Law enforcement operation targets Infostealers

In a major international effort, the US Department of Justice, the Federal Bureau of Investigation and several global law enforcement agencies have unveiled “Operation Magnus”, targeting two of the world’s most notorious information-stealing malware networks, RedLine Stealer and META.

According to one press release published on October 29, the operation led to the seizure of several servers, the unsealing of charges against a RedLine Stealer developer, and the arrest of two suspects in Belgium.

RedLine and META information stealers

RedLine Stealer and META are two distinct types of malware known as “info stealers” or “information stealers”, designed to capture sensitive user data. RedLine Stealer’s existence was initially reported in 2020, while META first appeared in 2022.

In an interview, a META malware representative revealed that its development was originally based on portions of the RedLine Stealer source code, which had been acquired through a sale. Both malware programs are capable of stealing sensitive information from infected computers, such as:

  • Usernames and passwords for online services, including mailboxes.
  • Financial information such as credit card or bank account numbers.
  • Session cookies to impersonate users on online services.
  • Cryptocurrency wallets.


Both malware families also offer the ability to bypass multi-factor authentication, since a stolen session cookie lets an attacker impersonate an already-authenticated user. The stolen information can be used by the malware controller, but it can also be sold as files called “logs” on cybercriminal forums or underground markets.

RedLine Stealer and META infected millions of computers worldwide and stole even more credentials. Specops Software, a company focused on password security, reported that RedLine Stealer captured more than 170 million passwords in just six months, while META stole 38 million passwords in the same period.

RedLine Stealer has also been used to carry out intrusions against large corporations, according to the DOJ press release.

Malware-as-a-Service (MaaS) business model

Both malware families are sold through a Malware-as-a-Service business model, where cybercriminals purchase a license to use variants of the malware and then launch their own infection campaigns. Distribution can happen through malicious emails, malvertising, fraudulent software downloads, sideloading of malicious software and instant messaging. Different cybercriminals have used different lures and social engineering tricks to infect victims, including fake Windows updates.

2023 Stats Panel for RedLine Stealer. Image: Flare.io

Several servers, communication channels closed

A warrant issued by the Western District of Texas authorized law enforcement to seize two command and control domains used by RedLine Stealer and META.

Both domains now display content about the operation.

New page for RedLine Stealer and META seized C2 servers. Image: TechRepublic

Three servers were shut down in the Netherlands, and several RedLine Stealer and META communication channels were taken down by Belgian authorities.

In addition, a website about Operation Magnus informs and supports victims. A video posted on the site sends a strong message to cybercriminals who have used RedLine or META, displaying a list of nicknames said to be VIPs — “Very Important to Police” — and ending with the image of handcuffs and a message: “We look forward to seeing you soon!”

The website also offers an online scanner for RedLine/META infections from the cyber security company ESET.

The DOJ also unsealed charges against Maxim Rudometov, one of the developers and administrators of the RedLine Stealer malware, who regularly accessed and managed its infrastructure. Rudometov is also associated with various cryptocurrency wallets used to receive and launder payments from RedLine customers.

Two other individuals were also arrested in Belgium, although one was released with no further details publicly available.

How to protect yourself from information stealers

Attackers can infect computers in countless ways, which is why all systems and software must be kept updated and patched to prevent an infection that exploits a known vulnerability.

In addition, businesses can protect themselves from cybercriminals by:

  • Deploying security and antivirus software on all systems.
  • Implementing multi-factor authentication, which adds a protective layer for services that require authentication.
  • Changing all passwords if a system is compromised, and invalidating active sessions, since stolen session cookies remain usable until they are revoked. This should be done as soon as the stealer is removed from the system.

Additionally, users should never reuse the same password across different services. A password manager makes it practical to use a unique, strong password for every service or tool, and its use should be mandatory in organizations.
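The two points above that matter most against an infostealer are the ones the malware is built to defeat: a stolen session cookie lets an attacker walk past MFA, and a stolen password is only harmless once it (and every session it opened) has been revoked. The following added example, which is not code from the article or from any product it mentions, shows a minimal server-side session store that limits what a stolen cookie is worth: each session is bound to the coarse client context it was issued to, has an absolute lifetime, and can be revoked in bulk for a user once their machine is found to be infected. All names, IP addresses and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    context_hash: str  # SHA-256 of the coarse client context the cookie was issued to
    issued_at: float   # Unix timestamp of issuance


class SessionStore:
    """Server-side session store that limits the value of a stolen cookie (illustrative)."""

    def __init__(self, max_age: float = 8 * 3600):
        self.max_age = max_age  # absolute lifetime in seconds, no sliding renewal
        self._sessions: Dict[str, Session] = {}  # keyed by SHA-256(token), not the raw token

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash of the cookie value, so a dump of the store is not a dump of cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _context_hash(client_ip: str, user_agent: str) -> str:
        # Coarse fingerprint of where the cookie was issued; a replay from a different
        # host/browser combination will not match it.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def issue(self, user: str, client_ip: str, user_agent: str,
              now: Optional[float] = None) -> str:
        """Create a session after a successful (MFA-backed) login and return the cookie value."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(
            user=user,
            context_hash=self._context_hash(client_ip, user_agent),
            issued_at=time.time() if now is None else now,
        )
        return token

    def validate(self, token: str, client_ip: str, user_agent: str,
                 now: Optional[float] = None) -> Optional[str]:
        """Return the user for a valid cookie; return None (and revoke it) if expired or replayed."""
        now = time.time() if now is None else now
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if now - session.issued_at > self.max_age:
            del self._sessions[key]  # absolute expiry: a cookie from an old stolen log is worthless
            return None
        presented = self._context_hash(client_ip, user_agent)
        if not hmac.compare_digest(presented, session.context_hash):
            # The cookie is being presented from a different client than it was issued to.
            # Treat it as a replayed (stolen) cookie: kill the session rather than honour it.
            del self._sessions[key]
            return None
        return session.user

    def revoke_user(self, user: str) -> int:
        """Invalidate every session of a user (the post-compromise step); returns the count removed."""
        keys = [k for k, s in self._sessions.items() if s.user == user]
        for k in keys:
            del self._sessions[k]
        return len(keys)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    # Constructed walk-through: a cookie issued to one browser, then replayed from another.
    store = SessionStore(max_age=3600)
    cookie = store.issue("alice", "203.0.113.5", "Firefox/130", now=1000.0)
    print(store.validate(cookie, "203.0.113.5", "Firefox/130", now=1500.0))  # alice
    print(store.validate(cookie, "198.51.100.7", "Chrome/129", now=1600.0))  # None: replay detected
    print(store.revoke_user("alice"))  # 0: the replay already destroyed the session
```

Binding to IP address and User-Agent is deliberately coarse and will produce false rejections for users on mobile networks or behind load-balanced proxies; a production system would bind to a stronger signal (a device-bound token or hardware-backed key) and log the mismatch as a security event rather than silently failing. The revoke-all step is the part to keep regardless of the binding chosen: after a confirmed infostealer infection, resetting passwords without invalidating sessions leaves the stolen cookies fully usable.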

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.