The Dutch National Police, together with international partners, have announced the disruption of the infrastructure powering two info stealers tracked as RedLine and MetaStealer.
The takedown, which took place on October 28, 2024, is the result of an international law enforcement task force codenamed Operation Magnus that involved authorities from the U.S., the U.K., Belgium, Portugal, and Australia.
Eurojust, in a statement published today, said the operation led to the shutdown of three servers in the Netherlands and the confiscation of two domains (fivto[.]online and spasshik[.]xyz). In total, over 1,200 servers in dozens of countries are estimated to have been used to run the malware.
As part of the efforts, one administrator has been charged by the U.S. authorities and two people have been arrested by the Belgian police, the Politie said, adding that one of them has since been released, while the other remains in custody.
The U.S. Department of Justice (DoJ) has charged Maxim Rudometov, one of the RedLine Stealer's developers and administrators, with access device fraud, conspiracy to commit computer intrusion, and money laundering. If convicted, the Russian national faces a maximum penalty of 35 years in prison.
"Rudometov regularly accessed and managed the infrastructure of RedLine Infostealer, was associated with various cryptocurrency accounts used to receive and launder payments and was in possession of RedLine malware," the DoJ said.
Unsealed court documents show a series of operational security blunders that led the investigators to Rudometov, with an authorized search of the Apple iCloud Drive account associated with his Yandex email addresses uncovering numerous files identified as malware, including a RAR archive that corresponded to RedLine.
Further analysis of the RedLine licensing server revealed an IP address that was also "logged by Apple as having been used to interact with the iCloud account attributed to Rudometov." The IP address is said to have been used approximately 701 times to access or interact with the iCloud account in July 2021 alone.
The investigation into the technical infrastructure of the info stealers began a year ago, based on a tip from cybersecurity company ESET that the servers were located in the Netherlands.
Among the data seized were usernames, passwords, IP addresses, timestamps, registration dates, and the source code of both stealers. In tandem, several Telegram accounts associated with the stealer malware have been taken offline. Further investigation into their customers is ongoing.
"The infostealers RedLine and MetaStealer were offered to customers via these groups," Dutch law enforcement officials said. "Until recently, Telegram was a service where criminals felt untouchable and anonymous. This action has shown that this is no longer the case."
It's worth noting that the MetaStealer family dismantled as part of Operation Magnus is different from the MetaStealer malware that's known to target macOS devices.
Info stealers such as RedLine and MetaStealer are crucial cogs in the cybercrime wheel, allowing threat actors to siphon credentials and other sensitive information that can then be sold to other threat actors for follow-on attacks like ransomware.
Stealers are often distributed under a malware-as-a-service (MaaS) model, meaning the core developers lease access to the tools to other cybercriminals either on a subscription basis or for a lifetime license.