
                            RedTiger: New Red Teaming Tool in the Wild Targeting Gamers and Discord Accounts

                            Oct 23 2025

                            Summary

                            Gamers are a hot target for infostealers these days. This blog post is the second we have published this month about an infostealer targeting gamers, with the previous one describing a Python-based malware targeting Discord. This blog post focuses on RedTiger, a red-teaming tool from which we have seen multiple payloads circulating in the wild.

Released to the public in 2024, RedTiger is a relatively new, open-source, Python-based red teaming tool that bundles various security and penetration testing tools, including network scanning, open source intelligence (OSINT) tools, phishing-related toolkits, an infostealer, and Discord-related tools. As is often the case with red-team tools, attackers adopt them and use them for malicious purposes. For example, the very popular C2 framework Cobalt Strike has long been cracked and abused by attackers who like its highly customizable feature set. While RedTiger offers multiple separate tools, this post focuses exclusively on the infostealer.

                            The RedTiger infostealer targets various types of sensitive information, with a primary focus on Discord accounts. It injects custom JavaScript into the Discord client to intercept events. Additionally, it collects browser-stored data (including payment information), game-related files, cryptocurrency wallet data, and screenshots from the host system. It can also spy through the victim’s webcam and overload storage devices by mass-spawning processes and creating files. It also provides various defense evasion techniques and persistence mechanisms. Based on sample filenames and some custom messages, attackers are targeting gamers, with certain samples indicating a possible focus on French-speaking users.

                            Key Findings

                            • RedTiger infostealer is a new, open-source red teaming tool, with payloads now appearing in the wild and more variants expected.
                            • Its exfiltration occurs in two stages: Archived stolen files are first uploaded to GoFile cloud storage, then the download link is sent to the attacker via a Discord webhook.
                            • Based on filenames and display messages, the attackers are targeting gamers, with some samples targeting French-speaking users.

                            RedTiger infostealer in the wild

                            All RedTiger infostealer samples observed in the wild were distributed as binaries compiled with PyInstaller. The samples’ filenames suggest a primary focus on gaming users, and several samples include warning messages in French, indicating that some samples are targeting French-speaking victims.

                            The RedTiger infostealer is modular, so the various samples use different features and target multiple types of data. In the samples analyzed, the malware focused on Discord data, browser-stored credentials and payment information, cryptocurrency wallets, and game accounts like Roblox.

                            Let’s take a closer look at how RedTiger Stealer operates.

                            Persistence

                            The persistence mechanism is available on Windows, Linux, and Darwin (macOS) systems, but must be enabled as an attacker builds the RedTiger infostealer. On Windows, it adds the payload to the startup folder to run at login. Persistence on Linux and Darwin is incomplete. On Linux, it copies the Python script to the autostart folder, but still needs a .desktop file to execute it. On Darwin, it copies the script to the LaunchAgents folder, but a .plist config file is required to run it at login. Neither file is included in the script.

                            Exfiltration

The RedTiger infostealer exfiltrates data in two stages. First, it archives all stolen data from the victim and uploads it to GoFile cloud storage. GoFile allows users to upload files without an account, enabling easy and anonymous use of cloud storage. After uploading, a download link is generated and sent to the attacker through Discord via a webhook. It also sends victim details such as IP address, country, and hostname so the attacker can identify the source of the stolen data.
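The two-stage pattern above is easier to detect as a sequence than as two separate events. The following is an added example (not from the original post and not RedTiger code) that correlates a GoFile upload followed by a Discord webhook call from the same client in web proxy logs; the log layout, the sample lines, and the GoFile URL shapes are assumptions.

```python
"""Correlate the two-stage exfiltration (GoFile upload, then Discord webhook)
in web proxy logs. Either event alone is common; the same client doing both
within a short window is the signal worth alerting on."""
from datetime import datetime, timedelta

# Constructed sample lines; the "<ISO time> <client> <method> <url>" layout and
# the GoFile URL shapes are assumptions, not observed traffic.
SAMPLE_LOG = """\
2025-10-20T10:00:01Z 10.1.2.3 GET https://api.gofile.io/servers
2025-10-20T10:00:02Z 10.1.2.3 POST https://store1.gofile.io/uploadFile
2025-10-20T10:00:05Z 10.1.2.3 POST https://discord.com/api/webhooks/1234/abcd
2025-10-20T10:30:00Z 10.1.2.9 POST https://discord.com/api/webhooks/5678/efgh
2025-10-20T11:00:00Z 10.1.2.7 POST https://store2.gofile.io/uploadFile
2025-10-20T11:45:00Z 10.1.2.7 POST https://discord.com/api/webhooks/9/xyz
"""

WINDOW = timedelta(minutes=10)   # max gap between upload and webhook call


def classify(url):
    """Tag a URL as a GoFile upload, a Discord webhook call, or neither."""
    if ".gofile.io/" in url and "upload" in url.lower():
        return "gofile_upload"
    if "discord.com/api/webhooks/" in url or "discordapp.com/api/webhooks/" in url:
        return "discord_webhook"
    return None


def parse(log_text):
    """Yield (timestamp, client, method, url) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split(" ", 3)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, url


def correlate(log_text, window=WINDOW):
    """Return one alert per client that POSTed to a Discord webhook within
    `window` after a POST to a GoFile upload endpoint."""
    last_upload = {}   # client -> timestamp of its most recent GoFile upload
    alerts = []
    for ts, client, method, url in sorted(parse(log_text)):
        if method != "POST":
            continue
        kind = classify(url)
        if kind == "gofile_upload":
            last_upload[client] = ts
        elif kind == "discord_webhook":
            uploaded = last_upload.get(client)
            if uploaded is not None and ts - uploaded <= window:
                alerts.append({"client": client, "upload_at": uploaded, "webhook_at": ts})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(f"{alert['client']}: GoFile upload at {alert['upload_at']}, "
              f"webhook call at {alert['webhook_at']}")
```

Only 10.1.2.3 is reported: 10.1.2.9 never uploaded, and 10.1.2.7's webhook call comes 45 minutes after its upload, outside the window.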

                            File and process spamming


                            Another feature of this infostealer is mass file and process spamming, which can overload system resources and hinder forensic analysis by flooding the timeline with meaningless artifacts.

                            The infostealer creates 100 files with random file extensions from a predefined list. It writes random alphanumeric strings into each file, resulting in unpredictable file sizes. It spawns a new thread for each file creation and waits for all threads to complete, ensuring the process is fully carried out. 

                            For process spamming, the infostealer launches 100 threads. Each thread executes a loop that launches one instance of every program on the predefined list, resulting in 400 total processes being launched simultaneously across the system. 
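A burst of this shape stands out clearly in process-creation telemetry. The following is an added example (not from the original post and not RedTiger code) that applies a per-parent sliding window to constructed events; the three-field event layout and the program names in the sample are assumptions.

```python
"""Flag the process-spawn burst described above in process-creation telemetry.
Assumed input: one event per line, "<ISO time> <parent pid> <image>" (a
Sysmon Event ID 1 export reduced to three fields); a single parent launching
dozens of children inside one second is the behaviour to alert on."""
from collections import deque
from datetime import datetime, timedelta

THRESHOLD = 50                   # children from one parent ...
WINDOW = timedelta(seconds=1)    # ... inside this window


def parse_events(text):
    """Yield (timestamp, parent_pid, image) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ppid, image = line.split(" ", 2)
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), int(ppid), image


def find_bursts(text, threshold=THRESHOLD, window=WINDOW):
    """Sliding window per parent PID. Returns {parent_pid: peak children seen
    inside one window} for every parent that crossed the threshold."""
    recent = {}    # parent pid -> deque of timestamps still inside the window
    bursts = {}
    for ts, ppid, _image in sorted(parse_events(text)):
        window_q = recent.setdefault(ppid, deque())
        window_q.append(ts)
        while ts - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold:
            bursts[ppid] = max(bursts.get(ppid, 0), len(window_q))
    return bursts


def make_sample():
    """Constructed telemetry: parent 4242 spawns 400 children in 0.4 s (the
    100 threads x 4 programs pattern; program names are made up), while
    parent 900 runs a normal compile that starts one process every 5 s."""
    base = datetime(2025, 10, 20, 12, 0, 0)
    programs = ["prog_a.exe", "prog_b.exe", "prog_c.exe", "prog_d.exe"]
    lines = [f"{(base + timedelta(milliseconds=i)).isoformat()}Z 4242 {programs[i % 4]}"
             for i in range(400)]
    lines += [f"{(base + timedelta(seconds=5 * i)).isoformat()}Z 900 cl.exe"
              for i in range(10)]
    return "\n".join(lines)


if __name__ == "__main__":
    for ppid, peak in find_bursts(make_sample()).items():
        print(f"parent pid {ppid}: {peak} child processes within "
              f"{WINDOW.total_seconds()} s")
```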

                            Defense evasion features

                            The infostealer’s defense evasion features terminate its process if it detects usernames, hostnames, or hardware IDs from a predefined list typically associated with sandbox environments.

Sandbox indicator lists checked by the infostealer (raw values omitted here): usernames, hostnames, hardware IDs (system UUIDs), and process names of debuggers and analysis tools.

                            Additionally, the infostealer modifies the hosts file to redirect DNS requests for specific security vendor domains to localhost, effectively blocking access to those vendors.
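A hosts-file entry that pins a real domain to a loopback or unspecified address is easy to audit for. The following is an added example (not from the original post and not RedTiger code) that parses a hosts file and reports sinkholed names outside a small allowlist; the sample content is constructed and uses reserved .test names.

```python
"""Audit a hosts file for the tampering described above: non-local names
pinned to a loopback or unspecified address. Standard hosts-file syntax is
assumed; the sample content is constructed and uses reserved .test names."""
import ipaddress

# Names legitimately mapped to loopback on stock Windows/Linux/macOS files.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield line_no, ip, name.lower()


def is_sinkhole(ip):
    """True for 127.0.0.0/8, ::1, 0.0.0.0 and ::, the usual blackhole targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text, allow=LOCAL_NAMES):
    """Return (line_no, hostname, ip) for names sinkholed to loopback that are
    not in the allowlist; any real vendor or update domain here is tampering."""
    return [(line_no, name, ip)
            for line_no, ip, name in parse_hosts(text)
            if is_sinkhole(ip) and name not in allow]


# Constructed sample: two stock entries plus two sinkholed vendor-like names.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   updates.example-av.test      # constructed entry
127.0.0.1 cloud.example-security.test  # constructed entry
"""


def audit_file(path):
    """Run the check against a real hosts file, e.g.
    C:\\Windows\\System32\\drivers\\etc\\hosts or /etc/hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for line_no, name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```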

                            Data targeted by RedTiger

                            The sections below describe the data targeted by RedTiger and the techniques used to collect them.

                            Sensitive Discord information, through app modification

Among the information that RedTiger targets is Discord account and payment information. It starts by defining two regular expressions to capture both plain and encrypted Discord tokens. It then locates the database files (*.log and *.ldb) of Discord or browser applications, terminates the process, and searches those files for Discord tokens using the regular expressions.

Once it collects a Discord token, it runs a function to validate the token: it sends a GET request to the Discord API endpoint /users/@me and returns True if the API responds with HTTP status 200.

Once the Discord tokens are validated, it sends another GET request to the same API endpoint and collects several details, including username, global display name, user ID, email address, verification status, MFA setting, and subscription level.

                            The RedTiger infostealer then proceeds to siphon the victim’s banking information saved in Discord. This includes bank payment information, PayPal account, and promotion codes. It does so by sending a GET request to Discord’s API endpoint using the stolen token.

                            Lastly, the infostealer injects a custom JavaScript into Discord’s client index.js file (discord_desktop_core) to monitor and intercept Discord traffic. It intercepts API calls to Discord, Braintree, and Stripe and inspects the data sent for event-specific keywords to selectively capture traffic. It monitors several activities, including payment information modification, purchases, login activities (including MFA), and downloading billing information.

                            Notably, one of the events monitored is changing the victim’s email address and password. This means that even if the victim changes their password, the infostealer will still grab the new credentials, along with the new Discord tokens.

                            The table below summarizes the endpoint and event that the infostealer is targeting.

API Endpoint | Event/Action
/auth/login | User logging in (captures username/email & password)
/users/@me (GET/PATCH) | Fetching or updating user profile (captures token, email change, password change, MFA, etc.)
/users/@me PATCH | Changing user details (password/email change, profile updates)
/billing/payment-sources (Stripe API) | Adding or modifying billing/payment sources (captures card/PayPal details)
/store/skus/*/purchase (Stripe API) | Purchasing Discord Nitro or other store items (captures Nitro gift codes, payment info)
/tokens (Stripe API) | Adding a new credit card
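Because the injection lives in a file that is otherwise a one-line loader, a content check catches it. The following is an added example (not from the original post and not RedTiger code) that compares discord_desktop_core/index.js with the stock loader and looks for strings a hook for the endpoints in the table above would reference; the stock content, the Windows path layout, and the tampered sample are assumptions to verify against a clean install.

```python
"""Check the Discord client for the index.js modification described above.
Assumptions (verify against a clean install): the stock
discord_desktop_core/index.js is a one-line loader for core.asar, and the
Windows client lives under %LOCALAPPDATA%\\Discord\\app-*\\modules."""
import hashlib
import os
import re
from pathlib import Path

STOCK_INDEX_JS = "module.exports = require('./core.asar');"   # assumed stock content

# Strings a hook for the endpoints in the table above would have to reference.
INJECTION_HINTS = re.compile(
    r"api/webhooks/|users/@me|auth/login|payment-sources|store/skus|"
    r"braintree|stripe|XMLHttpRequest|password",
    re.IGNORECASE,
)


def analyze_index_js(content):
    """Compare file content with the stock loader and look for hook indicators."""
    hints = sorted({m.group(0).lower() for m in INJECTION_HINTS.finditer(content)})
    matches_stock = content.strip() == STOCK_INDEX_JS
    if matches_stock:
        verdict = "clean"
    elif hints:
        verdict = "likely_injected"
    else:
        verdict = "modified"          # not stock, but no known hook strings
    return {
        "verdict": verdict,
        "size": len(content),
        "sha256": hashlib.sha256(content.encode("utf-8")).hexdigest(),
        "hints": hints,
    }


def discord_index_js_paths(local_appdata=None):
    """Locate every discord_desktop_core/index.js for the stable, Canary and
    PTB clients (Windows layout assumed)."""
    root = Path(local_appdata or os.environ.get("LOCALAPPDATA", ""))
    for client in ("Discord", "DiscordCanary", "DiscordPTB"):
        base = root / client
        if base.is_dir():
            yield from base.glob(
                "app-*/modules/discord_desktop_core*/discord_desktop_core/index.js")


def scan(local_appdata=None):
    """Map each located index.js to its analysis result."""
    return {str(p): analyze_index_js(p.read_text(encoding="utf-8", errors="replace"))
            for p in discord_index_js_paths(local_appdata)}


# Constructed tampered sample: stock loader followed by a stub that merely
# names a webhook URL and the profile endpoint; it hooks nothing.
SAMPLE_TAMPERED = (STOCK_INDEX_JS + "\n"
                   "const HOOK = 'https://discord.com/api/webhooks/0/placeholder';\n"
                   "const WATCH = '/api/v9/users/@me';\n")


if __name__ == "__main__":
    for path, result in scan().items():
        print(path, result["verdict"], result["hints"])
```

A "modified" verdict without hints still deserves a look; the check only confirms that the file is not the stock loader.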

                            Sensitive files

                            Another target of the RedTiger infostealer is a set of files in user profile directories that have filenames matching predefined keywords. It scans for files ending in .txt, .sql, or .zip. If the filename exactly matches one of the configured keywords, the file is added to a ZIP archive under the internal path Interesting Files with a randomized suffix to avoid name collisions.

                            Game and crypto wallet data

                            The RedTiger infostealer targets cryptocurrency wallets and game-related applications. It attempts to terminate associated processes to release locked files, copies the specified directories and files from a predefined list, records the original path in a path.txt file, and stores all collected data inside the archive under Session Files/<AppName>/Files/.

In addition to targeting other game-related applications, the infostealer has a separate function to steal Roblox account information stored in the browser. It uses the Python browser_cookie3 module to extract cookies for the “roblox.com” domain, then sends a GET request with those cookies to the “/mobileapi/userinfo” API endpoint and parses the data of interest from the response.

                            Browser data and credit card information

                            Similar to the Python NodeStealer previously reported, RedTiger also targets information saved in the browser, including passwords, cookies, download and browsing history, credit card information, and extensions.

                            The RedTiger infostealer targets a wide range of browsers, including major browsers and some of their release channels. The distinction was made because the folder paths of release channels are different.

Targeted browsers: Google Chrome, Google Chrome Beta, Google Chrome Dev, Google Chrome Canary, Google Chrome Unstable, Opera, Opera GX, Opera Neon, Brave, Vivaldi, Internet Explorer, Amigo, Torch, Kometa, Orbitum, Cent Browser, 7Star, Sputnik, Epic Privacy Browser, Uran, Yandex, Yandex Canary, Yandex Developer, Yandex Beta, Yandex Tech, Yandex SxS, Iridum, Mozilla Firefox, Safari, Microsoft Edge

                            Webcam and screen capture

The RedTiger infostealer can capture both a webcam snapshot and a screenshot of the victim’s primary desktop screen. It uses the cv2 (OpenCV) module to access the default webcam, capture a single image, convert it from BGR to RGB, and release the camera so it remains available to other applications. For screenshots, it uses the Pillow (PIL) module’s ImageGrab.grab() function to capture the desktop, compress the image, and save it as “Screenshot.png” directly into the ZIP archive, using the same in-memory buffer as the webcam image.

                            Netskope Detection

                            • Netskope Threat Protection
                              • Win64.Trojan.RedTiger
                            • Netskope Advanced Threat Protection provides proactive coverage against this threat.
                              • Gen.Detect.By.NSCloudSandbox.tr

                            Conclusions

                            The new, open-source RedTiger infostealer has recently emerged in the wild, primarily targeting victims’ Discord accounts, Roblox credentials, browser data (including cookies, passwords, and browsing history), and cryptocurrency wallet files. By uploading stolen data to GoFile cloud storage and sending download links via Discord webhook, RedTiger enables attackers to efficiently exfiltrate sensitive information while evading detection. Netskope Threat Labs will continue to monitor information stealers, including any developments related to the RedTiger infostealer. 

                            IOCs

                            All the IOCs and scripts related to this malware can be found in our GitHub repository.

                            Jan Michael Alcantara
                            Jan Michael Alcantara is an experienced incident responder with a background on forensics, threat hunting, and incident analysis.