U.S. authorities announced that they have charged Russian national Maxim Rudometov for his involvement in leading operations for two malware-as-a-service (MaaS) platforms. This comes just one day after it was revealed that Operation Magnus, an international police coalition, disrupted the two platforms, RedLine and META (no relation to Facebook's parent company).
Operation Magnus revealed that Rudometov regularly accessed and managed the RedLine info stealer infrastructure, and was associated with cryptocurrency accounts used to receive and launder payments. He was charged by the U.S. Department of Justice (DoJ) with access device fraud, conspiracy to commit computer intrusion, and money laundering. If convicted of all three charges, Rudometov could face up to 35 years in prison. However, authorities have not indicated whether Rudometov was in custody or charged in absentia.
Two individuals were also arrested in Belgium in connection with Operation Magnus, one of whom is alleged to be a customer of the MaaS platform. The other has since been released.
Led by Dutch Police, ‘Operation Magnus’ included several international partners such as the Federal Bureau of Investigation (FBI), DoJ, and Eurojust. The operation was responsible for the takedown of three servers in the Netherlands and the seizure of two domains and Telegram channels used for RedLine and META command and control.
Source: Bleeping Computer
Analysis
The whereabouts of Rudometov are currently unknown. Should he still be in Russia, it is highly unlikely that Russian authorities will arrest Rudometov and extradite him to the U.S. to face the charges laid by the DoJ, rendering the charges largely symbolic. If Rudometov remains free, Operation Magnus’s takedown of RedLine and META infrastructure will likely only have a short-term impact on the platforms’ operations, as Rudometov can easily acquire new servers and domains to replace what was seized.
The charges will however have a serious impact on Rudometov’s travel throughout the world, as he risks being arrested if he travels to any country that chooses to cooperate with the DoJ.
The FBI has been involved in operations similar to Operation Magnus, whose purpose is to disrupt and arrest threat actors. For example, Operation Cronos dismantled the operational backbone of the LockBit Ransomware-as-a-Service (RaaS) by taking over the group’s primary administrative site and its dark web leak platform, where stolen data was usually showcased to pressure victims into paying ransoms. As part of the takedown, the seized site was used to provide decryption keys to help past victims recover their files. While this operation dealt a hard blow to LockBit’s operations, the group was eventually able to restore its operations through the acquisition of new infrastructure and tooling.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from MaaS platforms like RedLine and META. Field Effect MDR users are automatically notified if activity associated with these info stealers is detected in their environment and are encouraged to review these AROs (Actions, Recommendations, and Observations) as quickly as possible via the Field Effect Portal.
The best way for organizations to protect themselves from information-stealing malware such as RedLine and META is to make every effort to stop the malware from getting on their network in the first place. This can be done by deploying endpoint/network protection and monitoring, like Field Effect MDR, and by providing users with security awareness training that helps users recognize and report suspicious emails and files. Because info stealers of this kind harvest credentials and session cookies saved in browsers and other applications, any confirmed infection should also be treated as a credential compromise: reset the affected user’s passwords, invalidate active sessions, and ensure multi-factor authentication is enforced on the accounts involved.