valerybrozhinsky – stock.adobe.c
ESET publishes fresh data on the inner workings of the RedLine Stealer malware empire, which was taken down at the end of October
Cyber security analysts at ESET have released an in-depth look at the inner workings of the RedLine Stealer operation and its clone, known as Meta, in the wake of a Dutch-led operation that saw the cyber criminal empire laid low.
Operation Magnus saw the Dutch National Police force, working with European Union support and other agencies including the FBI and the UK’s National Crime Agency (NCA), dismantle the infamous infostealers’ infrastructure.
The action was the culmination of a lengthy investigation to which ESET – which initially notified the authorities in the Netherlands that some of the malwares’ infrastructure was being hosted in their jurisdiction – was a key contributor, taking part in a preliminary operation last year that targeted the gang’s ability to use GitHub repositories as a “dead-drop” control mechanism.
In an extensive dossier, ESET said that having conducted an extensive analysis of the malwares’ source code and backend infrastructure in the run-up to Operation Magnus, it was now able to confirm with certainty that both Redline and Meta did indeed share the same creator, and identified well over 1,000 unique IP addresses that had been used to control the operation.
“We were able to identify over 1,000 unique IP addresses used to host RedLine control panels,” said ESET researcher Alexandre Côté Cyr.
“While there may be some overlap, this suggests on the order of 1,000 of subscribers to the RedLine MaaS [malware as a service],” he added.
“The 2023 versions of RedLine Stealer ESET investigated in detail used the Windows Communication Framework for communication between the components, while the latest version from 2024 uses a REST API.”
Global operation
The IP addresses found by ESET were dispersed globally, although mostly in Germany, the Netherlands and Russia, all accounting for about 20% of the total. Approximately 10% were located in Finland and the US.
ESET’s investigation also identified multiple distinct backend servers, with about 33% in Russia, and Czechia, the Netherlands and the UK all accounting for about 15%.
What was RedLine Stealer?
Ultimately, the goal of the RedLine and Meta operations was to harvest vast amounts of data from its victims, including information on cryptocurrency wallets, credit card details, saved credentials, and data from platforms including desktop VPNs, Discord, Telegram and Steam.
The operators’ clients bought access to the product, described by ESET in corporate terms as a “turnkey infostealer solution”, through various online forums or Telegram channels. They could select either a monthly rolling subscription or a lifetime licence, and in exchange for their money received a control panel to generate malware samples and act as a personal command and control server.
“Using a ready-made solution makes it easier for the affiliates to integrate RedLine Stealer into larger campaigns,” said Côté Cyr. “Some notable examples include posing as free downloads of ChatGPT in 2023 and masquerading as video game cheats in the first half of 2024.”
At its peak, prior to the takedown, RedLine was probably the most widespread infostealer in operation, with a comparatively large number of affiliates. However, said ESET, the MaaS enterprise was likely orchestrated by a very small number of people.
Crucially, the creator of the malwares, named as Maxim Rudometov, has been identified and charged in the US.
Read more on Hackers and cybercrime prevention
RedLine, Meta malwares meet their demise at hands of Dutch cops
By: Alex Scroxton
More than 160 Snowflake customers hit in targeted data theft spree
By: Alex Scroxton
Mandiant: ‘Exposed credentials’ led to Snowflake attacks
By: Alexander Culafi
Data on over 3,000 Airbus suppliers leaked after breach
By: Alex Scroxton
