Analyzing RedLine C2 Communications
Added 2023-02-11 17:57:36 +0000 UTCRedLine does not use a standard HTTP scheme for its C2 communications. Instead it uses SOAP over WCF to creates a channel to the C2 to pass over the exfiltrated data.
Looking at a packet from a sandbox detonation of the malware in Wireshark we see that the malware will call out to the C2 and get the configuration for the malware that defines the software that it should steal from. The files and the locations that it should grab from and other settings like what chrome extensions to steal from. The malware will then exfiltrate its files over this communication channel making RedLine an interesting piece of malware.
