How a chain of operational security failures guided U.S. authorities to the suspected creator of the Redline password-stealing malware.

US prosecutors on Tuesday charged Russian national Maxim Rudometov with allegedly creating and distributing the notorious Redline password-stealing malware.

The charges were part of "Operation Magnus," a long-planned international operation in which Dutch police and their counterparts worldwide yesterday dismantled the infrastructure used by the prolific malware strains known as Redline and Meta to steal sensitive information from millions of people.

The criminal complaint unsealed on Tuesday laid out a litany of "opsec" errors. From those, law enforcement traced an account in the malware's network back to an account registered with an email address at Yandex, Russia's most popular search engine. Rudometov had used that address to register online accounts under nicknames he reused across different forums, including the platforms where he posted about himself and more private services such as Skype and iCloud.

US authorities say they obtained access to files in Rudometov's iCloud account; these include "numerous files identified by antivirus engines as malware, including at least one that was … determined to be Redline."

The complaint states that Rudometov used the same Yandex email address to sign up for a publicly visible profile on the Russian social networking site VK. Investigators found that Rudometov "bore a close resemblance" to a person pictured in an advertisement found within an earlier blog post titled "Redline." The advertisement touted the person's experience in "writing botnets and stealers."

The complaint states that the defendant allegedly also used one of his hacking monikers, "ghacking," on VK's dating website.

Following a tip from an anonymous security company in August 2021, U.S. law enforcement obtained a search warrant to seize data from one of the servers Redline was using. That data turned up further leads: an IP address and a Binance account registered with the same Yandex address linked to Rudometov.
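The pivots described above (one email address and a set of nicknames reused across forums, Skype, iCloud, VK and a cryptocurrency exchange account) are the raw material of this kind of attribution. The following is an added Python example, not code from the article or from any law-enforcement tool, that performs that correlation over a handful of constructed, fictional account records; every platform name, handle, email address and IP address in it is invented for illustration.

```python
# Added example: correlating reused identifiers across account records.
# All records below are fictional and exist only to exercise the code; they are
# not data from the complaint or from any real platform.
from collections import defaultdict

# One record per account observed on one platform. Only the fields in
# PIVOT_FIELDS take part in linking; everything else is descriptive.
RECORDS = [
    {"id": 1, "platform": "forum-a",  "handle": "DemoStealer", "email": "pivot.demo@example.com"},
    {"id": 2, "platform": "forum-b",  "handle": "demostealer", "email": None},
    {"id": 3, "platform": "mail",     "handle": None,          "email": "Pivot.Demo@example.com"},
    {"id": 4, "platform": "social",   "handle": "demostealer", "email": "pivot.demo@example.com"},
    {"id": 5, "platform": "exchange", "handle": None,          "email": "pivot.demo@example.com",
     "ip": "198.51.100.7"},
    {"id": 6, "platform": "server",   "handle": None,          "email": None, "ip": "198.51.100.7"},
    {"id": 7, "platform": "forum-c",  "handle": "unrelated",   "email": "other@example.net"},
]

PIVOT_FIELDS = ("handle", "email", "ip")


def normalize(field, value):
    """Canonicalize an identifier so trivial variants (case, whitespace) still match."""
    if value is None:
        return None
    value = value.strip()
    if field in ("handle", "email"):
        value = value.lower()
    return value or None


def link_accounts(records):
    """Group records that share any pivot identifier, transitively.

    Returns (clusters, links): clusters is a list of sorted record-id lists,
    one per linked identity; links maps (field, normalized value) to the sorted
    list of platforms that identifier ties together, so an analyst can see
    which pivot produced each connection rather than a bare cluster.
    """
    parent = {r["id"]: r["id"] for r in records}
    by_id = {r["id"]: r for r in records}

    def find(x):
        # Union-find with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    # Invert the records: (field, value) -> record ids carrying that identifier.
    index = defaultdict(list)
    for r in records:
        for field in PIVOT_FIELDS:
            value = normalize(field, r.get(field))
            if value is not None:
                index[(field, value)].append(r["id"])

    # Any identifier seen on two or more records links those records.
    links = {}
    for key, ids in index.items():
        if len(ids) > 1:
            for other in ids[1:]:
                union(ids[0], other)
            links[key] = sorted(by_id[i]["platform"] for i in ids)

    groups = defaultdict(list)
    for r in records:
        groups[find(r["id"])].append(r["id"])
    clusters = sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])
    return clusters, links


if __name__ == "__main__":
    clusters, links = link_accounts(RECORDS)
    for cluster in clusters:
        print("cluster:", [RECORDS[i - 1]["platform"] for i in cluster])
    for (field, value), platforms in sorted(links.items()):
        print(f"  {field}={value!r} links {platforms}")
```

A shared identifier is a lead, not proof of identity: a handle can be adopted by different people and an email address can be registered by someone else, so the code reports which identifier produced each link for an analyst to weigh. That is also why the complaint pairs the account overlap with the malware files found in the iCloud account and the evidence seized from the server.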

On Tuesday, the Department of Justice said "Rudometov regularly accessed and managed the infrastructure of Redline infostealer, was associated with various cryptocurrency accounts used to receive and launder payments, and was in possession of Redline malware." The complaint also says that Redline has been used since February 2020 to infect millions of computers worldwide, including "several hundred" machines belonging to the U.S. Department of Defense.

It is still unclear whether Rudometov has been detained. If convicted, he faces up to 35 years in prison.

On Tuesday, Europol and Dutch police released further details on Operation Magnus, saying that three of the servers taken down were located in the Netherlands and that two domains used by Redline and Meta for command and control had been seized.

Authorities have also reportedly taken down several Telegram accounts affiliated with the malware, which has "caused the sale of the stealers … to be halted," and two further people, including a buyer of the malware, were detained in Belgium.

Blog | 2024-10-30 17:41:55