The Dutch National Police, along with international partners, have announced the disruption of the infrastructure powering two information stealers tracked as RedLine and MetaStealer.
The takedown, which took place on October 28, 2024, is the result of an international law enforcement task force codenamed Operation Magnus that involved authorities from the U.S., the U.K., Belgium, Portugal, and Australia.
Eurojust, in a statement published today, said the operation led to the shutdown of three servers in the Netherlands and the confiscation of two domains (fivto[.]online and spasshik[.]xyz). In total, over 1,200 servers in dozens of countries are estimated to have been used to run the malware.
As part of the efforts, one administrator has been charged by the U.S. authorities and two people have been arrested by the Belgian police, the Politie said, adding one of them has since been released, while the other remains in custody.
The U.S. Department of Justice (DoJ) has charged Maxim Rudometov, one of the RedLine Stealer's developers and administrators, with access device fraud, conspiracy to commit computer intrusion, and money laundering. If convicted, the Russian national faces a maximum penalty of 35 years in prison.
"Rudometov regularly accessed and managed the infrastructure of RedLine Infostealer, was associated with various cryptocurrency accounts used to receive and launder payments and was in possession of RedLine malware," the DoJ said.
Unsealed court documents show a series of operational security blunders that led the investigators to Rudometov, with an authorized search of the Apple iCloud Drive account associated with his Yandex email address uncovering numerous files identified as malware, including a RAR archive that corresponded to RedLine.
Further analysis of the RedLine licensing server revealed an IP address that was also "logged by Apple as having been used to interact with the iCloud account attributed to Rudometov." The IP address is said to have been used approximately 701 times to access or interact with the iCloud account in July 2021 alone.
Investigation into the technical infrastructure of the information stealers began a year ago, based on a tip from cybersecurity company ESET that the servers were located in the Netherlands.
The seized data includes usernames, passwords, IP addresses, timestamps, registration dates, and the source code of both stealer families. In tandem, several Telegram accounts associated with the stealer malware have been taken offline. Further investigation into their customers is ongoing.
"The infostealers RedLine and MetaStealer were offered to customers via these groups," Dutch law enforcement officials said. "Until recently, Telegram was a service where criminals felt untouchable and anonymous. This action has shown that this is no longer the case."
It's worth noting that the MetaStealer family dismantled as part of Operation Magnus is different from the MetaStealer malware that's known to target macOS devices.
Information stealers such as RedLine and MetaStealer are crucial cogs in the cybercrime wheel, allowing threat actors to siphon credentials and other sensitive information that could then be sold off to other threat actors for follow-on attacks like ransomware.
Stealers are typically distributed under a malware-as-a-service (MaaS) model, meaning the core developers rent access to the tools to other cybercriminals either on a subscription basis or for a lifetime license.
ESET Shared Details on RedLine Backend
Slovak cybersecurity company ESET said it identified over 1,000 unique IP addresses that were used to host RedLine control panels, and that the malware and MetaStealer (aka META) share the same creator.
"RedLine operates on a MaaS model in which anyone can buy a turnkey infostealer solution from various online forums and Telegram channels," ESET researcher Alexandre Côté Cyr said. "Clients, called affiliates, can opt for a monthly subscription, or a lifetime license; in exchange for their money, they get a control panel that generates malware samples and acts as a C&C server for them."
The control panel, offered for sale on forums and Telegram channels for $150 per month or $900 for a lifetime license, requires users to log in. Rather than hardcoding the authentication server, the malware authors used GitHub, Pastebin, and later their own domains as dead-drop resolvers: the panel fetches a page from one of those services and extracts the address of the actual authentication server from it, so the real backend can be moved without reissuing the panel.
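To make the dead-drop mechanism concrete, here is an added example (not RedLine code, and not ESET's analysis tooling) of how a client resolves its real backend from an innocuous hosted page. The `<<CFG>>` markers, the base64 wrapping, and the fake page contents are assumptions made for illustration; the article does not describe RedLine's actual encoding. The same parser is what an analyst writes to pivot from a sample's dead-drop URLs to the live server:

```python
"""Dead-drop resolver: locate a backend server via a page hosted on a public service.

Added example, not code from RedLine or ESET. The marker format, base64 encoding
and the fake page contents below are assumptions for illustration only.
"""
import base64
import re
from typing import Callable, Optional

# Assumed marker pair wrapping the base64-encoded "host:port" of the real server.
MARKER_RE = re.compile(r"<<CFG>>(?P<blob>[A-Za-z0-9+/=]+)<</CFG>>")
# Accept only a plain host:port so a tampered or defaced page cannot smuggle in
# arbitrary text that the client would then use as a server address.
HOSTPORT_RE = re.compile(r"^(?P<host>[a-z0-9.-]{1,253}):(?P<port>\d{1,5})$")

# Constructed stand-ins for the pages a client would fetch, in the order the text
# lists the services (GitHub, Pastebin, then an attacker-controlled domain).
# Real malware would issue HTTP GETs; the content is inline so this runs offline.
FAKE_PAGES = {
    # first dead drop already cleaned up by the hosting service: no marker present
    "https://raw.githubusercontent.com/example/profile/main/README.md":
        "# nothing here (content removed by host)",
    # second dead drop still carries the encoded backend address among filler text
    "https://pastebin.com/raw/XXXXXXXX": (
        "lorem ipsum filler text\n"
        "<<CFG>>YXV0aC5leGFtcGxlLmludmFsaWQ6ODA4MA==<</CFG>>\n"
        "more filler\n"
    ),
    # third dead drop is corrupt (marker contains characters that are not base64)
    "https://dead-drop.example.invalid/cfg.txt": "<<CFG>>!!not-base64!!<</CFG>>",
}


def extract_server(page_text: str) -> Optional[tuple[str, int]]:
    """Return (host, port) hidden in a dead-drop page, or None if absent/invalid."""
    m = MARKER_RE.search(page_text)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group("blob"), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    hp = HOSTPORT_RE.match(decoded)
    if not hp:
        return None
    port = int(hp.group("port"))
    if not 1 <= port <= 65535:
        return None
    return hp.group("host"), port


def resolve(
    dead_drops: list[str],
    fetch: Callable[[str], str] = lambda url: FAKE_PAGES.get(url, ""),
) -> Optional[tuple[str, int]]:
    """Try each dead drop in order and return the first valid server address.

    `fetch` is injectable so the example runs offline against FAKE_PAGES; a real
    resolver (or an analyst's pivot script) would pass an HTTP client here.
    """
    for url in dead_drops:
        server = extract_server(fetch(url))
        if server:
            return server
    return None


if __name__ == "__main__":
    print(resolve(list(FAKE_PAGES)))  # ('auth.example.invalid', 8080)
```

The fallback order matters operationally: once a hosting provider removes the first paste, the client silently moves on to the next, which is why takedowns of dead drops alone rarely cut clients off from the backend; the licensing server itself had to be identified and seized.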
It also enables customers to configure a Telegram bot to post stolen data to specific chats or a channel by providing a valid API token for the bot. Another notable feature of the panel is a "Black Lists" tab that allows affiliates to ignore incoming data by certain parameters, such as country, IP address, and HWID.
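The following added example (not the RedLine panel's code) models the two affiliate-facing features just described: a "Black Lists" filter that discards incoming victim logs by country, IP range and HWID, and the Telegram forwarding path that needs a bot API token. The record layout, field names, sample logs and the demo token are all constructed for illustration; the token regex and the `api.telegram.org/bot<token>/sendMessage` endpoint follow Telegram's documented Bot API format.

```python
"""Affiliate-side filtering and Telegram forwarding of stolen 'logs'.

Added example, not RedLine code. Record fields, rules and sample data are
assumptions for illustration. Nothing is sent anywhere: the Telegram helper
only builds the request URL.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Telegram bot tokens have the documented shape <numeric bot id>:<35-char secret>.
TELEGRAM_TOKEN_RE = re.compile(r"^\d{8,10}:[A-Za-z0-9_-]{35}$")
# Unanchored variant for hunting tokens in a config dump or strings output.
TELEGRAM_TOKEN_SCAN_RE = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")


@dataclass
class BlackList:
    countries: set[str] = field(default_factory=set)  # ISO 3166-1 alpha-2 codes
    networks: list = field(default_factory=list)       # ipaddress.ip_network objects
    hwids: set[str] = field(default_factory=set)       # hardware IDs, upper-cased

    def blocks(self, record: dict) -> bool:
        """True if any black-list rule matches the incoming victim record."""
        if record.get("country", "").upper() in self.countries:
            return True
        if record.get("hwid", "").upper() in self.hwids:
            return True
        try:
            ip = ipaddress.ip_address(record.get("ip", ""))
        except ValueError:
            return False  # missing/malformed IP: no network rule can match
        return any(ip in net for net in self.networks)


def build_blacklist(countries, cidrs, hwids) -> BlackList:
    """Normalise operator input (mixed case, bare IPs or CIDRs) into a BlackList."""
    return BlackList(
        {c.upper() for c in countries},
        [ipaddress.ip_network(c, strict=False) for c in cidrs],
        {h.upper() for h in hwids},
    )


def filter_logs(records: list[dict], bl: BlackList) -> list[dict]:
    """Drop every record the black list matches; keep the rest in order."""
    return [r for r in records if not bl.blocks(r)]


def telegram_send_url(token: str) -> str:
    """Bot API endpoint a panel would POST a log notification to (URL only)."""
    if not TELEGRAM_TOKEN_RE.match(token):
        raise ValueError("not a Telegram bot token")
    return f"https://api.telegram.org/bot{token}/sendMessage"


def find_bot_tokens(text: str) -> list[str]:
    """Extract bot tokens from a captured panel config or sample strings dump."""
    return TELEGRAM_TOKEN_SCAN_RE.findall(text)


# Constructed sample logs (documentation/TEST-NET ranges) and demo rules.
SAMPLE_LOGS = [
    {"hwid": "A1B2C3D4", "ip": "203.0.113.7",   "country": "DE"},  # kept
    {"hwid": "DEADBEEF", "ip": "198.51.100.9",  "country": "US"},  # dropped: HWID
    {"hwid": "11223344", "ip": "192.0.2.55",    "country": "RU"},  # dropped: country
    {"hwid": "55667788", "ip": "203.0.113.200", "country": "FR"},  # dropped: CIDR
]
DEMO_BLACKLIST = build_blacklist(["ru"], ["203.0.113.128/25"], ["deadbeef"])
DEMO_TOKEN = "123456789:AAFakeTokenForIllustration000000000"  # fake, not a real token

if __name__ == "__main__":
    print([r["hwid"] for r in filter_logs(SAMPLE_LOGS, DEMO_BLACKLIST)])  # ['A1B2C3D4']
    print(telegram_send_url(DEMO_TOKEN))
```

For a responder, `find_bot_tokens` is the useful half: a token and chat ID recovered from a seized panel or a sample's configuration identify the affiliate's exfiltration channel, and the country and HWID rules explain why some infected hosts never appear in an affiliate's logs despite a successful infection.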
(The story was updated after publication on November 11, 2024, to include information about the RedLine control panel.)