Cyber security analysts at ESET have released an in-depth look at the inner workings of the RedLine Stealer operation and its clone, known as Meta, following the Dutch-led operation that saw the cybercrime empire collapse.
Operation Magnus saw the Dutch National Police, operating with the support of the European Union and other agencies including the FBI and the UK’s National Crime Agency (NCA), dismantle the notorious infostealer infrastructure.
The action was the culmination of a lengthy investigation by ESET, which initially informed authorities in the Netherlands that some of the malware infrastructure was hosted in their jurisdiction. ESET was also a major contributor to a takedown effort last year that targeted the gang’s ability to use GitHub repositories as a dead-drop mechanism for locating its command-and-control servers.
In a detailed report, ESET said that after conducting a comprehensive analysis of the malware’s source code and backend infrastructure in the lead-up to Operation Magnus, it is now able to confirm with certainty that RedLine and Meta share the same creator, and that it identified more than 1,000 unique IP addresses used to control the operation.
“We were able to identify more than 1,000 unique IP addresses used to host RedLine control panels,” said Alexandre Côté Cyr, a researcher at ESET.
“Although there may be some overlap, this indicates there are 1,000 RedLine MaaS [malware-as-a-service] subscribers,” he added.
“The 2023 versions of RedLine Stealer ESET investigated in detail use the Windows Communication Framework for communication between components, while the newer 2024 version uses a REST API.”
Global operation
The IP addresses found by ESET were spread globally, although the largest shares were in Germany, the Netherlands and Russia, each accounting for around 20% of the total. Approximately 10% were located in Finland and the United States.
ESET’s investigation also identified several distinct backend servers, with around 33% in Russia, and the Czech Republic, the Netherlands and the UK each accounting for around 15%.
What is RedLine Stealer?
Ultimately, the goal of the RedLine and Meta operations was to collect massive amounts of data from their victims, including cryptocurrency wallet information, credit card details, saved credentials, and data from platforms including desktop VPN clients, Discord, Telegram and Steam.
Customers of the operators purchased access to the product, which ESET described as a “complete infostealing solution”, through various online forums or Telegram channels. They could choose either a recurring monthly subscription or a lifetime licence, and in exchange for their money they received a control panel used to generate malware samples and to act as a personal command-and-control server.
“Using an off-the-shelf solution makes it easier for affiliates to integrate RedLine Stealer into larger campaigns,” said Côté Cyr. “Some notable examples include pretending to be free downloads for ChatGPT in 2023 and masquerading as video game cheats in the first half of 2024.”
At its peak, before the takedown, RedLine was perhaps the most widespread infostealer, with a relatively large number of affiliates. However, the MaaS operation was likely run by a very small number of people, ESET said.
Significantly, the malware’s creator, named as Maxim Rudometov, has been identified and charged in the United States.