Cyber security analysts at ESET have released an in-depth look at the inner workings of the RedLine Stealer operation and its clone, known as Meta, in the wake of a Dutch-led operation that saw the cyber criminal empire brought down.
Operation Magnus saw the Dutch National Police force, working with European Union support and other agencies including the FBI and the UK’s National Crime Agency (NCA), dismantle the notorious infostealers’ infrastructure.
The action was the culmination of a lengthy investigation to which ESET – which initially notified the authorities in the Netherlands that some of the malwares’ infrastructure was being hosted in their jurisdiction – was a key contributor, taking part in a preliminary operation last year that targeted the gang’s ability to use GitHub repositories as a “dead-drop” control mechanism.
In a detailed report, ESET said that having carried out an extensive analysis of the malwares’ source code and backend infrastructure in the run-up to Operation Magnus, it was now able to confirm with certainty that RedLine and Meta did indeed share the same author, and identified well over 1,000 unique IP addresses that had been used to control the operation.
“We were able to identify over 1,000 unique IP addresses used to host RedLine control panels,” said ESET researcher Alexandre Côté Cyr.
“While there may be some overlap, this means on the order of 1,000 subscribers to the RedLine MaaS [malware as a service],” he added.
“The 2023 versions of RedLine Stealer ESET investigated in detail used the Windows Communication Framework for communication between the components, while the latest version from 2024 uses a REST API.”
Global operation
The IP addresses found by ESET were dispersed globally, although mostly in Germany, the Netherlands and Russia, all accounting for about 20% of the total. Roughly 10% were located in Finland and the US.
ESET’s investigation also identified several distinct backend servers, with about 33% in Russia, and Czechia, the Netherlands and the UK all accounting for about 15%.
What was RedLine Stealer?
Ultimately, the goal of the RedLine and Meta operations was to harvest vast amounts of data from their victims, including information on cryptocurrency wallets, bank card details, saved credentials, and data from platforms including desktop VPNs, Discord, Telegram and Steam.
The operators’ customers bought access to the product, described by ESET in corporate terms as a “turnkey infostealer solution”, via various online forums or Telegram channels. They could choose either a monthly rolling subscription or a lifetime licence, and in exchange for their money received a control panel to generate malware samples and act as a personal command and control server.
“Using a ready-made solution makes it easier for the affiliates to integrate RedLine Stealer into larger campaigns,” said Côté Cyr. “Some notable examples include posing as free downloads of ChatGPT in 2023 and masquerading as video game cheats in the first half of 2024.”
At its peak, prior to the takedown, RedLine was probably the most widespread infostealer in operation, with a relatively large number of affiliates. However, said ESET, the MaaS business was likely orchestrated by a very small number of people.
Crucially, the author of the malwares, named as Maxim Rudometov, has been identified and charged in the US.