; instead it exposes a "ComUnregisterFunction", which rundll32 does not call but RegAsm (T1218.009) does. This technique serves both sandbox evasion (T1497) and application control bypass (UAC, T1548.002).
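The two file-level traits described above (base64-encoded source hidden in the AssemblyDescription attribute, and a ComUnregisterFunction entry point instead of a normal one) can both be checked with a byte-level triage heuristic. Custom-attribute arguments such as AssemblyDescription are serialized into the metadata #Blob heap, not the #US heap that holds ordinary string literals, which is why a plain .NET string dump misses them; scanning the raw bytes for long base64 runs sidesteps that. The script below is an added example written for this report, not FortiGuard code: the sample bytes are a constructed stand-in for the relevant metadata fragments (the embedded "source" is an inert stub), and the scoring thresholds are assumptions for illustration. A proper metadata parser would be more precise, but the heuristic runs anywhere.

```python
import base64
import binascii
import json
import re
import sys
from typing import Dict, List, Optional

# Constructed stand-in for the raw bytes of a small .NET assembly. Real files are
# PE images; only the fragments that matter for the heuristic are modelled here:
# type names as they appear in the #Strings heap, and a custom-attribute value
# (prolog 0x0001 followed by the string) as it would sit in the #Blob heap.
# The embedded "source" is an inert stub, not the campaign's downloader.
INERT_SOURCE = (
    'using System;\n'
    'class Stub { public static void Main() { Console.WriteLine("stub"); } }'
)
_B64_SOURCE = base64.b64encode(INERT_SOURCE.encode()).decode()

SAMPLE_BYTES = (
    b"\x00mscorlib\x00AssemblyDescriptionAttribute\x00"
    b"ComUnregisterFunctionAttribute\x00System.Runtime.InteropServices\x00"
    b"\x01\x00" + _B64_SOURCE.encode() + b"\x00"
)
BENIGN_BYTES = (
    b"\x00mscorlib\x00AssemblyDescriptionAttribute\x00"
    b"\x01\x00A harmless component description\x00"
)

# A base64 run long enough that it is unlikely to be an ordinary identifier
# (64 is an assumed threshold, not a value from the report).
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
_SOURCE_MARKERS = ("using System", "class ", "namespace ", "static void")


def _looks_like_source(blob: bytes) -> Optional[str]:
    """Return the decoded text if it is mostly printable and reads like C#."""
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return None
    printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
    if not text or printable / len(text) < 0.95:
        return None
    return text if any(m in text for m in _SOURCE_MARKERS) else None


def find_embedded_source(data: bytes) -> List[str]:
    """Decode every long base64 run and keep the ones that decode to source text."""
    found = []
    for m in _B64_RUN.finditer(data):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]  # drop a ragged tail, if any
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        text = _looks_like_source(decoded)
        if text:
            found.append(text)
    return found


def triage_dotnet_bytes(data: bytes) -> Dict[str, object]:
    """Score a file on the two traits the report describes (assumed weights)."""
    sources = find_embedded_source(data)
    com_unregister = b"ComUnregisterFunctionAttribute" in data
    score = (2 if sources else 0) + (1 if com_unregister else 0)
    verdict = "suspicious" if score >= 2 else "review" if score == 1 else "clean"
    return {
        "com_unregister_function": com_unregister,
        "embedded_source": sources,
        "verdict": verdict,
    }


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BYTES
    print(json.dumps(triage_dotnet_bytes(data), indent=2))
```

Run it with a file path to triage a real sample, or with no arguments to see the constructed case flagged as "suspicious" while the benign bytes come back "clean". ComUnregisterFunction on its own only earns "review", since legitimate COM-exposed assemblies declare it too; it is the combination with source text hidden in an attribute that matches this campaign.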



What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against the malware samples used in the campaign:


MSIL/Cerbu.CA89!tr

MSIL/Dropper.E5B0!tr

MSIL/GenericKDZ.5CA8!tr

MSIL/Tedy.1448!tr

W32/Dloader.X!tr

W32/PossibleThreat

MSIL/Asbit.C!tr


All network IOCs associated with this attack are blocked by the WebFiltering client.


FortiEDR blocks the first stage of RedInk upon the initiation of a network connection:


FortiEDR Threat Hunting customers can additionally hunt for it using the following query:


Source.Process.Name:Regasm.exe AND Source.Process.CommandLine:*.txt*
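For teams without FortiEDR, the same hunt can be run over any process-creation telemetry. The script below is an added example, not part of the report: it applies the query's semantics (process name equals Regasm.exe, command line contains ".txt") to constructed JSON-lines events that reuse the two field names from the query, and pulls out the .txt argument so the analyst knows which file to collect. All paths, users and parent processes in the sample are invented, and the "Source.Process.Parent" field is assumed for the demo.

```python
import json
import re
from typing import Dict, List

# Constructed process-creation events (JSON lines). The two field names are the
# ones used in the FortiEDR query above; every path, user and parent is invented.
SAMPLE_EVENTS = r"""
{"Source.Process.Name": "RegAsm.exe", "Source.Process.CommandLine": "RegAsm.exe /u \"C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.txt\"", "Source.Process.Parent": "cmd.exe"}
{"Source.Process.Name": "regasm.exe", "Source.Process.CommandLine": "regasm.exe C:\\Temp\\notes.TXT /unregister", "Source.Process.Parent": "powershell.exe"}
{"Source.Process.Name": "RegAsm.exe", "Source.Process.CommandLine": "RegAsm.exe /codebase C:\\Build\\MyComLib.dll", "Source.Process.Parent": "msbuild.exe"}
{"Source.Process.Name": "rundll32.exe", "Source.Process.CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "Source.Process.Parent": "explorer.exe"}
{"Source.Process.Name": "notepad.exe", "Source.Process.CommandLine": "notepad.exe C:\\Users\\jdoe\\todo.txt", "Source.Process.Parent": "explorer.exe"}
"""

# Pulls the quoted or bare argument ending in .txt so the file can be collected.
_TXT_ARG = re.compile(r'"([^"]*\.txt)"|(\S*\.txt)', re.IGNORECASE)


def matches_hunt_query(event: Dict[str, str]) -> bool:
    """Semantics of: Source.Process.Name:Regasm.exe AND Source.Process.CommandLine:*.txt*

    Matching is case-insensitive so that regasm.exe and notes.TXT do not slip
    through; the wildcard query means "contains .txt anywhere".
    """
    name = event.get("Source.Process.Name", "").lower()
    cmdline = event.get("Source.Process.CommandLine", "").lower()
    return name == "regasm.exe" and ".txt" in cmdline


def hunt_regasm(jsonl: str) -> List[Dict[str, str]]:
    """Return one hit per matching event with the suspect .txt argument extracted."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not matches_hunt_query(event):
            continue
        m = _TXT_ARG.search(event["Source.Process.CommandLine"])
        hits.append({
            "name": event["Source.Process.Name"],
            "parent": event.get("Source.Process.Parent", ""),
            "suspect_file": (m.group(1) or m.group(2)) if m else "",
        })
    return hits


if __name__ == "__main__":
    for hit in hunt_regasm(SAMPLE_EVENTS):
        print(f"{hit['parent']} -> {hit['name']} loaded {hit['suspect_file']}")
```

Only the first two events match: the /codebase registration of a real DLL from a build tool is the legitimate use of RegAsm and is left alone, as are the unrelated rundll32 and notepad events. The parent process is carried along because RegAsm launched from a shell or script, rather than from a build or installer, is what makes a hit worth escalating.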

Definitions

Traffic Light Protocol

Color | When should it be used? | How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.