
Uncle Sam outs a Russian accused of developing Redline infostealing malware

Or: why using the same iCloud account for malware development and gaming is a bad idea


The US government has named and charged a Russian national, Maxim Rudometov, with allegedly developing and administering the notorious Redline infostealer. 

The story of how the FBI found and identified the alleged Russian malware developer spans years of digital detective work connecting the suspect's online monikers, email and IP addresses, the iCloud account he reportedly used for gaming and code sharing, plus his dating and social media profiles. 

It also serves as a cautionary tale for would-be cybercriminals about the potential pitfalls of leaving a permanent digital footprint for law enforcement to track — but more on that in a minute.

Redline, which the feds say has been used to infect millions of computers worldwide since February 2020, was sold to other criminals via a malware-as-a-service model under which affiliates pay a fee to use the infostealer in their own campaigns.

Once deployed on targeted machines, the data-stealing malware scoops up victims' personal and financial information, saved credentials, and cryptocurrency access tokens, and sends this sensitive info to a server controlled by a Redline affiliate. 

Operation Magnus

The newly unsealed criminal complaint, filed two years ago in the Western District of Texas, charges Rudometov with access device fraud, conspiracy to commit computer intrusion, and money laundering. It's part of a larger international effort dubbed Operation Magnus and led by the Dutch police that yesterday shut down servers powering Redline and Meta infostealers.

In addition to the complaint against Rudometov, the US Justice Department unsealed a warrant [PDF] that authorized law enforcement to seize two domains used by Redline and Meta for command and control that were registered by NameCheap, a Phoenix-based domain registrar.

If convicted, Rudometov faces a maximum penalty of 10 years in prison for access device fraud, five years for the conspiracy charge and 20 years behind bars for money laundering. 

However, Rudometov is believed to reside in Krasnodar, Russia, and has yet to be arrested, so a perp-walk is unlikely to happen anytime soon. That location is based on an IP address used to play a mobile game while logged into an Apple iCloud account that the FBI says belongs to Rudometov, plus several photos in that iCloud account whose metadata indicated they were taken in Krasnodar.
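The complaint, as summarised above, says only that the photos' metadata placed them in Krasnodar; in practice that information sits in the Exif GPS tags a phone camera writes into each JPEG. The Python below is an added example, not code from the article or from the court filing: it builds a tiny JPEG carrying constructed GPS coordinates (not taken from the case), reads them back the way a forensic tool would, and shows the stripping step that removes them. The tag numbers and TIFF layout are the standard Exif ones; the file contents and coordinates are made up for the demo.

```python
# Added example (not from the article or the complaint): read GPS tags out of a
# JPEG's Exif block, and strip them. The JPEG and coordinates below are constructed.
import struct

TAG_GPS_IFD = 0x8825                       # IFD0 entry pointing at the GPS IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Minimal JPEG (SOI, APP1/Exif, EOI) whose only metadata is a little-endian GPS IFD."""
    def rationals(dms):          # each degree/minute/second value stored as numerator/100
        return b"".join(struct.pack("<II", int(round(v * 100)), 100) for v in dms)
    ifd0_off = 8                             # TIFF header is 8 bytes
    gps_off = ifd0_off + 2 + 12 + 4          # IFD0: count, 1 entry, next-IFD link
    lat_off = gps_off + 2 + 4 * 12 + 4       # GPS IFD: count, 4 entries, link
    lon_off = lat_off + 24                   # 3 RATIONALs of 8 bytes each
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<HHHIII", 1, TAG_GPS_IFD, TYPE_LONG, 1, gps_off, 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI4s", TAG_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\0\0\0")
    tiff += struct.pack("<HHII", TAG_LAT, TYPE_RATIONAL, 3, lat_off)
    tiff += struct.pack("<HHI4s", TAG_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\0\0\0")
    tiff += struct.pack("<HHII", TAG_LON, TYPE_RATIONAL, 3, lon_off)
    tiff += struct.pack("<I", 0) + rationals(lat_dms) + rationals(lon_dms)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, payload) for each marker segment before start-of-scan / EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        marker = struct.unpack_from(">H", jpeg, pos)[0]
        if marker in (0xFFD9, 0xFFDA):       # EOI or SOS: no more metadata segments
            return
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, off, e):
    """{tag: (type, count, raw 4-byte value-or-offset)} for the IFD at off."""
    n = struct.unpack_from(e + "H", tiff, off)[0]
    entries = (struct.unpack_from(e + "HHI4s", tiff, off + 2 + 12 * i) for i in range(n))
    return {tag: (typ, cnt, raw) for tag, typ, cnt, raw in entries}


def _rationals(tiff, raw, count, e):
    off = struct.unpack_from(e + "I", raw)[0]   # RATIONALs never fit inline, so raw is an offset
    return [n / d for n, d in (struct.unpack_from(e + "II", tiff, off + 8 * i) for i in range(count))]


def _decimal(dms, ref):
    deg = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -deg if ref in ("S", "W") else deg


def exif_gps(jpeg):
    """(lat, lon) in decimal degrees, or None when the JPEG carries no GPS tags."""
    tiff = next((p[6:] for m, p in _segments(jpeg) if m == 0xFFE1 and p.startswith(b"Exif\0\0")), None)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"            # byte order lives in the TIFF header
    magic, ifd0_off = struct.unpack_from(e + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header in Exif segment")
    ifd0 = _read_ifd(tiff, ifd0_off, e)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack_from(e + "I", ifd0[TAG_GPS_IFD][2])[0], e)
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    lat = _decimal(_rationals(tiff, gps[TAG_LAT][2], 3, e), gps[TAG_LAT_REF][2][:1].decode())
    lon = _decimal(_rationals(tiff, gps[TAG_LON][2], 3, e), gps[TAG_LON_REF][2][:1].decode())
    return round(lat, 4), round(lon, 4)


def strip_exif(jpeg):
    """Copy of the JPEG with every APP1 segment dropped; scan data and EOI are kept as-is."""
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 2 <= len(jpeg):
        marker = struct.unpack_from(">H", jpeg, pos)[0]
        if marker in (0xFFD9, 0xFFDA):
            return bytes(out) + jpeg[pos:]
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker != 0xFFE1:
            out += jpeg[pos:pos + 2 + length]
        pos += 2 + length
    return bytes(out)


if __name__ == "__main__":
    photo = build_sample_jpeg((45, 2, 7.8), "N", (38, 58, 31.08), "E")  # constructed coordinates
    print("GPS in photo:", exif_gps(photo))                      # (45.0355, 38.9753)
    print("after stripping APP1:", exif_gps(strip_exif(photo)))  # None
```

The parser reads the byte order from the TIFF header rather than assuming it, because real cameras write both "II" and "MM" files, and it returns None rather than guessing when any of the four GPS tags is missing. Stripping APP1 wholesale is the blunt but reliable mitigation: it discards the camera model and timestamps along with the coordinates, which for someone trying not to leave a digital footprint is the point.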

The 18-page complaint [PDF] details how a special agent with the US Naval Criminal Investigative Service, assigned to the FBI's Cyber Task Force in Austin, Texas, identified Rudometov. It started with a March 2020 blog that alleged Redline was created by two developers who used the monikers "Dendimirror" and "Alinchok." The post also included a rough analysis of the Redline infostealer.

How to catch a cybercrim

Further research uncovered posts as far back as 2017 on several Russian-language hacking forums under the Dendimirror moniker that were connected to a different infostealer, called "MysteryStealer." 

Also around this time, a private US security firm spotted a Yandex email address in a leaked database "used by an unnamed Russian-language hacker forum which was used to register an account that used the Dendimirror moniker," the court documents explain. 

Yandex is a Russian internet company. Subsequent investigation linked this email address to other monikers, including "GHackiHG", which was in turn connected to Dendimirror, as well as to Google and Apple services used by Rudometov and to a dating profile.

"The association between moniker GHackiHG and Dendimirror was further corroborated by information shared on several hacker forums by users bearing both monikers, including several of which included in their contact information: a Skype username known to law enforcement, the Yandex email address, and a VK profile owned by an individual named "Максим Рудомётов (Maxim Rudometov)," according to the complaint. 

VK is a Russian social media site. The profile and photos posted by this account "bore a close resemblance to an individual depicted in an advertisement included" in the earlier March 2020 blog that bragged about the promoter's skills in coding plus "writing botnets and stealers."

After uncovering these connections, the feds obtained data from Apple, Google, and Microsoft related to both the GHackiHG and Dendimirror monikers, and found that the Yandex email address had been used to register an Apple account by Rudometov. 

"A judicially authorized search of this Apple account revealed an associated iCloud account and numerous files that were identified by antivirus engines as malware, including at least one that was analyzed by the Department of Defense Cybercrime Center and determined to be RedLine," the court documents note.

In August 2021, law enforcement obtained a copy of a portion of the licensing server used by Redline from an unnamed security firm, and found a treasure trove of data within server logs that linked to Rudometov's various accounts and services. 

This included an IP address requesting a build of RedLine from the licensing server, another IP address used more than 700 times to access an iCloud account belonging to Rudometov that contained Redline malware code, a Binance cryptocurrency exchange account registered using the Yandex email address, a GitHub account and "numerous" other links between the Russian and the Redline infostealer. 

"In summary, there are numerous financial and IP connections between online accounts registered to Rudometov and the server which is used by the RedLine malware to configure deployable versions of the infostealer," according to the court documents. ®
