Introduction
Redline and Meta are two prominent infostealers that have significantly impacted global cybersecurity. These malicious software programs target millions of devices worldwide, extracting sensitive information and facilitating various cybercrimes. Operating under a decentralized Malware as a Service (MaaS) model, they have become a major concern for law enforcement and cybersecurity experts.
Description
Redline and Meta are notorious infostealers that target millions of victim devices globally, extracting sensitive information such as usernames [7] [10], passwords [1] [3] [4] [5] [6] [7] [9] [10] [11], financial data [5] [7] [9] [10] [11], cryptocurrency account details [5] [7], credit card numbers [4] [7], saved form data [6], addresses [1] [3] [4] [6] [7] [9] [11], email addresses [4] [6] [7] [9] [11], phone numbers [6] [11], and cookies [6] [11]. Operating under a decentralized Malware as a Service (MaaS) model, these infostealers allow affiliates to purchase licenses and launch their own campaigns [5] [7], leading to widespread infections through various distribution methods, including malvertising [7], email phishing [5] [7], fraudulent software downloads [5] [7], and malicious software sideloading [5] [7]. Their lures often use themes such as COVID-19 or Windows updates to deceive victims [5] [7].
Active since 2020 [3], Redline is one of the most prolific infostealers [3], linked to significant breaches [3], including a 2022 hack at Uber and the theft of login details from Worldcoin Orb operators [3]. Redline specializes in collecting credentials [1], cookies [1] [5] [6] [11], and system information [1], making it particularly popular for phishing campaigns and botnets [1]. It has also been implicated in intrusions against major corporations and is capable of bypassing multi-factor authentication by stealing authentication cookies [5]. Meta [1] [2] [3] [4] [6] [9] [10], a newer infostealer [3], is closely related to Redline and targets login details, credit card information [1], and cryptocurrency wallets [1] [5] [6] [7] [9] [11]. Both have been the focus of a coordinated international law enforcement effort, with authorities indicating that all users of Redline and Meta are considered “Very Important to the Police.” The operators of Redline and Meta sell the stolen data, often referred to as “logs,” on criminal marketplaces; the data is then used for identity theft [6], financial fraud [6] [8], and further hacking activities [9] [11]. The volume of data collected from infected computers reveals the extensive impact of these infostealers: advanced cybercriminals often use them as initial access vectors for deploying ransomware, while less experienced actors use them primarily for credential theft.
In a significant crackdown, the Dutch National Police [1] [3] [11], in collaboration with the FBI and international authorities, dismantled the infrastructure used by Redline and Meta as part of “Operation Magnus” on October 28. This operation was coordinated by Eurojust and involved law enforcement agencies from the Netherlands [10], the United States [8] [10] [11], Belgium [2] [5] [7] [8] [9] [10] [11], Portugal [8] [10] [11], the United Kingdom [8] [10] [11], and Australia [4] [8] [10] [11], with support from Europol [8]. Following a tip from the cybersecurity firm ESET Nederland regarding potential malware servers [8], investigators uncovered the technical infrastructure and communication channels used by these infostealers [8]. The operation resulted in the seizure of over 1,200 servers across multiple countries [9], including three servers in the Netherlands [9] [10] [11], and of two domains [2] [10] [11], as well as the arrest of two individuals in Belgium [9] [11], along with one suspect in the US. Additionally, the US Department of Justice unsealed a warrant from the Western District of Texas [2], allowing law enforcement to confiscate domains used for command and control by Redline and Meta [2]. Authorities gained access to a database of clients linked to these malware-as-a-service operations [10], revealing usernames, passwords [1] [3] [4] [5] [6] [7] [9] [10] [11], IP addresses [1] [3], timestamps [3], registration dates [3], and the source code for both infostealers [3], as well as the Telegram accounts used by their operators [3].
Investigations began after victims reported incidents and a security firm alerted authorities about potential servers linked to the malware [10] [11]. Following the takedown [11], law enforcement sent a clear message to the alleged perpetrators, demonstrating their capability to disrupt criminal activities [11]. Significant actions from this operation included the dismantling of several communication channels associated with Redline and Meta, as well as the filing of charges against Maxim Rudometov, a developer and administrator of Redline Infostealer [2] [5] [7], for access device fraud [5], conspiracy to commit computer intrusion [5], and money laundering [5]. If convicted [5], he faces significant prison time [5].
In response to the threat [10], cybersecurity firm ESET released a free online scanner for Redline and Meta malware [10], allowing individuals to check whether their data has been compromised and to receive guidance on necessary actions. Recommendations for victims include consulting experts for malware removal [10], changing passwords for key accounts [10], using password managers [10], monitoring financial accounts for suspicious activity [10], reporting stolen data [10], updating software [10], considering additional security measures like VPNs [10], and engaging in long-term monitoring for unusual account activity [10]. One report notes that it remains unclear whether any arrests have been made [3], though legal actions are reportedly underway [3]. In June 2024 [6], a separate law enforcement operation led by the UK’s National Crime Agency dismantled infrastructure associated with the Cobalt Strike tool [6], further targeting the ecosystem in which these infostealers operate. A countdown timer on the operation’s website suggests that further announcements are forthcoming regarding the ongoing efforts against these threats. Eurojust clarified that the META name used by the malware platform is not associated with the California-based company Meta [9], which owns Facebook [9], Instagram [9], and WhatsApp [9].
Conclusion
The global crackdown on Redline and Meta underscores the significant threat posed by these infostealers. The collaborative efforts of international law enforcement and cybersecurity firms have disrupted their operations, yet the threat persists. Continued vigilance, enhanced cybersecurity measures, and international cooperation are essential to mitigate the risks associated with such malware. Future operations and technological advancements will play a crucial role in combating these evolving cyber threats.
References
[1] https://www.techradar.com/pro/security/some-of-the-biggest-password-stealers-around-may-have-been-disrupted-by-police
[2] https://news.bloomberglaw.com/privacy-and-data-security/us-doj-takes-action-against-redline-and-meta-infostealers
[3] https://techcrunch.com/2024/10/28/police-operation-claims-takedown-of-prolific-redline-and-meta-password-stealers/
[4] https://www.darkreading.com/threat-intelligence/fbi-partners-disrupt-redline-meta-stealer-operations
[5] https://www.justice.gov/usao-wdtx/pr/us-joins-international-action-against-redline-and-meta-infostealers
[6] https://www.infosecurity-magazine.com/news/law-enforcement-redline-meta/
[7] https://www.irs.gov/compliance/criminal-investigation/us-joins-international-action-against-redline-and-meta-infostealers
[8] https://nltimes.nl/2024/10/29/dutch-police-help-take-two-big-info-stealing-software
[9] https://www.yahoo.com/news/global-police-shut-down-malware-105928535.html
[10] https://securityaffairs.com/170369/cyber-crime/law-enforcement-operation-disrupted-redline-and-meta-infostealers.html
[11] https://www.eurojust.europa.eu/news/malware-targeting-millions-people-taken-down-international-coalition