App Review Antivirus vs RedLine Stealer malware Competition

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Shadowra

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
damage is a possibility concerning time has passed.
Damage with stealers is caused about 20-30 seconds after execution from my long practice of playing with them, including on various emulation sites. They usually have a long sleep of about 10-15 seconds and then extract a copy of themselves somewhere (might be the startup folder in start menu, might be somewhere else). Once they do that, they will harvest the data. By the time you even type KVRT on Google, it’s already too late, let alone doing a full scan with it.

The test I performed is slightly different but still had plenty of rats and stealers.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Damage with stealers is caused about 20-30 seconds after execution from my long practice of playing with them, including on various emulation sites. They usually have a long sleep of about 10-15 seconds and then extract a copy of themselves somewhere (might be the startup folder in start menu, might be somewhere else). Once they do that, they will harvest the data. By the time you even type KVRT on Google, it’s already too late, let alone doing a full scan with it.

The test I performed is slightly different but still had plenty of rats and stealers.
Although some stealers do have delayed starts and extended sleep functions, some are essentially instantaneous in data theft and transmission.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Although some stealers do have delayed starts and extended sleep functions, some are essentially instantaneous in data theft and transmission.
It depends on how the agent will he configured. Most of them are truly versatile and have various options. You can configure refresh rate for the event listener on RATs, sleeps, anti-termination options (such as on termination to cause BSOD) and many others. It all depends on what the customer (attacker) wants. Attackers who are more knowledgeable allow long sleeps to evade sandboxing and threat emulation — they still don’t know that long sleeps are ignored.
 

pvsurfer

Level 2
Verified
Oct 20, 2019
64
Even if Stealer malware avoids AV detection/cleaning, any theft can be prevented if firewall blocks 'non-whitelist' outbound connections. In that regard I find Malwarebytes' Windows Firewall Control (freeware) does a great job.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Even if Stealer malware avoids AV detection/cleaning, any theft can be prevented if firewall doesn't allow 'non-whitelist' outbound connections. In that regard I find Malwarebytes' Windows Firewall Control (freeware) does a great job.
It then depends on how the agent will be delivered. If it is injected in a benign LOTLbin such as aspnetcompiler, msbuild and many others, these are MS signed executables. It is unlikely that user will realise a stealer is trying to connect.

There is no 100% protection in any case. Even if Antivirus X on test Y has blocked more, attackers will go to great lengths to evade detection and they will, one way or another.
 
Last edited:

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
223
It then depends on how the agent will be delivered. If it is injected in a benign LOTLbin such as aspnetcompiler, msbuild and many others, these are MS signed executables. It is unlikely that user will realise a stealer is trying to connect.

There is no 100% protection in any case. Even if Antivirus X on test Y has blocked more, attackers will go to great lengths to evade detection and they will, one way or another.
So what is the most effective way for protection? Do you suggest any particular AV + other tools for at least 99.9% protection?
 
  • Like
Reactions: Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
So what is the most effective way for protection? Do you suggest any particular AV + other tools?
No, I suggest that users are vigilant at all times and only work with a small set of trusted apps.

Below are the builders of 2 RATs, there are many others too.


IMG_1330.jpeg
IMG_1329.jpeg

Apart from the various config options there, the attackers have different ways of distributing them and this is where their true creativity gets unlocked. It could be presented as a crack, it could be as a shortcut, through weaponised documents, scripts and many others. Users should always observe, think and suspect — and avoid executing anything that looks suspicious.
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,222
A little OT but quick CF question @cruelsister as I'm trialling using CF with MD or full CIS. Question is, do you get a lot of Edge firewall blocks to ports 25 & 1900? It only happens when i swap over to Proactive config but just wondering whether this was something to ignore? It didn't happen with Win 10

EDIT: Seems I was connected to the same network name but named (2) and (3) but not connected to the actual 192.168.0.1 router. Win 11 had set network profile as public so may be why CF detecting as network 192.168.0.17 with gateway 192.168.0.1. I think I'll ignore the 100s of log entries or create specific rules.

Love your vids.
 
Last edited:

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
A little OT but quick CF question @cruelsister as I'm trialling using CF with MD or full CIS. Question is, do you get a lot of Edge firewall blocks to ports 25 & 1900? It only happens when i swap over to Proactive config but just wondering whether this was something to ignore? It didn't happen with Win 10

EDIT: Seems I was connected to the same network name but named (2) and (3) but not connected to the actual 192.168.0.1 router. Win 11 had set network profile as public so may be why CF detecting as network 192.168.0.17 with gateway 192.168.0.1. I think I'll ignore the 100s of log entries or create specific rules.

Love your vids.
Thank you! My suggestion is that you don't bother with the full CIS as you really do not need the manual scanning functionality of it and CF already has an on-access cloud AV.

As to Containing (sandboxing) Edge or any other browser, I personally don't do that myself as there is little point (as far as infection to the computer is concerned) in doing so as any infective mechanism is extrinsic to the browser, and not actually arising from it.
 

Shadowra

Level 37
Thread author
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,630
So what is the most effective way for protection? Do you suggest any particular AV + other tools for at least 99.9% protection?

A good antivirus, stay up to date (Windows, Java, risky software etc) and don't click anywhere.
No antivirus will protect you 100%.

No, I suggest that users are vigilant at all times and only work with a small set of trusted apps.

Below are the builders of 2 RATs, there are many others too.

The base of your 2 clients is the same which is njRAT (named Bladabindi by the antiviruses) which is an open-source RAT that can be modified at will.
But you are right about the rest, the attacker can check what he wants. RATs are a bit like the "poor man's botnet".
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
True. Bladabindi/njRAT/Ratenjay (Symantec) is one of the most commonly distributed RATs, originally developed by Houdini’s mate Naser Al Mutairi. Houdini (Mohamed Benabdellah) was mostly famous with his Dinihou and H-Worm which were worm+rat. They were spreading on a removable drive by replacing harmless files with a shortcut that both executed the file and in the same time delivered njRAT.

The tactic has since inspired many.

njRAT and its derivatives have remained “poor man affair” due to them widely being available cracked, but other RATs and stealers offer even more versatile configuration in the backend.

For example, this is Agent Tesla.
IMG_1332.jpeg

Vidar, njRat and Agent Tesla still account for a large proportion of the infections worldwide, as they provide low to no-cost way of stealing data.

 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,222
Thank you! My suggestion is that you don't bother with the full CIS as you really do not need the manual scanning functionality of it and CF already has an on-access cloud AV.

As to Containing (sandboxing) Edge or any other browser, I personally don't do that myself as there is little point (as far as infection to the computer is concerned) in doing so as any infective mechanism is extrinsic to the browser, and not actually arising from it.
Thank you! , working great and quietly protecting me using your config.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top