Full Report
The U.S. Department of State has announced a reward of up to $10 million for any information on government-sponsored hackers with ties to the RedLine infostealer malware operation and its suspected creator, Russian national Maxim Alexandrovich Rudometov. [...]
Analysis Summary
# Threat Actor: RedLine and META Malware Operators
## Attribution & Identity
The actors behind the RedLine and META malware-as-a-service (MaaS) platforms are the subject of a US Department of State reward offer seeking information on any government-sponsored hackers tied to the operation; the reward solicits evidence of such ties rather than confirming them. Russian national Maxim Alexandrovich Rudometov, the suspected creator of RedLine, is named in relation to the operation and faces charges of access device fraud, conspiracy to commit computer intrusion, and money laundering; the operation itself appears financially motivated. The platforms were disrupted by an international law enforcement action involving the Dutch police and Eurojust, with technical assistance from firms such as ESET.
## Activity Summary
The primary activities involve the operation and promotion of the RedLine and META malware-as-a-service platforms, which are used to steal account credentials on a massive scale. Law enforcement recently disrupted these platforms, seizing associated infrastructure and taking down sales channels (e.g., Telegram accounts used for promotion). An international coalition arrested two suspects in Belgium and seized servers and domains connected to Command and Control (C2). This activity led to the theft of millions of account credentials globally.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Not described in the source. RedLine and META are sold as MaaS offerings, so the delivery method is chosen by each buyer rather than by the platform operators.
- **Credential Access/Collection:** RedLine and META are infostealers; once running on a victim host they harvest account credentials and stored session data for exfiltration to the buyer's panel.
- **Command and Control:** The operators ran C2 on servers and web domains, three servers and two domains of which were seized; ESET mapped a wider network of over 1,200 servers linked to the operation.
- **Communication/Sales:** Promotion and sales were conducted via Telegram accounts, which were also taken down.
- *\[Note: Specific technical TTPs like MITRE ATT&CK IDs were not detailed in the provided context, beyond the identification of the malware type being 'infostealers'.]*
## Targeting
- **Sectors:** Broad targeting is indicated by large-scale credential theft; specific sectors are not detailed. Infostealers sold as a service are typically deployed opportunistically against any user with online accounts, with targeting decided by each buyer. The US reward offer concerns possible government ties of the operators, not the identity of the victims, so it does not by itself indicate targeting of particular sectors.
- **Geography:** International scope, highlighted by coordination between US, Dutch, and Belgian authorities.
- **Victims:** Millions of users whose account credentials were stolen. Specific organizational victims were not named in this context.
## Tools & Infrastructure
- **Malware families used:** RedLine Stealer, META Stealer (both operated as Malware-as-a-Service).
- **Infrastructure (C2, domains, IPs):**
- Seized Telegram accounts used for promotion.
- Seized servers (three servers seized in total).
- Seized web domains (two domains seized).
- A network of over 1,200 servers linked to the malware operations was mapped by ESET.
- *Defanged: No URLs or IPs were explicitly provided that required defanging.*
## Implications
The successful international disruption highlights significant global coordinated efforts against established MaaS operations specializing in credential theft. However, the sheer scale of compromised credentials (millions) presents an ongoing risk to individuals and organizations worldwide, necessitating credential hygiene and monitoring. The potential conviction of the operator (Rudometov) if apprehended could disrupt the MaaS ecosystem.
## Mitigations
- Users should run threat scans using tools provided by security vendors, such as the ESET online scanner released for detecting RedLine/META infections.
- Organizations and individuals should rotate credentials potentially compromised by RedLine or META. Because infostealers harvest both saved browser passwords and session cookies/tokens, active sessions must be invalidated as well; changing the password alone leaves a stolen session usable until it expires.
- Security teams should monitor for indicators of compromise related to C2 infrastructure previously linked to these malware families, and treat any host that contacted such infrastructure as a source of leaked credentials.
- Enhance monitoring for misuse of stolen credentials and sessions against user accounts, such as logins from unfamiliar devices or locations, session replay from a new IP, and credential-stuffing patterns.
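The C2-indicator monitoring recommended above is usually done by matching proxy or DNS logs against a watchlist that arrives in defanged form. The following is an added example, not code from the original report or from any vendor named in it: it refangs a small watchlist, classifies each indicator as a network, a domain or a URL prefix, and scans constructed proxy log lines for hits. Every indicator and log line is constructed for illustration (RFC 5737 addresses and reserved example names) and is not real RedLine or META infrastructure; the log format is an assumed six-field layout.

```python
"""Match proxy log lines against a defanged C2 indicator watchlist.

Added example, not from the original report. All indicators and log lines
are constructed placeholders, not real RedLine/META infrastructure.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed watchlist in the defanged form indicator feeds usually ship.
WATCHLIST = [
    "hxxp://stealer-panel[.]example/api/",   # URL prefix
    "203[.]0[.]113[.]45",                    # single IP
    "198[.]51[.]100[.]0/24",                 # CIDR block
    "update-checker[.]example",              # domain (subdomains match too)
]

# Constructed proxy log (assumed layout):
# timestamp client_ip dest_host dest_ip method url
LOG_LINES = """\
2024-10-28T09:12:44Z 10.0.0.12 update-checker.example 192.0.2.10 GET http://update-checker.example/ping
2024-10-28T09:13:01Z 10.0.0.12 cdn.vendor.example 203.0.113.45 GET https://cdn.vendor.example/lib.js
2024-10-28T09:13:07Z 10.0.0.15 stealer-panel.example 198.51.100.77 POST http://stealer-panel.example/api/upload
2024-10-28T09:14:30Z 10.0.0.20 www.example.org 192.0.2.55 GET https://www.example.org/
"""


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator can be compared with live logs."""
    ioc = ioc.strip()
    ioc = re.sub(r"(?i)^hxxp", "http", ioc)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        ioc = ioc.replace(defanged, real)
    return ioc


def build_watchlist(entries):
    """Split refanged indicators into networks, domains and URL prefixes."""
    nets, domains, url_prefixes = [], set(), []
    for raw in entries:
        ioc = refang(raw)
        if "://" in ioc:
            url_prefixes.append(ioc.lower())
            # The host part of a URL indicator is worth a hit on its own.
            domains.add(urlsplit(ioc).hostname.lower())
            continue
        try:
            nets.append(ip_network(ioc, strict=False))  # "a.b.c.d" becomes /32
        except ValueError:
            domains.add(ioc.lower())
    return nets, domains, url_prefixes


def domain_matches(host, domains):
    """Exact or parent-domain match, so sub.evil.example hits on evil.example."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan(log_text, entries):
    """Return one record per log line that touches a watchlisted indicator."""
    nets, domains, url_prefixes = build_watchlist(entries)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines instead of crashing on them
        ts, client, dest_host, dest_ip, method, url = fields
        reasons = []
        if domain_matches(dest_host, domains):
            reasons.append(f"domain:{dest_host}")
        try:
            addr = ip_address(dest_ip)
            reasons.extend(f"net:{net}" for net in nets if addr in net)
        except ValueError:
            pass  # dest_ip field was not an address
        low = url.lower()
        reasons.extend(f"url:{p}" for p in url_prefixes if low.startswith(p))
        if reasons:
            hits.append({"ts": ts, "client": client, "reasons": reasons})
    return hits


if __name__ == "__main__":
    # Each hit names a client host whose saved credentials and sessions
    # should be treated as leaked and rotated.
    for hit in scan(LOG_LINES, WATCHLIST):
        print(hit["ts"], hit["client"], ", ".join(hit["reasons"]))
```

Domain matching is done on parent-domain suffix rather than substring so that `notupdate-checker.example` does not match `update-checker.example`; IP matching goes through `ip_network` so a single address and a CIDR block are handled the same way. The client addresses in the output are the starting point for the credential and session rotation described above.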