Jabber Zeus
Jabber Zeus was a cybercriminal syndicate and associated Trojan horse created and run by hackers and money launderers based in Russia, the United Kingdom, and Ukraine.[lower-alpha 1] It was the second main iteration of the Zeus malware and racketeering enterprise, succeeding Zeus and preceding Gameover Zeus.
Jabber Zeus was operational from around 2009 until 2010. The crew, consisting of nine core members, sent spam emails containing the Trojan to small businesses. The Trojan would send the victim's banking information, including one-time passwords, in real-time, using the Jabber protocol, to the criminals, who would use the information to drain the victim's bank account of funds and launder it using a massive network of money mules, where it would eventually reach the group. The malware may also have been used for espionage. In September 2010, the Trojan was updated to include several other capabilities designed to enhance its security.
Between September 30 and October 1 of 2010, several key members and money mules for the group were arrested in a joint operation between the Federal Bureau of Investigation, the Russian Federal Security Service, the Security Service of Ukraine, and police agencies in the United Kingdom and the Netherlands. Although the individuals arrested in Ukraine were quickly released due to core member Vyacheslav Penchukov's government connections and no conspirators were arrested in Russia, the group was effectively shut down by the arrests. A year later, in September 2011, the group and malware would re-emerge as Gameover Zeus.
Organization and activity
Core members
An indictment filed in the District of Nebraska on August 22, 2012, listed nine core Jabber Zeus members:
- Evgeniy Bogachev, alias "lucky12345",[lower-alpha 2] a resident of Russia. Bogachev was the primary developer of the Jabber Zeus malware and the preceding Zeus Trojan creation kit.[10]
- Vyacheslav Penchukov, aliases "tank" and "father", a resident of Ukraine. Penchukov coordinated the movement of stolen bank credentials, as well as the money mule network.[11] He was the first person to be notified by the malware of an infection and the only member of the crew to communicate with Bogachev.[12]
- Yevhen Kulibaba, alias "jonni", a resident of the United Kingdom. Kulibaba was the alleged ringleader of the group,[13][14] but this is disputed by Brian Krebs and Patrick O'Neill, who state that Penchukov or Bogachev, respectively, was the leader.[lower-alpha 3][12]
- Yuriy Konovalenko, alias "jtk0", a resident of the United Kingdom. Konovalenko served as Kulibaba's right-hand man in the UK,[13] providing him with banking details from victims and money mules, and collecting data from his co-conspirators.[11]
- Ivan Klepikov, aliases "petr0vich" and "nowhere", a resident of Ukraine. Klepikov was a system administrator for the crew.[11]
- Alexey Bron, alias "thehead", a resident of Ukraine. Bron managed the transfer of funds using the online payment service WebMoney.[11]
- Alexey Tikonov, alias "kusanagi", a resident of Russia. Tikonov was a coder for the criminal enterprise.[11]
- Maksim Yakubets, alias "aqua",[lower-alpha 4] a resident of Russia. Yakubets managed and recruited money mules for the group.[12][17]
- "mricq", real name unknown, a resident of Ukraine. "mricq" was a coder for the crew.[18]
The indictment charged the core members with bank and computer fraud, racketeering, and identity theft.[1][19]
Modus operandi and the Jabber Zeus malware
The Jabber Zeus crew operated by distributing, usually via spam emails,[20] and installing the namesake malware onto victims' computers, then using it to gain access to their bank accounts. Money would be stolen from the accounts and transferred to a network of money mules who would launder the money before it eventually reached the criminals. The money mules were usually unaware that they were handling stolen finances.[17] The FBI claimed in 2010 that more than 3,500 such money mules existed.[21] The Jabber Zeus crew primarily targeted small businesses.[15] In 2010, investigators estimated that at minimum, $70 million had been stolen by the criminals, with the true number being much higher.[7]
The crew's activity dates back to at least 2009. The initial version of the Jabber Zeus malware was built from the standard Zeus kit, then known as Zeus 2.[22] The malware was mainly distinguished from other Zeus variants by a modification allowing it to send victims' banking credentials, particularly one-time passwords, to the criminals as soon as the victim logged in. The message was sent via the Jabber protocol,[23][24] hence the name "Jabber Zeus".[10] In September 2010, Bogachev provided the crew with a specialized version of the malware, known as ZeuS 2.1.0.X.[25] This contained other unique capabilities, including a domain generation algorithm to prevent shutdown attempts, regular expression support, and the ability to infect files.[26] The malware was additionally protected by an encryption key that required Penchukov to purchase each copy individually at a cost of $10,000 per copy.[7]
Infected machines, as with other Zeus variants, formed a botnet that could be accessed and controlled by the group.[27] Analysis of several Zeus variants, including Jabber Zeus, uncovered attempts by this botnet to search for secret and sensitive information in Georgia, Turkey, and Ukraine, leading to suspicion that the malware was additionally used for espionage on behalf of Russia.[28]
On September 11, 2011, the Jabber Zeus malware was updated to Gameover Zeus, the final known variant of Zeus developed by Bogachev.[29]
Conflict with Brian Krebs
On July 2, 2009, the Washington Post published a story by Brian Krebs describing the Jabber Zeus crew's theft of $415,000 from the government of Bullitt County, Kentucky.[30] Shortly after, Krebs was contacted by an individual who had hacked into the crew's Jabber instant message server and was able to read private chats between them. The members of the syndicate were also aware of the Washington Post story, and expressed frustration that their exploits were now public information; in a chat between Penchukov and Bogachev, the former claimed that "now the entire USA knows about Zeus", to which Bogachev concurred: "It's fucked." Members of the crew would keep up with Krebs's writing thereafter.[10]
Krebs also gained access to the messages sent to the money mules by the group, exploiting a security flaw in the money mule recruitment websites that allowed an automated scraper to grab messages sent to any other user; users could, after logging in, read messages to other users by changing a number in the URL.[17] With this access, he was able to prevent and write about several breach attempts by the crew by contacting victim businesses. On December 13, 2009, the crew discovered that Krebs had been let go by the Washington Post prior to this information becoming public, and celebrated the event, with a money mule recruiter hoping for an eventual confirmation of the rumor: "Good news expected exactly by the New Year!"[15]
Investigation
Operation Trident Breach
In September 2009, the Federal Bureau of Investigation (FBI) obtained a search warrant for a server in New York that was suspected of being tied to the Jabber Zeus enterprise. The server was discovered to contain the crew's chats, which the FBI began monitoring.[7] Shortly thereafter, they began to share information from the chats with Russia's Federal Security Service (FSB) and the Security Service of Ukraine (SBU).[12] Penchukov was identified around this time; he had sent a message on July 22 containing his newborn daughter's name and weight, which was correlated with Ukrainian birth records.[15] In April 2010, the crew became aware that they were being monitored, possibly tipped off by a corrupt SBU agent, but continued to send messages using the compromised server for a time.[12]
The FBI organized Operation Trident Breach, a collaboration between the FBI, FSB, SBU, and police agencies in the UK and the Netherlands, in 2010 to capture the leaders of the Jabber Zeus group. The operation was mainly coordinated in June 2010, at a house owned by SBU director Valeriy Khoroshkovskyi, with the agencies planning to arrest the suspects on September 29 of that year. However, the operation was pushed back several times, eventually to October 1, at the request of the SBU, by which point they had lost track of Penchukov.[12] Penchukov had been tipped off about the upcoming operation and had gone into hiding.[15]
Between September 30 and October 1, 2010, Operation Trident Breach was executed, resulting in the arrest of 39 US citizens, 20 UK residents, and five Ukrainians.[31] There were no arrests in Russia.[12] The operation had started a day early in response to reports that Penchukov and other suspects had been tipped off.[21] Among the arrested were Kulibaba and Konovalenko, who were convicted in the UK in 2011,[32] then extradited to the US in 2014,[11] and Klepikov, who was not extradited due to the Ukrainian constitution's prohibition on extraditing citizens and eventually let go along with the other arrested Ukrainians. Penchukov, leveraging his connections with Ukrainian president Viktor Yanukovych and local authorities in his hometown of Donetsk, managed to get the charges against himself dropped.[12][10] Despite the escape of several key members, the syndicate was disrupted and effectively shut down by the operation.[7]
Identification of Bogachev and Yakubets
Bogachev and Yakubets's identities were not publicly known until after Jabber Zeus dissolved and reformed into Gameover Zeus in the wake of the arrests; they were only known by their pseudonyms, "lucky12345" and "aqua", respectively, as members of the group. Bogachev was also known as "Slavik", though he was not identified as such in the 2012 indictment.[33]
Bogachev was identified in 2014, after a source pointed investigators working for Fox-IT, a security research company, to one of his email addresses. Although Bogachev had used a VPN to administer the Gameover Zeus botnet, he had used the same VPN to access his personal accounts, allowing investigators, who had previously penetrated the botnet's command servers, to tie the system to Bogachev.[7][34]
Yakubets was formally identified in a criminal complaint on November 14, 2019, based on evidence collected from 2010 to 2018. An attempt to determine who rented the Jabber server the FBI breached in 2009 uncovered no leads, as the server was rented under a false name.[23] On July 9, 2010, US authorities sent a mutual legal assistance request to Russia for information regarding "aqua"; Russian authorities responded with evidence that "aqua" was Yakubets, obtained from his email account, which used the "aqua" pseudonym, but contained emails identifying him by his real name, as well as his address. On December 25, 2012, a woman who was found to be living at Yakubets's address identified her spouse as Yakubets in a visa application and listed a boy traveling with her as her son. The child's name was found in intercepted chat logs between Yakubets and Penchukov from 2009. On March 19, 2018, Microsoft, following a court order, provided records connecting Yakubets's Skype account and his email. On August 12, 2018, Yakubets's now-ex-wife and her son applied for another visa, again listing Yakubets as the woman's ex-husband.[35][36]
Arrest of Penchukov
Penchukov was arrested in Geneva, Switzerland, on October 23, 2022, and his extradition to the United States was granted on November 15. Penchukov's arrest was given by CNN writer Sean Lyngaas and Krebs as an example of the opportunities to arrest cybercriminals opened up by the Russian invasion of Ukraine as they flee the country for their own safety.[37][38]
See also
- List of computer criminals
- Timeline of computer viruses and worms
- Dridex, separate malware conspiracy involving Yakubets
- Torpig, another botnet spread through Trojan horses
- Black hat (computer security), term analogous to "cybercriminals"
Notes and references
Notes
- The syndicate's name is also rendered as Jabberzeus,[1] JabberZeus,[2] Jabber ZeuS,[3] and JabberZeuS,[4] but its members referred to it as the "business club".[5] The malware was known additionally as Licat, Murofet, and ZeuS 2.1.0.X,[6] the latter of which was often shortened to Zeus 2.1.[7][8]
- Referred to as "John Doe #1" in the 2012 indictment. He was formally tied to the "lucky12345" moniker in another indictment issued on May 30, 2014.[9]
- Krebs had referred to Kulibaba as the crew's ringleader in 2015,[10] but in 2022 he had named Penchukov as its leader.[15]
- Referred to as "John Doe #2" in the 2012 indictment. He was formally tied to the "aqua" moniker in a criminal complaint issued on November 14, 2019.[16]
References
- "Evolution of the GOLD EVERGREEN Threat Group". Secureworks. May 17, 2017. Archived from the original on January 27, 2023. Retrieved May 5, 2023.
- Stahie, Silviu (November 18, 2022). "Alleged JabberZeus Crime Gang Leader Arrested in Switzerland". Bitdefender Blog. Archived from the original on May 5, 2023. Retrieved May 5, 2023.
- Danchev, Dancho (June 2, 2021). "Profiling the "Jabber ZeuS" Rogue Botnet Enterprise – An Analysis". WhoisXML API. Archived from the original on December 5, 2022. Retrieved May 5, 2023.
- Bederna, Zsolt; Szádeczky, Tamás (2021). "Effects of botnets – a human-organisational approach". Security and Defence Quarterly. 35 (3): 35. doi:10.35467/sdq/138588.
- Sandee 2015, p. 6.
- Sandee 2015, p. 4.
- Graff, Garrett M. (March 21, 2017). "Inside the Hunt for Russia's Most Notorious Hacker". WIRED. Archived from the original on April 23, 2023. Retrieved May 7, 2023.
- Peterson, Sandee & Werner 2015, 7:42–7:47.
- "EVGENIY MIKHAILOVICH BOGACHEV". FBI.gov. Federal Bureau of Investigation. May 27, 2014. Archived from the original on April 23, 2023. Retrieved May 5, 2023.
- Krebs, Brian (February 25, 2015). "FBI: $3M Bounty for ZeuS Trojan Author". Krebs on Security. Archived from the original on April 7, 2023. Retrieved May 5, 2023.
- "Nine Charged in Conspiracy to Steal Millions of Dollars Using "Zeus" Malware". Justice.gov. Department of Justice. October 6, 2011. Archived from the original on April 22, 2023. Retrieved May 7, 2023.
- O'Neill, Patrick Howell (July 8, 2021). "Inside the FBI, Russia, and Ukraine's failed cybercrime investigation". MIT Technology Review. Archived from the original on April 27, 2023. Retrieved May 7, 2023.
- "Ringleaders of £3m online 'Trojan' bank scam jailed". BBC. November 1, 2011. Archived from the original on July 11, 2021. Retrieved May 7, 2023.
- Dunn, John E. (October 6, 2011). "Zeus Trojan Gang Member Gets Jail for Huge UK Fraud". CSO Online. Archived from the original on May 7, 2023. Retrieved May 7, 2023.
- Krebs, Brian (November 15, 2022). "Top Zeus Botnet Suspect "Tank" Arrested in Geneva". Krebs on Security. Archived from the original on April 10, 2023. Retrieved May 7, 2023.
- "MAKSIM VIKTOROVICH YAKUBETS". FBI.gov. Federal Bureau of Investigation. April 29, 2019. Archived from the original on March 17, 2023. Retrieved May 5, 2023.
- Krebs, Brian (December 16, 2019). "Inside 'Evil Corp,' a $100M Cybercrime Menace". Krebs on Security. Archived from the original on March 23, 2023. Retrieved May 6, 2023.
- D. Neb 2019, p. 3.
- US v. Penchukov et al. (indictment), 4:11CR 3074, pp. 1–15 (D. Neb. August 22, 2012).
- Peterson, Sandee & Werner 2015, 2:45–2:53.
- Krebs, Brian (October 2, 2010). "Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists". Krebs on Security. Archived from the original on March 6, 2023. Retrieved May 7, 2023.
- Peterson, Sandee & Werner 2015, 6:09–7:47.
- Gruber et al. 2022, p. 9.
- Al-Bataineh, Areej; White, Gregory (2012). "Analysis and detection of malicious data exfiltration in web traffic". 2012 7th International Conference on Malicious and Unwanted Software. International Conference on Malicious and Unwanted Software. Fajardo, Puerto Rico: IEEE. p. 27. doi:10.1109/MALWARE.2012.6461004.
- Peterson, Sandee & Werner 2015, 6:09-7:47.
- Peterson, Sandee & Werner 2015, 7:47–8:13.
- Sandee 2015, p. 4-5.
- Sandee 2015, p. 21-22.
- Peterson, Sandee & Werner 2015, 8:19–8:33.
- Krebs, Brian (July 2, 2009). "PC Invader Costs Ky. County $415,000". Washington Post. Archived from the original on September 18, 2020. Retrieved May 7, 2023.
- Frieden, Terry (October 1, 2010). "FBI announces arrests in $70 million cyber-theft". CNN. Archived from the original on November 3, 2022. Retrieved May 7, 2023.
- Krebs, Brian (October 4, 2011). "ZeuS Trojan Gang Faces Justice". Archived from the original on February 7, 2023. Retrieved May 7, 2023.
- Stahl, Lesley (April 21, 2019). "The growing partnership between Russia's government and cybercriminals". CBS. Archived from the original on January 18, 2023. Retrieved May 7, 2023.
- Peterson, Sandee & Werner 2015, 41:06–41:31.
- D. Neb 2019, p. 26-30.
- Gruber et al. 2022, p. 9-10.
- Lyngaas, Sean (November 16, 2022). "Swiss arrest alleged Ukrainian cybercriminal hunted by the FBI for a decade". CNN. Archived from the original on May 6, 2023. Retrieved May 6, 2023.
- Krebs, Brian (May 4, 2023). "$10M Is Yours If You Can Get This Guy to Leave Russia". Krebs on Security. Archived from the original on May 6, 2023. Retrieved May 7, 2023.
General sources
- Gruber, Jan; Voight, Lena L.; Benenson, Zinaida; Freiling, Felix C. (September 2022). "Foundations of cybercriminalistics: From general process models to case-specific concretizations in cybercrime investigation". Forensic Science International: Digital Investigation. 43 (Supplement). doi:10.1016/j.fsidi.2022.301438.
- Peterson, Elliott; Sandee, Michael; Werner, Tillmann (August 5, 2015). GameOver Zeus: Badguys And Backends (Speech). Black Hat Briefings. Las Vegas. Archived from the original on March 31, 2023. Retrieved May 7, 2023.
- Sandee, Michael (August 5, 2015). “GameOver ZeuS: Backgrounds on the Badguys and the Backends (PDF). Black Hat Briefings. Las Vegas.
- US v. Yakubets. (complaint), 4:19MJ3142 (D. Neb. November 14, 2019).