Cybercrime , Fraud Management & Cybercrime

Russian Indicted by US for Developing Redline Infostealer

Unsealed Complaint Charges Maxim Rudometov With Developing and Selling Malware
Russian Indicted by US for Developing Redline Infostealer
Alleged photographs of Maxim Rudometov from a C#stealer training advertisement (left) and his Apple iCloud account. (Source: DOJ)

An international crackdown against two prominent strains of information-stealing malware continues.

See Also: The Healthcare CISO’s Guide to Medical IoT Security

The U.S. Department of Justice on Tuesday unsealed a complaint against Russian national Maxim Rudometov, accusing him of being one of the alleged developers and administrators of the Redline infostealer - software "designed to illegally remove important personal and financial information from computers."

Prosecutors said Rudometov has been a key part of the Redline infostealer operation, describing it as being "one of the most prevalent infostealers in the world that has targeted millions of victim computers," as well as Meta, which is described as a "closely related" infostealer also designed to infect Windows systems.

"Rudometov regularly accessed and managed the infrastructure of Redline infostealer, was associated with various cryptocurrency accounts used to receive and launder payments, and was in possession of Redline malware," Justice alleged.

The suspect, who remains at large, has been charged with access device fraud, conspiracy to commit computer intrusion and money laundering, which collectively carry prison sentences of up to 35 years in prison.

Dutch National Police announced Monday that it infiltrated both the Redline and Meta infostealer services, gained "full access" to their servers and seized voluminous amounts of data pertaining to administrators, affiliates and their victims (see: Dutch Police and FBI Infiltrate Infostealer Infrastructure).

Investigators are working to unmask Redline's criminal users and associated "legal actions are underway," Dutch police promised. They launched www.operation-magnus.com, a website dedicated to the international law enforcement task force - codenamed Operation Magnus - combating Redline and Meta, which includes information for potential victims.

Infostealers are built to exfiltrate data from an infected system - aka "bot" - and batch it into "logs" containing information of value to other criminals. These logs get sold via dedicated markets and automated Telegram channels. Information stolen by infostealers often includes browser cookies, which can be used to defeat two-factor authentication, as well as stored data to be auto-filled by a browser. Other targeted information includes usernames and passwords for various services, including online bank accounts, as well as crypto wallet details, payment card data and more.

Redline's operators offered the malware-as-a-service offering to subscribers for a monthly Bitcoin or other cryptocurrency payment worth $150, or else $800 - later rising to $900 - for a "lifetime" license, according to the complaint. They allegedly "advertised that RedLine was capable of stealing 'login and passwords,' 'cookies,' 'autofill fields,' 'credit cards,' and had modules for stealing cryptocurrency information," it said.

Affiliates of Redline distributed the malware in multiple ways, including via phishing attacks, fake software downloads and "malicious software sideloading," as well as COVID-19 ruses, according to the complaint.

Advertisements for Redline touted regular software updates, saying the latest version of the malware had been "cleaned," meaning repacked to make it tougher to detect, and fresh functionality added. One update, advertised in August 2021, "claimed Redline was now capable of extracting data from Google Chrome extensions that managed cryptocurrency wallets and transactions, linking to the Google Chrome store URLs of supported extensions."

By default, the malware would not execute in Russia or neighboring countries, investigators said.

Law enforcement agencies have recovered some of the log data stolen from victims of Redline and Meta. "While an exact number has not been finalized, agents have identified millions of unique credentials (usernames and passwords), email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.," the DOJ said.

Investigators tied Rudometov to the moniker "Dendimirror," which an anonymous blog post alleged was a core member of Redline, in part by finding a Yandex email address used to register that account name with a Russian hacking forum, for which the membership database later leaked. Investigators said they linked this Yandex email to other hacker monikers - "GHackiHG" and "bloodzz.fenix" - "as well as services used by Rudometov in his personal capacity, such as Google and Apple," and recovered a copy of RedLine from his Apple iCloud Drive.

In addition, "there are numerous financial and IP connections between online accounts registered to Rudometov and the server which is used by the RedLine malware to configure deployable versions of the infostealer," according to the complaint. It said an IP address tied to his Apple account is based in Krasnodar, a city in southern Russia, which matched location data for multiple photographs being stored in his iCloud account.

The unsealing of the complaint against Rudometov followed the U.S. District Court for the Western District of Texas on Thursday issuing a seizure warrant for two domains allegedly used by Redline - fivto.online and spasshik.xyz - for command-and-control of infected endpoints. The warrant, unsealed Tuesday, orders Phoenix-based NameCheap, with which the domains are registered, to redirect all traffic to the domains to FBI-controlled domains.

The FBI's Austin, Texas, office is running the U.S. investigation into Redline and Meta, together with multiple other agencies, including the Naval Criminal Investigative Service, IRS Criminal Investigation, Defense Criminal Investigative Service and Army Criminal Investigation Division.

The participation of multiple military agencies reflects Redline being tied to attacks that compromised access credentials for Department of Defense accounts, services or websites, including for the U.S. Army's Office 365 email environment, as well as defense contractors. Other victims cited in court documents include an Indiana resident who lost cryptocurrency worth $370,000 and hired a digital forensics firm to investigate, which traced stolen account access credentials to a Redline infection.

The DOJ said its investigation into Redline was aided by private industry, including an unnamed firm voluntarily disclosing to the government details it obtained from a licensing server used by Redline. "Investigators obtained a search warrant to analyze the data in the server and found additional evidence linking Rudometov to the development and deployment of Redline," according to the complaint.

The U.S. task force has been working with Operation Magnus, a Joint Cybercrime Action Taskforce - or J-CAT - coordinated by Europol, which is the EU's law enforcement intelligence agency. Other participating agencies include the Dutch National Police, Belgian Federal Police, Belgian Federal Prosecutor's Office, Britain's National Crime Agency, Australian Federal Police, Portuguese Federal Police and the EU Agency for Criminal Justice Cooperation, aka Eurojust.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.