
Netskope details RedTiger infostealer targeting gamers and Discord accounts

RedTiger, an open-source red-teaming tool released in 2024, has been increasingly observed in malicious campaigns targeting gamers, with a special focus on Discord accounts and other sensitive user data. This matters for enterprise security teams because it represents a growing threat that exploits gaming platforms and popular communication tools to exfiltrate confidential information.

Research overview

RedTiger is a Python-based tool that combines multiple modules for network scanning, open-source intelligence gathering, phishing, and notably an infostealer specifically designed to collect user credentials and payment information from gaming and communication applications. While initially developed for penetration testing, the tool has been adopted by threat actors for unauthorized data extraction.

Observed RedTiger infostealer samples are distributed as PyInstaller-compiled binaries with filenames suggesting targeting of gaming communities, including variants with French-language components indicating regional focus. The modular nature of the infostealer enables it to collect a range of data such as Discord credentials, browser-stored passwords and payment details, cryptocurrency wallet information, game account data, and system screenshots.

Technical breakdown

Persistence methods are implemented on Windows by adding the malware to the startup folder, while Linux and macOS variants are incomplete, requiring manual configuration files to achieve autostart functionality. Exfiltration of stolen data occurs in two phases: first, data is archived and uploaded to the GoFile cloud storage platform, which does not require user accounts, facilitating anonymous uploads. Second, the resulting download URL is sent to the attacker via a Discord webhook along with victim metadata like IP address and host details.

RedTiger employs file and process spamming techniques, creating multiple random files and launching numerous process instances to strain system resources and potentially obfuscate forensic investigation. The malware also incorporates defense evasion by terminating its own process when it detects specific usernames, hostnames, or hardware identifiers (IDs) associated with sandbox or analysis environments. Additionally, the hosts file is altered to redirect security vendor domains to the local host, blocking access to anti-malware resources.
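Two of the behaviours described above, the GoFile-then-Discord-webhook exfiltration sequence and the hosts file tampering, lend themselves to simple host- and proxy-log checks. The following is an added illustration, not code from Netskope or from the RedTiger project; the vendor domain watchlist, the proxy log format and all sample inputs are constructed assumptions.

```python
import re
from ipaddress import ip_address
# Assumed watchlist of security-vendor domains; replace with your own list.
VENDOR_DOMAINS = ("virustotal.com", "malwarebytes.com", "avast.com", "kaspersky.com")
# Patterns for the two exfiltration legs described above, plus a constructed log format.
GOFILE_RE = re.compile(r"https?://[\w.-]*gofile\.io/", re.I)
WEBHOOK_RE = re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/", re.I)
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+method=(?P<method>\S+)\s+url=(?P<url>\S+)")


def find_hosts_tampering(hosts_text, vendor_domains=VENDOR_DOMAINS):
    """(ip, hostname) pairs where a watched domain is pinned to 127.0.0.1, ::1 or 0.0.0.0."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if len(fields) < 2:
            continue
        try:
            addr = ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an IP address
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in vendor_domains):
                hits.append((fields[0], host))
    return hits


def find_exfil_sources(log_lines):
    """Sorted sources that POSTed to GoFile and later to a Discord webhook (the two-phase pattern)."""
    uploaded, flagged = set(), set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["method"].upper() != "POST":
            continue
        if GOFILE_RE.search(m["url"]):
            uploaded.add(m["src"])
        elif WEBHOOK_RE.search(m["url"]) and m["src"] in uploaded:
            flagged.add(m["src"])
    return sorted(flagged)


SAMPLE_HOSTS = """127.0.0.1 localhost  # constructed sample hosts file, not a real capture
0.0.0.0   www.virustotal.com virustotal.com
::1       support.kaspersky.com  # IPv6 loopback is caught too
"""
SAMPLE_LOGS = [  # constructed proxy log lines, not real traffic
    "src=10.0.0.5 method=POST url=https://upload.gofile.io/uploadfile",
    "src=10.0.0.5 method=POST url=https://discord.com/api/webhooks/123/abc",
    "src=10.0.0.9 method=POST url=https://discord.com/api/webhooks/456/def",
]
```

A webhook POST alone is not flagged (10.0.0.9 above), since legitimate Discord integrations use the same endpoint; the upload-then-webhook order from one source is what distinguishes the described pattern.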

Targeted data and collection methods

The infostealer extracts Discord tokens by searching for tokens both in plain text and encrypted formats within Discord and browser database files. It validates tokens via Discord's Application Programming Interface (API) and harvests account details including usernames, email addresses, multi-factor authentication settings, and financial information stored in Discord. Custom JavaScript is injected into Discord's client files to monitor activity including credential changes and capture related data dynamically during user interaction.

Besides Discord, RedTiger collects sensitive files matching predefined keywords in user directories. It also targets multiple browser profiles to extract stored passwords, cookies, credit card data, and browsing history across a wide range of browsers, including major releases and developer channels. Finally, it attempts to terminate processes that hold locks on game and cryptocurrency wallet data files, then copies the relevant directories and files before archiving them.

Webcam snapshots and desktop screenshots are taken using OpenCV and Pillow libraries to collect visual information from victims. These images are compressed and embedded with other stolen data in the archive prepared for exfiltration.

Operational impact

By leveraging cloud storage and Discord webhooks, RedTiger streamlines data extraction while complicating detection of network exfiltration. Its focus on gaming and communication platforms, wide browser coverage, and use of defensive evasion techniques present challenges to traditional security monitoring. The spamming behaviors and hosts file tampering impede incident response and analysis efforts.

Netskope detection capabilities

Netskope Threat Protection identifies RedTiger infections under detection signatures such as Win64.Trojan.RedTiger and Gen.Detect.By.NSCloudSandbox.tr. These detections enable identification and response to RedTiger activity within monitored environments.

Netskope Threat Labs continues to analyze the evolution of RedTiger and similar infostealers, aiming to provide updated threat intelligence and protection guidance.

This Blog Signals brief summarizes factual findings from the vendor blog post, outlining the operational characteristics, targeted data types, and detection mechanisms related to the RedTiger infostealer relevant to enterprise security professionals.