Tuesday, December 3, 2024

ESET Sheds Light on the RedLine Cybercriminal Network

Cybersecurity analysts at ESET just released a detailed report on the RedLine Stealer operation and its clone, Meta. This comes after a Dutch-led initiative that significantly disrupted their cybercrime network.

Operation Magnus was led by the Dutch National Police, with support from the European Union, the FBI, and the UK’s National Crime Agency, and dismantled the infrastructure of these two infostealers. It wrapped up a lengthy investigation in which ESET played a vital role: ESET initially alerted Dutch authorities that some of the malware’s infrastructure was hosted in the Netherlands. Last year, ESET also targeted the gang’s use of GitHub repositories as a hidden control mechanism.

In their thorough analysis, ESET confirmed that RedLine and Meta share the same creator. “We identified over 1,000 unique IP addresses used to host RedLine control panels,” said ESET researcher Alexandre Côté Cyr. He noted that this implies around 1,000 subscribers to RedLine MaaS (malware as a service). The 2023 versions of RedLine they examined used the Windows Communication Framework for communication, while the 2024 version switched to a REST API.

The IP addresses ESET uncovered were spread worldwide but mostly concentrated in Germany, the Netherlands, and Russia, each contributing about 20%. About 10% came from Finland and the US. They also found various backend servers, with around 33% located in Russia and significant portions in Czechia, the Netherlands, and the UK.

So, what exactly was RedLine Stealer? Its main goal was to steal extensive data from victims, including cryptocurrency wallet information, credit card details, saved credentials, and data from services like desktop VPNs, Discord, Telegram, and Steam. Clients could purchase access through online forums or Telegram channels, choosing between a monthly subscription or a lifetime license. In return, they got a control panel to create malware samples and their own command and control server.

“Using a ready-made solution simplifies integration of RedLine Stealer into larger campaigns,” Côté Cyr explained. Some notable scams included fake downloads of ChatGPT in 2023 and disguised video game cheats in early 2024. Before the takedown, RedLine was likely the most widespread infostealer, boasting a considerable number of affiliates. However, the operation was likely run by just a few individuals. Importantly, the malware’s creator, Maxim Rudometov, has been identified and charged in the US.