Tracking the FBI’s Most Wanted: "RedLine" Info-Stealer Creator Maxim Rudometov
2024-11-4 15:22:8 Author: www.osinord.com(查看原文) 阅读量:11 收藏

A coalition of international law enforcement agencies has been investigating the creator and distributor of the notorious infostealer variant RedLine in an operation codenamed “Operation Magnus.” RedLine, a MaaS (Malware-as-a-Service), has stolen sensitive data from millions of users worldwide, including credit card information, browser history, autofill form data, emails, and passwords. Active since 2020, RedLine is one of the most widespread infostealer variants. Read more.

In August 2021, law enforcement obtained a portion of data from one of RedLine's licensing servers, which was voluntarily reported by a security company to the U.S. government. U.S. investigators then secured a search warrant to analyze the data, uncovering evidence linking Maxim Rudometov to the development and deployment of RedLine. According to an FBI arrest warrant, Rudometov was found to be interacting with or accessing the licensing server using multiple usernames.

On May 16, 2021, a username “Heijs” using an IP address ending in -.180 requested a build of RedLine from the licensing server. Approximately nine minutes later, the same IP address was logged by Apple as having accessed an iCloud account belonging to Maxim Rudometov. Further IP addresses associated with Rudometov’s online accounts also interacted with the RedLine licensing server, under usernames “Admin12” and “testpanel.”

Additionally, on May 2, 2021, an individual using an IP address ending in -.14 signed a malicious file via the licensing server. About an hour earlier, the same IP address was logged into an Apple iCloud account belonging to Rudometov while playing a mobile game. The IP address was assigned to an Internet Service Provider in Krasnodar, Russia, and was later linked to a Skype account used on hacker forums and to access a GitHub repository containing a known exploit for Windows devices. In July 2021 alone, this IP address reportedly accessed the iCloud account approximately 701 times. Source. The FBI announced the following pictures of Maxim Rudometov in their announcement.

What We Know So Far

There is strong evidence implicating Maxim Rudometov as a significant individual behind the MaaS RedLine. His IP address is associated with an Internet Service Provider located in Krasnodar, Russia. Additionally, he has been located in Luhansk, Ukraine at some point in his life.

Beginning Our OSINT Investigation

We found supporting evidence indicating that Maxim Rudometov was indeed in Luhansk, Ukraine, in 2021. During that time, he obtained a driver’s license from a driving school in Luhansk called "AutoLux."

Although the picture above is presumably newer than those provided by the FBI, we were able to find recent photos of Maxim Rudometov, further expanding the timeline of his whereabouts. Maxim Rudometov frequently gets tattooed at a specific salon in Krasnodar, as seen on the artist’s Instagram account.

The Extravagant Lifestyle of Maxim Rudometov We have, on multiple occasions, located Rudometov at upscale nightclubs, bars, and restaurants, which provides interesting information about his lifestyle and whereabouts. Additionally, as we will see, we have found the most recent pictures of Maxim Rudometov, taken this summer (July 28, 2024).

But first, we will geolocate Rudometov’s whereabouts.

Here, Maxim Rudometov is seen with some close friends. We were able to geolocate the bar by conducting in-depth SOCMINT and analyzing various details visible in the image above.

As can be seen in the blue and yellow circles, the windows and furniture match each other, which supports the hypothesis. We then analyzed the EXIF data of the image of Maxim, which provided us with the name of the photographer.

It was then possible to correlate the photographer’s photo album of Maxim to a bar called Petrovodkin Bar, which is located in Krasnodar, Russia.

We were also able to locate Maxim Rudometov at a club called ‘La Villa’, which is also located in the heart of Krasnodar. The pictures were taken on May 19, 2023.

Introducing the most recent picture of Maxim Rudometov

The following picture was posted on Instagram on July 28, 2024. This is the most recent picture of Maxim Rudometov, as seen in the purple circle.

We then geolocated the above picture. As can be seen in the below picture, we used Yandex Street View to find the exact location of the bar.

You can see the same facade, tree, sign, and structure of the building by comparing the circles, but let’s take a closer look at the structures seen on the right and compare them to the group picture of Maxim.

As can be seen, the structures are identical to the group picture. Furthermore, by inspecting the business listing on Yandex, there were multiple pictures of the same facade outside the bar.

The bar is called “Ракета и Казбек” and is also located in Krasnodar, Russia. We could then locate Maxim Rudometov at a bar in late July 2024.

Maxim Rudometov’s contemporary online presence

We were able to identify Maxim’s Instagram account, which is still active. He is commenting on several of his friend’s pictures, but they are not following each other indicating that he might have improved his OPSEC measures. We could still locate Maxim Rudometov in various pictures shared by his close friends.

Let’s go back to the picture from the Petrovodkin bar.

We were able to figure out who was sitting on the other side of the table.

By conducting in-depth Social Media Intelligence (SOCMINT) on the above individuals, we were able to find multiple other pictures of Maxim.

All of the people appearing in the Polaroid pictures were tagged on Instagram, including Maxim Rudometov.

We were also able to locate his Instagram account. Even though the account was private, it was possible to find multiple people tagging rudometov.maxim in various posts, videos, stories, and pictures.

This is his Instagram account:

As can be seen, the account is closed. But there’s some interesting information present in the profile picture. We can clearly see a Mercedes Benz. We’ve found an interesting story posted by one of Maxim’s friends. As can be seen below.

By comparing the interior from Maxim’s video to the interior of a Mercedes Benz E-Class Coupe, we can see identical features.

Also, we can compare the Mercedes from Maxim’s Instagram profile picture to a Mercedes Benz E-Class Coupe from the outside.

We can see that the grill and front lights are identical to the pictures on his Instagram account.


文章来源: https://www.osinord.com/post/tracking-the-fbi-s-most-wanted-redline-info-stealer-creator-maxim-rudometov
如有侵权请联系:admin#unsafe.sh