WWW.COMPUTERWEEKLY.COM
ESET shines light on cyber criminal RedLine empire
Cyber security analysts at ESET have released an in-depth look at the inner workings of the RedLine Stealer operation and its clone, known as Meta, in the wake of a Dutch-led operation thatsaw the cyber criminal empire laid low.Operation Magnus saw the Dutch National Police force, working with European Union support and other agencies including the FBI and the UKs National Crime Agency (NCA), dismantle the infamous infostealers infrastructure.The action was the culmination of a lengthy investigation to which ESET which initially notified the authorities in the Netherlands that some of the malwares infrastructure was being hosted in their jurisdiction was a key contributor, taking part in a preliminary operation last year that targeted the gangs ability to use GitHub repositories as a dead-drop control mechanism.In an extensive dossier, ESET said that having conducted an extensive analysis of the malwares source code and backend infrastructure in the run-up to Operation Magnus, it was now able to confirm with certainty that both Redline and Meta did indeed share the same creator, and identified well over 1,000 unique IP addresses that had been used to control the operation.We were able to identify over 1,000 unique IP addresses used to host RedLine control panels, said ESET researcher Alexandre Ct Cyr.While there may be some overlap, this suggests on the order of 1,000 of subscribers to the RedLine MaaS [malware as a service], he added.The 2023 versions of RedLine Stealer ESET investigated in detail used the Windows Communication Framework for communication between the components, while the latest version from 2024 uses a REST API.The IP addresses found by ESET were dispersed globally, although mostly in Germany, the Netherlands and Russia, all accounting for about 20% of the total. Approximately 10% were located in Finland and the US.ESETs investigation also identified multiple distinct backend servers, with about 33% in Russia, and Czechia, the Netherlands and the UK all accounting for about 15%.Ultimately, the goal of the RedLine and Meta operations was to harvest vast amounts of data from its victims, including information on cryptocurrency wallets, credit card details, saved credentials, and data from platforms including desktop VPNs, Discord, Telegram and Steam.The operators clients bought access to the product, described by ESET in corporate terms as a turnkey infostealer solution, through various online forums or Telegram channels. They could select either a monthly rolling subscription or a lifetime licence, and in exchange for their money received a control panel to generate malware samples and act as a personal command and control server.Using a ready-made solution makes it easier for the affiliates to integrate RedLine Stealer into larger campaigns, said Ct Cyr. Some notable examples include posing as free downloads of ChatGPT in 2023 and masquerading as video game cheats in the first half of 2024.At its peak, prior to the takedown, RedLine was probably the most widespread infostealer in operation, with a comparatively large number of affiliates. However, said ESET, the MaaS enterprise was likely orchestrated by a very small number of people.Crucially, the creator of the malwares, named as Maxim Rudometov, has been identified and charged in the US.Read more about malwareBlackBerrys latest Global threat intelligence report details a surge in unique malware samples as threat actorsramp up the pace of targeted attacks.Peach Sandstorm, an Iranian state threat actor, has developed a dangerous new malware strain that forms a key element ofa rapidly evolving attack sequence.US State Department puts a $2.5m bounty on the head of Angler exploit kit developer and ransomware crew member Volodymyr Kadariyaas part of a major developing case.
0 Commentarios 0 Acciones 37 Views