Two notorious infostealer malware operations were just knocked offline
Infrastructure linked to two major infostealer malware strains has been seized in a joint law enforcement operation
A joint operation of global law enforcement agencies has dismantled the operations of two prominent strains of infostealer malware.
Operation Magnus was a collaboration between the Dutch National Police, the FBI, and agencies from Australia, Belgium, Portugal, and the UK, targeting the infrastructure underpinning the RedLine and Meta infostealers.
RedLine and Meta steal data including login credentials, as well as addresses, phone numbers, cryptocurrency wallets, and email addresses stored in web forms.
The tools can also be used by threat actors to bypass multi-factor authentication (MFA) through the theft of authentication cookies and other system information.
“After retrieving the personal data, the infostealers sold the information to other criminals through criminal marketplaces. The criminals who purchased the personal data used it to steal money, cryptocurrency and to carry out follow-on hacking activities,” according to a statement from the European Union Agency for Criminal Justice Cooperation.
The statement added that investigations into the two malware operations began after victims came forward and a security company notified authorities about possible servers in the Netherlands linked to the campaign.
The authorities later discovered that over 1,200 servers in dozens of countries were running the malware.
On 28 October, the coalition of international agencies seized three servers in the Netherlands, two domains, and took two people into custody in Belgium.
Law enforcement also retrieved a database of RedLine and Meta clients, which they state will be used in future investigations into criminals attempting to leverage the stolen data in follow-on attacks.
History shows cybercriminals will always find a way
In conjunction with the disruption efforts, the US Justice Department unsealed charges against Maxim Rudometov, one of the developers and administrators of RedLine.
Rudometov faces charges of access device fraud, conspiracy to commit computer intrusion, and money laundering and, if convicted, could face a maximum penalty of 35 years, according to the Attorney’s Office for the Western District of Texas.
This follows a number of operations carried out by law enforcement agencies aimed at disrupting the operations of high profile cyber crime groups around the world.
In December 2023, US authorities seized the leak site of ALPHV/BlackCat, one of the most prolific ransomware collectives of recent years, which was hailed as a significant blow to the operation.
Yet just two months later in February 2024, CISA issued an updated advisory warning of a new version of the group’s ransomware locker, which had been observed targeting healthcare organizations in the US.
Then, in September 2024, researchers reported that a new ransomware encryptor dubbed ‘Cicada3301’ appeared to be a more advanced iteration of the encryptor used by BlackCat, indicating the group’s influence on the cyber crime industry will be harder to stamp out.
In February 2024, a joint operation took control of the infrastructure used by the prominent ransomware collective LockBit, including its primary administration environment, leak site, platform source code, and a vast amount of intelligence about the group’s activities gleaned from the seized systems.
Days after the takedown, security experts told ITPro they expected LockBit affiliates to quickly find a new ransomware operator to work with, and that the ransomware industry was far from being brought to its knees.
LockBit re-emerged in September 2024, claiming responsibility for a cyber attack on Canada’s largest school board in Toronto, but analysts said this was likely a fabrication in an attempt to rebuild the group’s waning reputation.
On 5 July 2024, a joint operation led by Europol shut down almost 600 servers used to conduct malicious attacks leveraging the Cobalt Strike threat simulation tool.
Despite the significant disruption caused by the operations, security pros warned it would not put an end to the malicious use of Cobalt Strike by threat actors.
Although the operation was a ‘big win’ for law enforcement, they noted there were plenty of opportunities for threat actors to continue using the tool for malicious purposes.
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.