ESET shines light on cyber criminal RedLine empire

Cyber security analysts at ESET have published a detailed analysis of the RedLine Stealer operation and its clone, Meta, following the dismantling of the cyber criminal empire in a Dutch-led operation.

Operation Magnus, carried out by the Dutch National Police force with support from the European Union, FBI, and UK’s National Crime Agency, successfully took down the infamous infostealers’ infrastructure.

ESET played a crucial role in the investigation, initially notifying Dutch authorities that the malware infrastructure was hosted in their jurisdiction. ESET also participated in a preliminary operation targeting the gang’s use of GitHub repositories as a control mechanism.

After analysing the source code and backend infrastructure of both malware families, ESET confirmed that RedLine and Meta were created by the same individual. The researchers identified over 1,000 unique IP addresses used to control the operation.

According to ESET researcher Alexandre Côté Cyr, “We identified over 1,000 unique IP addresses hosting RedLine control panels, indicating a significant number of subscribers to the RedLine MaaS.”

ESET’s investigation revealed that the 2023 versions of RedLine Stealer used the Windows Communication Framework, while the latest version from 2024 utilizes a REST API for communication.

Global operation

ESET found that the IP addresses were spread globally, with a high concentration in Germany, the Netherlands, and Russia. Approximately 10% of the addresses were located in Finland and the US.

The investigation also uncovered multiple backend servers, with a significant portion in Russia, and others in Czechia, the Netherlands, and the UK.

What was RedLine Stealer?

The primary objective of RedLine and Meta operations was to gather extensive data from victims, including cryptocurrency wallets, credit card details, saved credentials, and information from platforms like desktop VPNs, Discord, Telegram, and Steam.

Operators could purchase access to the infostealer through online forums or Telegram channels, choosing between monthly subscriptions or lifetime licences. They received a control panel that generated malware samples and also acted as the command and control server.

Côté Cyr explained, “Affiliates found it easier to integrate RedLine Stealer into larger campaigns using this turnkey solution. Examples include posing as free downloads of ChatGPT in 2023 and video game cheats in 2024.”

Before its takedown, RedLine was one of the most widespread infostealers with numerous affiliates, likely orchestrated by a small group of individuals. The creator, Maxim Rudometov, has been identified and charged in the US.