
Law enforcement operation targets infostealers


In a sweeping international effort, the U.S. Department of Justice, the Federal Bureau of Investigation and multiple global law enforcement agencies have announced “Operation Magnus,” targeting two of the world’s most notorious information-stealing malware networks, RedLine Stealer and META.

According to a press release published on October 29, the operation led to the seizure of multiple servers, the unsealing of charges against a RedLine Stealer developer and the arrest of two suspects in Belgium.

RedLine and META information stealers

RedLine Stealer and META are two different families of malware known as ‘information stealers’ or ‘infostealers’, designed to capture sensitive user data. RedLine Stealer’s existence was initially reported in 2020, while META first appeared in 2022.

In one interview, a representative of the META malware revealed that its development initially relied on portions of RedLine Stealer’s source code obtained through a sale. Both malware families are capable of stealing sensitive information from infected computers, such as:

  • Usernames and passwords for online services, including email boxes.
  • Financial information such as credit card numbers or bank accounts.
  • Session cookies, used to impersonate users of online services.
  • Cryptocurrency wallets.


Both malware families also offer the ability to bypass multi-factor authentication. The stolen information can be used by the malware’s operator, but can also be sold as files called ‘logs’ in underground cybercriminal forums or marketplaces.

RedLine Stealer and META have infected millions of computers around the world and stolen even more credentials. Specops Software, a company focused on password security, reported that RedLine Stealer stole more than 170 million passwords in just six months, while META stole 38 million passwords in the same period.

According to the DOJ press release, RedLine Stealer has also been used to carry out intrusions against major companies.

Malware-as-a-Service (MaaS) business model

Both malware families are sold through a Malware-as-a-Service business model, where cybercriminals purchase a license to use variants of the malware and then launch their own infection campaigns. Distribution can happen through malicious emails, malvertising, fraudulent software downloads, malicious software sideloading and instant messaging. Several cybercriminals have used a variety of social engineering tricks and lures to infect victims, including fake Windows updates.

Statistics panel 2023 for RedLine Stealer. Image: Flare.io

Several servers and communication channels disabled

A warrant issued by the Western District of Texas authorized law enforcement to seize two command and control domains used by RedLine Stealer and META.

Both domains now show content about the operation.

New page for the RedLine Stealer and META seized C2 servers. Image: TechRepublic

Three servers were taken down in the Netherlands, and several RedLine Stealer and META communication channels have been disabled by Belgian authorities.

Moreover, a website about Operation Magnus informs and supports victims. A video shown on the website sends a strong message to cybercriminals who have used RedLine or META, showing a list of nicknames said to be VIPs – ‘Very Important to the Police’ – and ending with an image of handcuffs and a message: ‘We look forward to seeing you soon!’

The website also offers an online scanner for RedLine/META infections from cybersecurity company ESET.

The US DOJ also unsealed charges against Maxim Rudometov, one of the developers and maintainers of the RedLine Stealer malware, who regularly accessed and managed its infrastructure. Rudometov is also associated with several cryptocurrency wallets used to receive and launder payments from RedLine customers.

Two other individuals were also taken into custody in Belgium, although one was later released; no further details have been made public.

How to protect yourself from information stealers

Information stealers can infect computers in numerous ways. Therefore, all systems and software must be kept updated and patched to prevent an infection that exploits a known vulnerability.

Additionally, companies can protect themselves against cybercriminals by:

  • Deploying security software and antivirus on all systems.
  • Implementing multi-factor authentication, which adds a protective layer for services that require authentication.
  • Changing all passwords if a system is compromised. This should be done only after the stealer has been removed from the system, otherwise the new passwords will be stolen as well.

Furthermore, users should never reuse the same password across different services. Using a password manager with a unique, complex password for each service or tool is very effective and should be mandatory in organizations.

Disclosure: I work for Trend Micro, but the views expressed in this article are my own.