Global Law Enforcement Operation Targets RedLine Stealer Malware
Quick take - On October 28, 2024, a global law enforcement operation named Operation Magnus successfully targeted the RedLine Stealer malware-as-a-service and its clone, META Stealer, resulting in the seizure of servers and domains, the arrest of individuals in Belgium, and unsealed charges against a suspect in the United States.
Fast Facts
- Operation Magnus: A global law enforcement initiative on October 28, 2024, aimed at dismantling the RedLine Stealer and META Stealer malware operations, involving agencies like the Dutch National Police and the FBI.
- Key Actions: Three servers in the Netherlands were taken offline, two domains seized, and two arrests made in Belgium, with charges unsealed against one individual in the U.S.
- RedLine Stealer Overview: Discovered in 2020, it operates on a malware-as-a-service model, allowing affiliates to purchase access to a control panel for managing infostealer campaigns.
- Malware Capabilities: RedLine can collect sensitive information, including cryptocurrency wallet data and saved credentials, often disguised as free downloads of popular software.
- Ongoing Threat: Despite the takedown, remnants of the RedLine operation may persist due to existing panels and older malware versions still in circulation, with over 1,000 unique IP addresses previously used for control panels.
Major Global Law Enforcement Operation Targets RedLine Stealer Malware
On October 28, 2024, a major global law enforcement operation, known as Operation Magnus, was carried out to dismantle the RedLine Stealer malware-as-a-service (MaaS) operation and its clone, META Stealer. This operation was a collaborative effort involving multiple law enforcement agencies, including the Dutch National Police, the FBI, and Eurojust.
Key Actions Taken
As part of the operation, three servers located in the Netherlands were taken offline, and two domains associated with the malware operations were seized. Two individuals were arrested in Belgium in connection with the operation, and charges were unsealed against one alleged perpetrator in the United States.
The RedLine Stealer malware was first discovered in 2020 by Proofpoint. It operates on a MaaS model, allowing affiliates to purchase a turnkey infostealer solution with options for a monthly subscription or a lifetime license. This model provides access to a control panel for managing malware samples and campaigns; the samples themselves are capable of collecting a wide range of information, including cryptocurrency wallet data, browser cookies, saved credentials, and data from applications such as Steam and Discord.
Previous Disruptions and Ongoing Threats
RedLine has been used in campaigns disguised as free downloads of popular tools like ChatGPT and cheats for video games. In April 2023, ESET, a cybersecurity company, participated in a partial disruption of RedLine, which involved the removal of several GitHub repositories used for the malware’s control panel. ESET also collaborated with researchers at Flare to investigate undocumented backend modules of the RedLine malware family.
Despite the recent takedown, the RedLine operation may still function temporarily because existing panels can continue to receive data. Older, cracked copies of the malware might also remain operational. ESET’s research revealed that over 1,000 unique IP addresses have been used to host RedLine control panels, with notable concentrations in Russia, Germany, and the Netherlands.
Technical Insights and Future Implications
The 2023 versions of RedLine utilized the Windows Communication Foundation (WCF) for communication, while the 2024 version transitioned to a REST API. The RedLine toolset is developed in C# using the .NET framework, and the control panel for managing campaigns is heavily obfuscated, complicating analysis. Affiliates of RedLine must authenticate to use the control panel, which previously relied on GitHub repositories as dead-drop resolvers for authentication. Following the disruptions in 2023, operators shifted to their own domains for authentication.
The latest version of the RedLine panel employs a hardcoded URL for this purpose and includes features for managing campaigns, configuring data collection, and integrating with Telegram for sharing stolen data. The Builder tab in the panel allows affiliates to create new malware samples with customizable options.
META Stealer, a clone of RedLine, was first announced in March 2022 and shares similar code and functionality with RedLine, suggesting that both malware families may be operated by the same individuals. A comprehensive list of indicators of compromise (IoCs) and samples related to both malware families is available in ESET’s GitHub repository, contributing to ongoing efforts to combat these cyber threats.