
Operation Magnus Disrupts RedLine, Meta Infostealer Malware

The international effort, called Operation Magnus, involved the Netherlands, the U.S., Belgium, Portugal, the UK and Australia.

Law enforcement agencies from the U.S. and other countries on Tuesday detailed a disruption operation of two infostealers: RedLine, one of the most prevalent infostealers that has been used in campaigns against millions of computers, and the newer, closely related Meta malware.

The international effort, called Operation Magnus, involved the Netherlands, the U.S., Belgium, Portugal, the UK and Australia. The operation was first publicized via a website on Monday, which included a video that said law enforcement had “gained full access to all RedLine and Meta servers.” The Tuesday update said that the operation had seized domains, servers and Telegram accounts used by the malware administrators.

Key Details:

  • The U.S. Justice Department on Tuesday unsealed a warrant, issued in the Western District of Texas, allowing law enforcement to seize two domains used by RedLine and Meta for command and control

  • The Justice Department is also charging Maxim Rudometov, a RedLine developer and administrator who allegedly managed the malware’s infrastructure and has been linked to various cryptocurrency accounts used for laundering payments

  • Additionally, three servers were shut down in the Netherlands and two people were taken into custody in Belgium

  • RedLine and Meta have infected millions of computers worldwide and the operation found over 1,200 servers in dozens of countries running the malware. The DoJ said that by some estimates, RedLine is one of the top malware variants in the world

The Big Picture: The disruption of these infostealers is a definite win: RedLine in particular has been used over the past several years to steal large volumes of sensitive information, including credentials, financial data, system information, cookies and cryptocurrency accounts. Both RedLine and Meta are sold through a malware-as-a-service model and have been distributed through malvertising, phishing, fake software downloads and more. RedLine has been used to conduct cyberattacks against major corporations, according to the DoJ.

Next Steps: The FBI was able to collect victim log data that was stolen from devices infected by RedLine and Meta. U.S. law enforcement identified millions of unique credentials, email addresses, bank accounts, cryptocurrency addresses, credit card numbers and more. The Operation Magnus website linked to an online scanner by ESET, which can help users detect if they are potentially infected by the malware.

“The authorities also retrieved a database of clients from RedLine and Meta,” according to a press release by Eurojust. “Investigations will now continue into the criminals using the stolen data.”