Dutch cops pwn the Redline and Meta infostealers, leak 'VIP' aliases

Legal proceedings underway with more details to follow
Dutch police (Politie) say they've dismantled the servers powering the Redline and Meta infostealers – two key tools in a modern cyber crook's arsenal.

The Politie announced Operation Magnus' success on Monday, following what has become law enforcement's cyber-bust template: mock those involved, then drip-feed details of the operation over several days. The same approach was taken with LockBit and Operation Endgame earlier this year.

"This is the final update for Redline and Meta" were the words used to open the operation's announcement, which was styled as a marketing video teasing new features for the infamous infostealers.

The Politie worked with a number of international law enforcement agencies to disrupt Redline and Meta's infrastructure, it said.

"We gained full access to all Redline and Meta servers. Did you know they were actually pretty much the same?" the video went on to say.

Among the data law enforcement officials gained access to were usernames, passwords, IP addresses, timestamps, registration dates, "and much more."

Investigators say they also acquired all source code for both infostealers, including the license and REST API servers, user panels, and Telegram bots.

The video also displayed a scrolling list of usernames, suggesting that investigators now hold a list of individuals who paid for, and likely deployed, the malware at least once.

Operation Cronos, the taskforce that disrupted LockBit in February, released a similar list after gaining access to the ransomware group's backend, exposing the aliases of all known affiliates.

"VIP status for all Redline and Meta users, where VIP means 'very important to the police.' Thank you for installing this update. We are looking forward to seeing you soon," the video ends, depicting hands in handcuffs.

The Register asked the Politie if any arrests had yet been made and for additional details about the case, but it didn't immediately respond. 

However, the website dedicated to Operation Magnus indicates that if arrests haven't yet been made, they may soon be. 

"Involved parties will be notified, and legal actions are underway," the site reads.

The next update on the operation's efforts is scheduled for Tuesday morning, per a countdown on its website.

Key cogs removed

Information-stealing malware strains such as Redline and Meta are crucial tools for cybercriminals in the early stages of attacks.

Often spread through phishing emails and compromised websites, these stealers are built to scan a victim's machine for secrets and credentials stored by browsers, email clients, messaging apps, and other software. Those secrets then serve as the foothold for more significant attacks.

Credentials are either used by the individual(s) behind the infostealer for their own nefarious activities, or sold on to others who use them to compromise organizations, often leading to ransomware or other lucrative attacks.
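What that scanning looks like from the defender's side, as an added example that is not from the article, the Politie, or either malware's code: a minimal detection rule that runs over constructed object-access records and flags any non-browser process opening a browser's saved-login database, its DPAPI-wrapped key file, its cookie store, or a Firefox login/key database. The field names mirror Windows Security event 4663's ProcessName and ObjectName, but the records, the process names and the allowlist are all this example's own assumptions.

```python
import re

# Files that saved-login stealers read on a Windows host. The patterns
# encode the standard profile layout of Chromium-based browsers and
# Firefox; they are this example's assumptions, not paths the article gives.
CHROMIUM_PROFILE = r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data"
CREDENTIAL_STORE_PATTERNS = [
    re.compile(CHROMIUM_PROFILE + r"\\[^\\]+\\Login Data$", re.I),       # saved logins (SQLite)
    re.compile(CHROMIUM_PROFILE + r"\\Local State$", re.I),               # DPAPI-wrapped key for them
    re.compile(CHROMIUM_PROFILE + r"\\[^\\]+\\Network\\Cookies$", re.I),  # session cookies
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I),
]

# Only the browser that owns a store has a reason to open it. Each entry
# pairs an image basename with a directory fragment its full path must
# contain, so a stealer dropped as %TEMP%\chrome.exe gets no exemption.
EXPECTED_READERS = {
    "chrome.exe": "\\google\\chrome\\application\\",
    "msedge.exe": "\\microsoft\\edge\\application\\",
    "brave.exe": "\\bravesoftware\\brave-browser\\application\\",
    "firefox.exe": "\\mozilla firefox\\",
}


def is_credential_store(path):
    """True if the accessed file is one of the credential/cookie stores above."""
    return any(p.search(path) for p in CREDENTIAL_STORE_PATTERNS)


def is_expected_reader(image):
    """True if the process is the browser binary that owns the store."""
    image_l = image.lower()
    base = image_l.rsplit("\\", 1)[-1]
    fragment = EXPECTED_READERS.get(base)
    return fragment is not None and fragment in image_l


def flag_suspicious_access(records):
    """Return (process, file) pairs where a non-browser process opened a store.

    Each record is a dict with ProcessName and ObjectName, the two fields of
    Windows event 4663 that matter here.
    """
    hits = []
    for rec in records:
        image = rec.get("ProcessName", "")
        target = rec.get("ObjectName", "")
        if is_credential_store(target) and not is_expected_reader(image):
            hits.append((image, target))
    return hits


# Constructed sample events, not real telemetry.
_PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
_FFPROFILE = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k2x9q.default-release"
_INVOICE = r"C:\Users\alice\AppData\Local\Temp\Invoice_2024.exe"
SAMPLE_EVENTS = [
    {"ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": _PROFILE + r"\Default\Login Data"},                # browser reading its own store
    {"ProcessName": _INVOICE, "ObjectName": _PROFILE + r"\Default\Login Data"},
    {"ProcessName": _INVOICE, "ObjectName": _PROFILE + r"\Local State"},
    {"ProcessName": r"C:\Users\alice\AppData\Local\Temp\chrome.exe",    # name spoof, wrong directory
     "ObjectName": _PROFILE + r"\Default\Network\Cookies"},
    {"ProcessName": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ObjectName": _FFPROFILE + r"\key4.db"},                          # legitimate Firefox access
    {"ProcessName": r"C:\Windows\System32\svchost.exe",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt"},             # not a credential store
    {"ProcessName": _INVOICE, "ObjectName": _FFPROFILE + r"\logins.json"},
]

if __name__ == "__main__":
    for image, target in flag_suspicious_access(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {image} opened {target}")
```

In a real deployment the same logic belongs in the SIEM's rule language rather than in Python, and the process allowlist would be anchored on signer or hash rather than on install directory, but the shape of the rule is the point: the store paths are fixed and well known, so any reader that is not the owning browser is worth a look.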

Redline has been around for some time, with researchers first spotting it in 2020. It's described as an affordable malware-as-a-service (MaaS) with prices starting at just $150 per user, rising to $800 for the fully featured "pro" version.

Illustrating how trusted and popular Redline was, the serial extortionists of Scattered Spider are known customers of the malware, and other major crews lean heavily on infostealers more generally.

Meta is a comparatively newer malware, first seen in 2022, and most often spreads via phishing emails.

Security shop Acronis said it was being sold for $125, or $1,000 for the lifetime-access version, and offered capabilities similar to Redline's.

"This malware is currently distributed through a widespread email campaign, luring victims with a purported offer of a 'refund' via money transfer," said Acronis around the time of its launch. "A seemingly innocuous DocuSign file attachment actually contains malicious macros that deliver the infostealer."

SentinelOne also noted that, at the start of the year, Meta was specifically targeting macOS users. According to its data, customers of the MaaS were posing as prospective clients of Mac-using businesses to social engineer them into installing the Meta stealer.

The sheer number of infostealers on the market means the disruption of Redline and Meta is unlikely to have much material impact on the cybercrime landscape.

Similar to the ransomware ecosystem, there are always replacements ready and waiting to pick up business when others fall. 

However, if officials are able to arrest key members of the teams behind the Redline and Meta stealers, Operation Magnus will be seen as a net win for law enforcement. ®