Information stealers, known as “infostealers,” are a type of malware that has become a pervasive part of the threat landscape. Users become infected by these silent predators by following misleading search engine results or advertisements, downloading fake software updates and falling victim to email phishing. Infostealers raid computers for valuable data, including login credentials, browser cookies, cryptocurrency wallets and other financial and system data. Some are coded to steal the data and delete themselves, while others stay on machines long term, sending fresh information to their controllers. The development of infostealers is part of the malware-as-a-service (MaaS) economy, in which malware coders specialize in developing and selling tools for lesser-skilled cybercriminals.
Numerous underground developers offer infostealers and the resources to distribute them. The data stolen by infostealer campaigns ends up sold on underground markets and Telegram, where customers buy “logs,” or batches of stolen data. Cybercriminals can then use the stolen data to attempt account takeovers and conduct further intrusions aimed at data theft and extortion. This poses huge risks for enterprises.
On Oct. 29, 2024, Dutch and U.S. authorities confirmed a disruption action, Operation Magnus, against two types of infostealers: RedLine and Meta. The coordinated law enforcement action resulted in the seizure of two domains and three command-and-control (C2) servers supporting the stealers. Multiple associated Telegram channels were taken offline and millions of compromised victim credentials were recovered. The recovered data includes usernames and passwords, email addresses, bank account details and payment card numbers (see the Eurojust press release). According to a video published on Operation Magnus’ website, investigators gained full access to the infrastructure and data related to threat actors, including usernames, passwords, IP addresses, time stamps and registration information. Other evidence collected includes source code, license servers, representational state transfer application programming interface (REST API) servers, panels and Telegram bots. The video displays a chyron showing a stream of threat actor personas, while the voice-over says those personas include RedLine and Meta users with VIP status. To help victims, ESET has released a tool for users to check whether their systems have been infected with either RedLine or Meta.
Additionally, U.S. authorities unsealed charges against Maxim Rudometov for allegedly administering RedLine. He was charged in the U.S. District Court for the Western District of Texas with access device fraud, conspiracy to commit computer intrusion and money laundering. Two people also were arrested in Belgium. One was an infostealer customer and the other has since been released.
This post will examine RedLine and Meta, the accused threat actor and the effects this disruption may have on these operations.
RedLine
Written in the C# programming language, RedLine has been one of the most prominent infostealers in the underground. Authorities estimate it has infected millions of computers since its launch in February 2020. In 2023, Intel 471’s Malware Intelligence tracked RedLine as the most downloaded infostealer. It was advertised on Russian underground forums by the threat actor Glade aka REDGlade, REDLINE. It was sold using a MaaS model, where threat actors could choose various options and services. A monthly license cost US $150 and a lifetime license US $900, payable in bitcoin or other cryptocurrency. Threat actors could buy a RedLine subscription via a Telegram bot that automated its purchase and provisioning. The bot’s menu was in English and Russian. The menu had selections for buying or renewing RedLine, adding cryptocurrency funds, rules related to using RedLine and information about pay-per-install (PPI) services. PPI is another type of cybercrime-as-a-service in which threat actors distribute malware to already-compromised computers for a fee. RedLine also highlighted “crypter” services, which are critical for encrypting and packing malware so that it evades detection by security software.
RedLine’s C2 server runs as a Windows executable (.exe) file, which makes it easier to set up for users not familiar with Linux. Those who purchased the malware received a compressed (.zip) file that contained a configuration utility. When the utility was executed, customers entered credentials given to them at the time of purchase. Once authenticated, the customer gained access to a utility to configure and create a “build” of RedLine, or a unique .exe, which could then be distributed to computers. Samples of RedLine indicated each had a unique identifier that could be used to associate a build with a specific delivery mechanism or install service.
RedLine collects any data stored in the browser, such as login credentials, personal information and credit card data. It can also retrieve “cookies,” the small data files that allow a person to stay logged in to an online service without authenticating again. Cookies are sometimes valid for long periods of time. When threat actors replay those cookies, they gain access to the account, often circumventing multifactor authentication (MFA) because the session was already authenticated when the cookie was issued. Cryptocurrency accounts were also targeted, with RedLine capable of stealing access tokens that could be used to replicate a wallet, including from Google Chrome extensions that handle cryptocurrency. Clients also praised the actor’s claim that stealer version 80 could circumvent the latest Google Chrome password and cookie encryption mechanism. RedLine customers gained access to a panel that showed statistics on infected machines and data harvested. After it is collected, the stolen data is offered on underground markets in bundles called “logs” or in bespoke orders based on customer parameters, such as where a victim lives or the type or name of a company. The volume of stolen data is so large that custom tools have been developed to extract and parse the data for efficient searching and use.
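The cookie-replay problem described above has a server-side signal: a session cookie that was issued to one browser on one network suddenly turns up in requests from a different client context. The following added example (written for this post; it is not Intel 471 code, nor anything from RedLine) runs a minimal replay detector over a handful of constructed web-server session events. The hosts, IP addresses, session IDs and user-agent strings are all made up for illustration.

```python
"""
Added example: flag session cookies presented from a client context other
than the one they were issued in (a common indicator of a stolen, replayed
cookie). Events, IPs and session IDs are constructed sample data.
"""
from collections import namedtuple

# One session event: ISO-8601 timestamp, session cookie ID, client IP,
# User-Agent header and the action performed.
Event = namedtuple("Event", "ts session_id ip user_agent action")

CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/129"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux) Firefox/130"

# Constructed sample log. sess-a1 completes MFA from one host, then the same
# cookie is used 40 minutes later from another IP with a scripted client.
SAMPLE_EVENTS = [
    Event("2024-10-29T08:00:00Z", "sess-a1", "203.0.113.10", CHROME_WIN, "login_mfa_ok"),
    Event("2024-10-29T08:05:00Z", "sess-a1", "203.0.113.10", CHROME_WIN, "view_inbox"),
    Event("2024-10-29T08:45:00Z", "sess-a1", "198.51.100.77", "python-requests/2.32", "export_contacts"),
    Event("2024-10-29T09:00:00Z", "sess-b2", "192.0.2.5", FIREFOX_LINUX, "login_mfa_ok"),
    Event("2024-10-29T09:10:00Z", "sess-b2", "192.0.2.5", FIREFOX_LINUX, "view_inbox"),
]


def detect_session_replay(events):
    """Return one alert per request whose session cookie is used from a
    context (IP, User-Agent) different from the one recorded at issuance.

    The earliest event for a session ID is treated as the issuing context
    (the MFA-completed login). Later events are compared against it; any
    mismatch is reported with the reasons, so an analyst can see whether
    only the IP moved (possibly benign) or the client software changed too.
    """
    issued = {}   # session_id -> (ip, user_agent) at issuance
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):   # ISO timestamps sort lexically
        if ev.session_id not in issued:
            issued[ev.session_id] = (ev.ip, ev.user_agent)
            continue
        orig_ip, orig_ua = issued[ev.session_id]
        reasons = []
        if ev.ip != orig_ip:
            reasons.append(f"ip changed {orig_ip} -> {ev.ip}")
        if ev.user_agent != orig_ua:
            reasons.append("user-agent changed")
        if reasons:
            alerts.append({
                "session_id": ev.session_id,
                "ts": ev.ts,
                "action": ev.action,
                "reasons": reasons,
            })
    return alerts


def sessions_to_revoke(events):
    """Session IDs that should be invalidated because a replay was detected."""
    return sorted({a["session_id"] for a in detect_session_replay(events)})


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['session_id']} {alert['action']}: "
              + "; ".join(alert["reasons"]))
    print("revoke:", sessions_to_revoke(SAMPLE_EVENTS))
```

On the sample data this flags only the third event: the sess-a1 cookie reappears from a new IP and a non-browser client while the cookie is still valid. In production this check produces false positives for users whose IP legitimately changes (mobile networks, VPN roaming), so the IP-only case is usually scored lower than an IP-plus-client change; shortening cookie lifetime and re-prompting for MFA before sensitive actions reduce the window in which a lifted cookie is useful at all.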
In the early months after RedLine launched in 2020, clients who tested the stealer provided mainly positive reviews. The actor Tumbs allegedly used the malware in four campaigns with an average of about 700 successful infections per 1,000 malware installs and praised the certificate-cloning function. Another actor claimed to use the malware for three months and called it the best stealer since AZORult. Some said there was still room for improvement. The primary drawback allegedly was a dependency on the .NET Framework. The actor Glade was polite toward clients, accepted criticism, expressed a willingness to improve the product and considered clients’ requests. Some copies of RedLine leaked, however. One of the cracked versions of the stealer displays a notification attributing the cracked version to the actor Lenskiy, who is the developer of Borr information-stealer malware.
RedLine continued to be a desired infostealer, but its popularity peaked in 2023 when it was the most downloaded malware and the most downloaded infostealer malware according to data gathered by Intel 471’s malware emulation systems. RedLine’s distribution suddenly fell in December 2023, declining by 89%. Another infostealer, RisePro, emerged that month as the most downloaded malware, followed by Socks5_Systemz and SmokeLoader.
Why RedLine declined is unknown. PPI services themselves rely on malware to install other malware on already-compromised machines. Though there is no direct evidence, it is plausible an install service previously dependent on RedLine might have transitioned to RisePro. Underground businesses tend to pivot just as legitimate businesses do based on prices and new features. RisePro and Privateloader — both developed by the same group of threat actors — underwent significant updates. Privateloader was also a major distributor for RedLine and RisePro. Additionally, RedLine’s developers may have decided to focus more on their parallel project, Meta, as it was updated to version 4.2 around that period of time.
In April 2024, RedLine still seemed viable as a MaaS offering, and REDGlade continued to be regarded as a reputable member of the cybercrime underground. Threat actors could buy RedLine using the Telegram bot. But RedLine declined again in May 2024, and it appeared to not recover. Since then, its prominence has faded as threat actors shifted to Meta.
Meta
Meta is a RedLine fork first advertised on the Russian-language WWH-Club underground forum March 17, 2022. The cost was listed as US $150 per month. The actor __META__ joined the WWH-Club forum March 4, 2022, and authored only four posts that promoted Meta. The actor’s profile indicated __META__ spent about US $360 for goods and services on the board, which added weight to the actor’s faith in the offering. A WWH-Club forum administrator, the actor REKLAMA, approved __META__’s advertisement thread after the actor paid a forum fee. One forum member, the actor xdcyMAE3042, left positive feedback about Meta.
Like RedLine, the malware was written in the C# programming language. All features, code and panel were drawn from the RedLine stealer but included some minor updates, such as a layer of advanced encryption standard (AES) encryption over the internal configuration. The communication protocol was essentially the same, but Meta used different tags and changed the order of several parameters in the requests it performed. Meta was promoted as having a smaller build size and a lower detection rate by security software than RedLine. It was also geofenced so that it did not execute on computers within Commonwealth of Independent States (CIS) countries, a common feature of malware coded by eastern European and Russian threat actors.
Buying Meta was similar to RedLine. It was offered through a fully automated, simple Telegram bot as seen below.
Here’s an example of how infostealers play a significant role in the execution of other types of cybercrime. In the second half of 2023, we observed Meta distributed in social-engineering campaigns targeting the hospitality industry. In one example, an attacker posed as a potential guest asking to make a reservation. When the hotel responded, the attacker sent another email with room preferences and booking dates along with a URL disguised as a portable document format (PDF) file. When the recipient clicked on the file, they were redirected to a file-sharing platform. The downloaded file was Meta. Meta would then collect credentials for a hotel’s reservation portal and related systems, such as the hotel’s booking.com administration panel. This then provided the attackers with visibility into current room reservations made by customers. Those customers were then approached with phishing schemes to steal payment card credentials. For more information on these campaigns, see the blog post “How Cybercriminals Exploit the Hospitality Industry.”
Alleged Actor: Maxim Rudometov
The criminal complaint against Maxim Rudometov outlines why investigators believe he is behind RedLine and Meta. One of the clues that led to his alleged identity being discovered appeared not long after he launched RedLine when a fellow threat actor — and competitor — softly doxxed him.
A threat actor going by the nickname foxovsky posted an analysis of the RedLine stealer on an online anonymous publishing service called Telegraph. The blog was captured by the Internet Archive’s Wayback Machine March 11, 2020. The blog was sharply critical of RedLine and clearly written by someone with strong knowledge of coding practices related to infostealer malware. The actor foxovsky did not use Rudometov’s real name. Instead, foxovsky referred to RedLine’s creator by two older nicknames, Dendimirror and Alinchok, both of which are linked to infostealer development. In the piece, foxovsky disparages Dendimirror/Alinchok as a “clumsy coder” and contends RedLine’s “usability is at the level of the 2000s” and “colors are at the level of the ‘90s.” The actor gives Dendimirror/Alinchok a rare spot of praise for coding RedLine to accommodate different browser profiles, writing, “I was expecting this from you in 2018, but better late than never.” The blog post also links Dendimirror/Alinchok to MysteryStealer, another infostealer. There appears to be a motivation for foxovsky’s teasing animosity. According to Intel 471’s Adversary Intelligence, there are strong indications foxovsky is the developer of the Vidar and Arkei infostealers. Vidar was another popular infostealer that also ran as a MaaS-type offering.
The blog is mentioned in the criminal complaint against Rudometov. The actor’s linking of the Dendimirror and Alinchok monikers to RedLine gave investigators historical threat actor threads to pull. Law enforcement received information from a private security firm that found a Yandex email address in a data breach of a Russian-language hacker forum called YouHack. The Yandex email had been used to register an account under the Dendimirror nickname, and the email was connected to other monikers including GHackiHG and bloodzz.fenix. The connections between these identifiers eventually led to a VK profile under Rudometov’s name. The same Yandex email was also used to register an Apple iCloud account in Rudometov’s name. Investigators allege they found further connections between identifiers, accounts and infrastructure, including:
A file called “MysteryPanel.rar” in Rudometov’s iCloud account, which was related to MysteryStealer and RedLine’s code.
Photos in the iCloud account that included personal ones and one of Rudometov’s official identification.
The same IP addresses used to access Rudometov’s iCloud account were used to access RedLine’s licensing server.
A Binance cryptocurrency account was registered with the Yandex email address mentioned above.
A GitHub account under the username GHackiHG was accessed using the same IP address that was used to access Rudometov’s iCloud account, sometimes within minutes of each other.
Assessment
This disruption action struck at the core infrastructure and communication channels related to RedLine and Meta, but as of Oct. 30, 2024, RedLine activity has only slightly decreased. The likely reason is that RedLine’s code and administration panel software are sold by other underground vendors outside the core operation targeted by law enforcement. Also, the malware and panel administration software have been cracked, or had their licensing protections circumvented, allowing threat actors to use them via alternate channels. This means some RedLine operators have been unaffected by this action and are working as usual.
However, this should not diminish the significance of Operation Magnus. The action has successfully disrupted two significant strains in the infostealer ecosystem. The back-end data from the systems should help in remediation, as it should be possible to identify and alert victims as has been done in other botnet and malware disruptions such as Qakbot. The data from RedLine and Meta’s infrastructure may also help in identifying key threat actor customers of these malware programs. There’s also the psychological effect on threat actors. The video on the Operation Magnus site was sent to identified threat actors before authorities took down the malware servers. It may cause some threat actors to worry that their most valuable asset when executing online crime — anonymity — may eventually, and suddenly, disappear.