A global law enforcement operation has disrupted infrastructure for the Redline and Meta info stealers, malware tools that cybercriminal groups use to steal sensitive personal data. Operation Magnus took place on 28 October 2024: law enforcement shut down three servers in the Netherlands used to run the malware and seized two domains. This means the malware no longer functions and cannot currently be used to steal new data from infected victims.
See: https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-09-23-2022
Authorities have also retrieved a database of thousands of Redline and Meta clients and will continue investigating these criminal actors. One alleged administrator of the info stealers has been indicted in the US, and two suspected customers have been taken into custody in Belgium. One of these suspected customers has since been released.
The US Attorney's Office in the Western District of Texas has confirmed the identity of the alleged administrator, Maxim Rudometov. Rudometov is accused of regularly accessing and managing the infrastructure of Redline Infostealer, being associated with various cryptocurrency accounts used to receive and launder payments, and possessing Redline malware. He has been charged with access device fraud, conspiracy to commit computer intrusion, and money laundering, charges that carry maximum prison sentences of 10 years, five years, and 20 years, respectively. In addition, several Telegram accounts used to distribute the infostealers have been taken down.
The operation was prompted by a tip from cybersecurity company ESET about servers in the Netherlands related to the malware. This initiated an investigation more than a year ago that provided insights into the technical infrastructure of the infostealers, the communication channels used, and the entire user base. During the investigation, authorities discovered that over 1,200 servers in dozens of countries were running the malware.
Following the takedown, Dutch national police issued a message to the actors behind the infostealers via a dedicated Operation Magnus website. This included a video showing that the international coalition of authorities was able to obtain crucial data on their network and shut down their criminal activities. After the message was sent, Belgian authorities took down several Redline and Meta communication channels. The website, www.operation-magnus.com, appears to be offline at the time of writing.
Operation Magnus involved law enforcement agencies from the Netherlands, the US, Belgium, Portugal, the UK, and Australia, and it was coordinated by the European Union Agency for Criminal Justice Cooperation (Eurojust).
Redline and Meta are info stealers designed to steal personal data from victim devices, including usernames and passwords, automatically saved form data such as addresses, email addresses and phone numbers, cryptocurrency wallets, and cookies. After retrieving this information, the infostealer operators sell the data to other cybercriminals via criminal marketplaces. Those who purchase this data then use it for follow-on activities, including identity theft, financial fraud, and ransomware attacks.
Dutch police noted that Redline and Meta are among the most well-known infostealers worldwide, which have been operating for years and amassed millions of victims.
Eurojust said that a private security company has launched an online tool to allow people to check if their data was stolen, with further details available on the Operation Magnus website.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424