Jabber Zeus

Jabber Zeus was a cybercriminal syndicate and associated Trojan horse created and run by hackers and money launderers based in Russia, the United Kingdom, and Ukraine. [note 1] It was the second main iteration of the Zeus malware and racketeering enterprise, succeeding Zeus and preceding Gameover Zeus.

Jabber Zeus was operational from around 2009 until 2010. The crew, consisting of nine core members, sent spam emails containing the Trojan to small businesses. The Trojan relayed the victim's banking information, including one-time passwords, to the criminals in real time over the Jabber protocol; they used it to drain the victim's bank account and laundered the funds through a massive network of money mules before the money eventually reached the group. The malware may also have been used for espionage. In September 2010, the Trojan was updated with several other capabilities designed to enhance its security.

Between September 30 and October 1 of 2010, several key members and money mules for the group were arrested in a joint operation between the Federal Bureau of Investigation, the Russian Federal Security Service, the Security Service of Ukraine, and police agencies in the United Kingdom and the Netherlands. Although the individuals arrested in Ukraine were quickly released due to core member Vyacheslav Penchukov's government connections and no conspirators were arrested in Russia, the group was effectively shut down by the arrests. A year later, in September 2011, the group and malware would re-emerge as Gameover Zeus.

Organization and activity

Core members

An indictment filed in the District of Nebraska on August 22, 2012, listed nine core Jabber Zeus members:

The indictment charged the core members with bank and computer fraud, racketeering, and identity theft. [1] [19]

Modus operandi and the Jabber Zeus malware

The Jabber Zeus crew operated by distributing the namesake malware, usually via spam emails, [20] installing it on victims' computers, and then using it to gain access to their bank accounts. Money was stolen from the accounts and transferred to a network of money mules, who laundered it before it eventually reached the criminals. The money mules were usually unaware that they were handling stolen funds. [17] The FBI claimed in 2010 that more than 3,500 such money mules existed. [21] The crew primarily targeted small businesses. [15] In 2010, investigators estimated that at least $70 million had been stolen, with the true total much higher. [7]

The crew's activity dates back to at least 2009. The initial version of the Jabber Zeus malware was built from the standard Zeus kit, then known as Zeus 2. [22] The malware was mainly distinguished from other Zeus variants by a modification that sent victims' banking credentials, particularly one-time passwords, to the criminals as soon as the victim logged in. The message was sent via the Jabber protocol, [23] [24] hence the name "Jabber Zeus". [10] In September 2010, Bogachev provided the crew with a specialized version of the malware, known as ZeuS 2.1.0.X. [25] This contained other unique capabilities, including a domain generation algorithm to prevent shutdown attempts, regular expression support, and the ability to infect files. [26] The malware was additionally protected by an encryption key, which required Penchukov to purchase each copy individually at a cost of $10,000 per copy. [7]
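The security-relevant point in the paragraph above is that a login one-time password offers no protection when it is forwarded to the attacker within its validity window. The following added illustration (not code from the malware, from any bank, or from the sources cited on this page) simulates a simplified HMAC-based OTP with 30-second windows, shows that a code replayed a few seconds after the victim enters it still verifies, and contrasts that with a transaction-bound code that covers the payee and amount the customer confirmed out of band. The window length, secret, timestamps, and payee names are constructed assumptions.

```python
"""Why a real-time relay defeats login OTPs, and how binding the code to
the transaction details closes the gap.

Added illustration; not code from Jabber Zeus or any bank. The OTP scheme
is a simplified HMAC-based code with 30-second windows (an assumption).
"""
import hashlib
import hmac

WINDOW_SECONDS = 30                           # assumed OTP validity window
SHARED_SECRET = b"constructed-demo-secret"    # constructed token seed


def time_window(now: int) -> int:
    """Map a Unix timestamp to its 30-second window index."""
    return now // WINDOW_SECONDS


def _six_digits(secret: bytes, msg: bytes) -> str:
    """Truncate an HMAC-SHA256 over msg to a six-digit code."""
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def login_otp(secret: bytes, now: int) -> str:
    """Code derived only from the secret and the current window: anyone
    who learns it inside the window can use it."""
    return _six_digits(secret, time_window(now).to_bytes(8, "big"))


def verify_login(secret: bytes, code: str, now: int) -> bool:
    """Bank-side check: accept the code for the current window only."""
    return hmac.compare_digest(login_otp(secret, now), code)


def transaction_code(secret: bytes, now: int, payee: str, amount_cents: int) -> str:
    """Code that also covers the payee and amount the customer confirmed on
    a separate device, so it is valid only for that exact transaction."""
    msg = (time_window(now).to_bytes(8, "big")
           + payee.encode() + b"\x00" + amount_cents.to_bytes(8, "big"))
    return _six_digits(secret, msg)


def verify_transaction(secret: bytes, code: str, now: int,
                       payee: str, amount_cents: int) -> bool:
    """Bank-side check of a transaction-bound code."""
    return hmac.compare_digest(
        transaction_code(secret, now, payee, amount_cents), code)


def relay_scenario(delay_seconds: int) -> dict:
    """Simulate a victim entering codes at t0 and the same codes being
    presented delay_seconds later. Returns which checks accepted them."""
    t0 = 1_000_000                          # constructed timestamp
    t0 -= t0 % WINDOW_SECONDS               # align to a window start
    victim_login = login_otp(SHARED_SECRET, t0)
    victim_txn = transaction_code(SHARED_SECRET, t0, "Payroll Co", 120_000)
    t1 = t0 + delay_seconds
    return {
        # a plain login OTP still verifies if replayed inside the window
        "login_replay_accepted": verify_login(SHARED_SECRET, victim_login, t1),
        # the same code does not fit a transaction to a different payee
        "txn_replay_accepted": verify_transaction(
            SHARED_SECRET, victim_txn, t1, "Mule Account", 120_000),
        # the customer's own transaction verifies normally
        "genuine_txn_accepted": verify_transaction(
            SHARED_SECRET, victim_txn, t1, "Payroll Co", 120_000),
    }


if __name__ == "__main__":
    print(relay_scenario(2))
    print(relay_scenario(45))
```

The design choice worth noting is in `transaction_code`: the HMAC input includes what the customer is actually approving, so a code captured from a legitimate session cannot be reused to authorize a different payee, which is the gap the real-time relay exploited.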

Infected machines, as with other Zeus variants, formed a botnet that could be accessed and controlled by the group. [27] Analysis of several Zeus variants, including Jabber Zeus, uncovered attempts by this botnet to search for secret and sensitive information in Georgia, Turkey, and Ukraine, leading to suspicion that the malware was additionally used for espionage on behalf of Russia. [28]

On September 11, 2011, the Jabber Zeus malware was updated to Gameover Zeus, the final known variant of Zeus developed by Bogachev. [29]

Conflict with Brian Krebs

On July 2, 2009, the Washington Post published a story by Brian Krebs describing the Jabber Zeus crew's theft of $415,000 from the government of Bullitt County, Kentucky. [30] Shortly after, Krebs was contacted by an individual who had hacked into the crew's Jabber instant message server and was able to read private chats between them. The members of the syndicate were also aware of the Washington Post story, and expressed frustration that their exploits were now public information; in a chat between Penchukov and Bogachev, the former claimed that "now the entire USA knows about Zeus", to which Bogachev concurred: "It's fucked." Members of the crew would keep up with Krebs's writing thereafter. [10]

Krebs also gained access to the messages sent to the money mules by the group, exploiting a security flaw in the money mule recruitment websites that allowed an automated scraper to grab messages sent to any other user; users could, after logging in, read messages to other users by changing a number in the URL. [17] With this access, he was able to prevent and write about several breach attempts by the crew by contacting victim businesses. On December 13, 2009, the crew discovered that Krebs had been let go by the Washington Post prior to this information becoming public, and celebrated the event, with a money mule recruiter hoping for an eventual confirmation of the rumor: "Good news expected exactly by the New Year!" [15]
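The flaw described above, where changing a number in the URL exposes another user's messages, is an insecure direct object reference: the site authenticated the user but never checked that the requested message belonged to them. The following added illustration (not code from the recruitment sites or from any source on this page; the inbox contents and user names are constructed) shows the unchecked lookup beside one that authorizes the object against the session and answers "not yours" and "does not exist" identically so that valid ids cannot be enumerated from differing errors.

```python
"""Insecure direct object reference in a message inbox, beside the
ownership check that closes it. Added illustration with constructed data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    recipient: str
    body: str


# Constructed sample inbox. Sequential ids mean every other user's message
# is one URL edit away unless the server checks ownership.
MESSAGES = {
    101: Message(101, "mule_a", "constructed message for mule_a"),
    102: Message(102, "mule_b", "constructed message for mule_b"),
    103: Message(103, "mule_c", "constructed message for mule_c"),
}


class Forbidden(Exception):
    """Raised when a session may not read the requested message."""


def read_message_vulnerable(session_user: str, msg_id: int) -> str:
    """Authenticated but not authorized: any logged-in user can read any id."""
    return MESSAGES[msg_id].body


def read_message_fixed(session_user: str, msg_id: int) -> str:
    """Authorize the object against the session before returning it.
    Missing and foreign messages get the same response, so an attacker
    cannot tell which ids exist by probing error codes."""
    msg = MESSAGES.get(msg_id)
    if msg is None or msg.recipient != session_user:
        raise Forbidden(f"message {msg_id} not available to {session_user}")
    return msg.body


def count_readable(reader, session_user: str) -> int:
    """Number of stored messages a session can read through `reader`;
    a direct measure of the exposure with and without the check."""
    readable = 0
    for msg_id in MESSAGES:
        try:
            reader(session_user, msg_id)
            readable += 1
        except (Forbidden, KeyError):
            pass
    return readable


if __name__ == "__main__":
    print("vulnerable:", count_readable(read_message_vulnerable, "mule_a"))
    print("fixed:     ", count_readable(read_message_fixed, "mule_a"))
```

The mitigation is the single ownership comparison in `read_message_fixed`; making the check a server-side rule on every object lookup, rather than relying on the user not guessing ids, is what removes the exposure.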

Investigation

Operation Trident Breach

In September 2009, the Federal Bureau of Investigation (FBI) obtained a search warrant for a server in New York that was suspected of being tied to the Jabber Zeus enterprise. The server was discovered to contain the crew's chats, which the FBI began monitoring. [7] Shortly thereafter, they began to share information from the chats with Russia's Federal Security Service (FSB) and the Security Service of Ukraine (SBU). [12] Penchukov was identified around this time; he had sent a message on July 22 containing his newborn daughter's name and weight, which was correlated with Ukrainian birth records. [15] In April 2010, the crew became aware that they were being monitored, possibly tipped off by a corrupt SBU agent, but continued to send messages using the compromised server for a time. [12]

The FBI organized Operation Trident Breach, a collaboration between the FBI, FSB, SBU, and police agencies in the UK and the Netherlands, in 2010 to capture the leaders of the Jabber Zeus group. The operation was mainly coordinated in June 2010, at a house owned by SBU director Valeriy Khoroshkovskyi, with the agencies planning to arrest the suspects on September 29 of that year. However, the operation was pushed back several times, eventually to October 1, at the request of the SBU, by which point they had lost track of Penchukov. [12] Penchukov had been tipped off about the upcoming operation and had gone into hiding. [15]

Between September 30 and October 1, 2010, Operation Trident Breach was executed, resulting in the arrest of 39 US citizens, 20 UK residents, and five Ukrainians. [31] There were no arrests in Russia. [12] The operation had started a day early in response to reports that Penchukov and other suspects had been tipped off. [21] Among the arrested were Kulibaba and Konovalenko, who were convicted in the UK in 2011, [32] then extradited to the US in 2014, [11] and Klepikov, who was not extradited due to the Ukrainian constitution's prohibition on extraditing citizens and eventually let go along with the other arrested Ukrainians. Penchukov, leveraging his connections with Ukrainian president Viktor Yanukovych and local authorities in his hometown of Donetsk, managed to get the charges against himself dropped. [12] [10] Despite the escape of several key members, the syndicate was disrupted and effectively shut down by the operation. [7]

Identification of Bogachev and Yakubets

Bogachev and Yakubets's identities were not publicly known until after Jabber Zeus dissolved and reformed into Gameover Zeus in the wake of the arrests; they were only known by their pseudonyms, "lucky12345" and "aqua", respectively, as members of the group. Bogachev was also known as "Slavik", though he was not identified as such in the 2012 indictment. [33]

Bogachev was identified in 2014, after a source pointed investigators working for Fox-IT, a security research company, to one of his email addresses. Although Bogachev had used a VPN to administer the Gameover Zeus botnet, he had used the same VPN to access his personal accounts, allowing investigators, who had previously penetrated the botnet's command servers, to tie the system to Bogachev. [7] [34]

Yakubets was formally identified in a criminal complaint on November 14, 2019, based on evidence collected from 2010 to 2018. An attempt to determine who rented the Jabber server the FBI breached in 2009 uncovered no leads, as the server was rented under a false name. [23] On July 9, 2010, US authorities sent a mutual legal assistance request to Russia for information regarding "aqua"; Russian authorities responded with evidence that "aqua" was Yakubets, obtained from his email account, which used the "aqua" pseudonym, but contained emails identifying him by his real name, as well as his address. On December 25, 2012, a woman who was found to be living at Yakubets's address identified her spouse as Yakubets in a visa application and listed a boy traveling with her as her son. The child's name was found in intercepted chat logs between Yakubets and Penchukov from 2009. On March 19, 2018, Microsoft, following a court order, provided records connecting Yakubets's Skype account and his email. On August 12, 2018, Yakubets's now-ex-wife and her son applied for another visa, again listing Yakubets as the woman's ex-husband. [35] [36]

Arrest of Penchukov

Penchukov was arrested in Geneva, Switzerland, on October 23, 2022, and his extradition to the United States was granted on November 15. CNN writer Sean Lyngaas and Krebs both cited Penchukov's arrest as an example of the opportunities, opened up by the Russian invasion of Ukraine, to arrest cybercriminals as they flee the country for their own safety. [37] [38]

Notes and references

Notes

  1. The syndicate's name is also rendered as Jabberzeus, [1] JabberZeus, [2] Jabber ZeuS, [3] and JabberZeuS, [4] but its members referred to it as the "business club". [5] The malware was known additionally as Licat, Murofet, and ZeuS 2.1.0.X, [6] the latter of which was often shortened to Zeus 2.1. [7] [8]
  2. Referred to as "John Doe #1" in the 2012 indictment. He was formally tied to the "lucky12345" moniker in another indictment issued on May 30, 2014. [9]
  3. Krebs had referred to Kulibaba as the crew's ringleader in 2015, [10] but in 2022 he had named Penchukov as its leader. [15]
  4. Referred to as "John Doe #2" in the 2012 indictment. He was formally tied to the "aqua" moniker in a criminal complaint issued on November 14, 2019. [16]


References

  1. "Evolution of the GOLD EVERGREEN Threat Group". Secureworks. May 17, 2017. Archived from the original on January 27, 2023. Retrieved May 5, 2023.
  2. Stahie, Silviu (November 18, 2022). "Alleged JabberZeus Crime Gang Leader Arrested in Switzerland". Bitdefender Blog. Archived from the original on May 5, 2023. Retrieved May 5, 2023.
  3. Danchev, Dancho (June 2, 2021). "Profiling the "Jabber ZeuS" Rogue Botnet Enterprise – An Analysis". WhoisXML API. Archived from the original on December 5, 2022. Retrieved May 5, 2023.
  4. Bederna, Zsolt; Szádeczky, Tamás (2021). "Effects of botnets – a human-organisational approach". Security and Defence Quarterly. 35 (3): 35. doi:10.35467/sdq/138588.
  5. Sandee 2015, p. 6.
  6. Sandee 2015, p. 4.
  7. Graff, Garrett M. (March 21, 2017). "Inside the Hunt for Russia's Most Notorious Hacker". WIRED. Archived from the original on April 23, 2023. Retrieved May 7, 2023.
  8. Peterson, Sandee & Werner 2015, 7:42–7:47.
  9. "EVGENIY MIKHAILOVICH BOGACHEV". FBI.gov. Federal Bureau of Investigation. May 27, 2014. Archived from the original on April 23, 2023. Retrieved May 5, 2023.
  10. Krebs, Brian (February 25, 2015). "FBI: $3M Bounty for ZeuS Trojan Author". Krebs on Security. Archived from the original on April 7, 2023. Retrieved May 5, 2023.
  11. "Nine Charged in Conspiracy to Steal Millions of Dollars Using "Zeus" Malware". Justice.gov. Department of Justice. October 6, 2011. Archived from the original on April 22, 2023. Retrieved May 7, 2023.
  12. O'Neill, Patrick Howell (July 8, 2021). "Inside the FBI, Russia, and Ukraine's failed cybercrime investigation". MIT Technology Review. Archived from the original on April 27, 2023. Retrieved May 7, 2023.
  13. "Ringleaders of £3m online 'Trojan' bank scam jailed". BBC. November 1, 2011. Archived from the original on July 11, 2021. Retrieved May 7, 2023.
  14. Dunn, John E. (October 6, 2011). "Zeus Trojan Gang Member Gets Jail for Huge UK Fraud". CSO Online. Archived from the original on May 7, 2023. Retrieved May 7, 2023.
  15. Krebs, Brian (November 15, 2022). "Top Zeus Botnet Suspect "Tank" Arrested in Geneva". Krebs on Security. Archived from the original on April 10, 2023. Retrieved May 7, 2023.
  16. "MAKSIM VIKTOROVICH YAKUBETS". FBI.gov. Federal Bureau of Investigation. April 29, 2019. Archived from the original on March 17, 2023. Retrieved May 5, 2023.
  17. Krebs, Brian (December 16, 2019). "Inside 'Evil Corp,' a $100M Cybercrime Menace". Krebs on Security. Archived from the original on March 23, 2023. Retrieved May 6, 2023.
  18. D. Neb 2019, p. 3.
  19. US v. Penchukov et al. (indictment), 4:11CR 3074, pp. 1–15 (D. Neb. August 22, 2012).
  20. Peterson, Sandee & Werner 2015, 2:45–2:53.
  21. Krebs, Brian (October 2, 2010). "Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists". Krebs on Security. Archived from the original on March 6, 2023. Retrieved May 7, 2023.
  22. Peterson, Sandee & Werner 2015, 6:09–7:47.
  23. Gruber et al. 2022, p. 9.
  24. Al-Bataineh, Areej; White, Gregory (2012). "Analysis and detection of malicious data exfiltration in web traffic". 2012 7th International Conference on Malicious and Unwanted Software. Fajardo, Puerto Rico: IEEE. p. 27. doi:10.1109/MALWARE.2012.6461004.
  25. Peterson, Sandee & Werner 2015, 6:09–7:47.
  26. Peterson, Sandee & Werner 2015, 7:47–8:13.
  27. Sandee 2015, pp. 4–5.
  28. Sandee 2015, pp. 21–22.
  29. Peterson, Sandee & Werner 2015, 8:19–8:33.
  30. Krebs, Brian (July 2, 2009). "PC Invader Costs Ky. County $415,000". Washington Post. Archived from the original on September 18, 2020. Retrieved May 7, 2023.
  31. Frieden, Terry (October 1, 2010). "FBI announces arrests in $70 million cyber-theft". CNN. Archived from the original on November 3, 2022. Retrieved May 7, 2023.
  32. Krebs, Brian (October 4, 2011). "ZeuS Trojan Gang Faces Justice". Krebs on Security. Archived from the original on February 7, 2023. Retrieved May 7, 2023.
  33. Stahl, Lesley (April 21, 2019). "The growing partnership between Russia's government and cybercriminals". CBS. Archived from the original on January 18, 2023. Retrieved May 7, 2023.
  34. Peterson, Sandee & Werner 2015, 41:06–41:31.
  35. D. Neb 2019, pp. 26–30.
  36. Gruber et al. 2022, pp. 9–10.
  37. Lyngaas, Sean (November 16, 2022). "Swiss arrest alleged Ukrainian cybercriminal hunted by the FBI for a decade". CNN. Archived from the original on May 6, 2023. Retrieved May 6, 2023.
  38. Krebs, Brian (May 4, 2023). "$10M Is Yours If You Can Get This Guy to Leave Russia". Krebs on Security. Archived from the original on May 6, 2023. Retrieved May 7, 2023.

General sources