The US government has named and charged a Russian citizen, Maxim Rudometov, with allegedly developing and operating the infamous Redline infostealer.
The story of how the FBI found and identified the alleged Russian malware developer involves years of digital sleuthing that unraveled the suspect’s online monikers, email and IP addresses, the iCloud account he allegedly used for gaming and sharing code, plus his dating and social media profiles, and showed how they were connected.
It also serves as a cautionary tale for would-be cybercriminals about the potential pitfalls of leaving a permanent digital footprint for law enforcement to track – but more on that later.
Redline, which the FBI says has been used to infect millions of computers worldwide since February 2020, was sold to other criminals through a malware-as-a-service model in which affiliates pay a fee to use the infostealer in their own campaigns.
Once deployed on targeted machines, the data-stealing malware retrieves victims’ personal and financial information, saved login credentials, and cryptocurrency access tokens and sends this sensitive information to a server operated by a Redline affiliate.
Operation Magnus
The newly revealed criminal complaint, filed two years ago in the Western District of Texas, charges Rudometov with access device fraud, conspiracy to commit computer intrusion, and money laundering. It’s part of a larger international effort called Operation Magnus, led by Dutch police, who yesterday shut down the servers powering the Redline and Meta infostealers.
In addition to the complaint against Rudometov, the US Department of Justice unsealed a warrant (PDF) which authorized law enforcement to seize two domains used by Redline and Meta for command and control and registered by NameCheap, a Phoenix-based domain registrar.
If convicted, Rudometov faces a maximum sentence of 10 years in prison for access device fraud, five years for conspiracy and 20 years behind bars for money laundering.
However, since he is believed to live in Krasnodar, Russia (a conclusion based on an IP address used to play a mobile game while logged into an Apple iCloud account that the FBI says belongs to Rudometov, plus several photos in that iCloud account with metadata showing they were taken in Krasnodar) and has yet to be arrested, it’s unlikely a perp walk will happen anytime soon.
The 18-page complaint (PDF) describes how a US Naval Criminal Investigative Service special agent assigned to the FBI’s Cyber Task Force in Austin, Texas, identified Rudometov. It started with a March 2020 blog post claiming that Redline was created by two developers using the nicknames “Dendimirror” and “Alinchok”; the post also contained a rough analysis of the Redline infostealer.
How to catch a cybercriminal
Further investigation revealed posts on several Russian-language hacking forums under the Dendimirror moniker as early as 2017 that were connected to another infostealer called “MysteryStealer”.
Also around this time, a private US security firm discovered a Yandex email address in a leaked database “used by an unnamed Russian-language hacker forum that was used to register an account using the name Dendimirror,” the court documents explain.
Yandex is a Russian communications company, and later research linked this email address to other names, including ‘GHackiHG’, which was connected to Dendimirror, as well as to Google and Apple services used by Rudometov and to a dating profile.
“The association between the name GHackiHG and Dendimirror was further confirmed by information shared on various hacker forums by users going by both names, including some in their contact information: a Skype username known to law enforcement, the Yandex email address and a VK profile owned by a person named ‘Максим Рудомётов (Maxim Rudometov),’” according to the complaint.
VK is a Russian social media site. The profile and photos posted by this account closely resembled an individual depicted in an advertisement included in the earlier March 2020 blog post, which boasted of the promoter’s skills in coding and ‘writing botnets and stealers’.
After discovering these connections, the FBI collected data from Apple, Google and Microsoft related to both the GHackiHG and Dendimirror nicknames, and discovered that the Yandex email address had been used by Rudometov to register an Apple account.
“A court-authorized search of this Apple account revealed an associated iCloud account and numerous files that antivirus programs identified as malware, including at least one that the Department of Defense Cybercrime Center analyzed and determined that it was RedLine,” the court documents note.
In August 2021, law enforcement obtained a copy of part of the license server used by Redline from an unnamed security company, and found a trove of data in server logs linked to Rudometov’s various accounts and services.
This included an IP address requesting a build of RedLine from the license server, another IP address used over 700 times to access an iCloud account belonging to Rudometov that contained Redline malware code, a Binance cryptocurrency exchange account registered with the Yandex email address, a GitHub account and “numerous” other links between the Russian and the Redline infostealer.
“In summary, there are numerous financial and IP connections between online accounts registered to Rudometov and the server used by the RedLine malware to configure deployable versions of the infostealer,” the court documents say. ®