September 7, 2015

Authorities in Europe have arrested alleged key players behind the development and deployment of sophisticated banking malware, including Citadel and Dridex. The arrests involved a Russian national and a Moldovan man, both of whom were traveling or residing outside of their native countries and are now facing extradition to the United States.

Last week, a 30-year-old from Moldova who was wanted by U.S. authorities was arrested in Paphos — a coastal vacation spot in Cyprus where the accused was reportedly staying with his wife. A story in the Cyprus Mail has few other details about the arrest, other than to say authorities believe the man was responsible for more than $3.5 million in bank fraud using a PC.

Sources close to the investigation say the man is a key figure in an organized crime gang responsible for developing and using a powerful banking Trojan known as “Dridex” (a.k.a. Cridex, Bugat). The Dridex gang is thought to have spun off from the “Business Club,” an Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide.

In June 2014, the U.S. Justice Department joined multiple international law enforcement agencies and security firms in taking down the Business Club’s key asset: The Gameover ZeuS botnet, an ultra-sophisticated, global crime machine that infected upwards of a half-million PCs and was used in countless cyberheists. Dridex would first emerge in July 2014, a month after the Gameover Zeus botnet was dismantled.

Separately, the press in Norway writes about a 27-year-old Russian man identified only as “Mark” who was reportedly arrested in the Norwegian town of Fredrikstad at the request of the FBI. The story notes that American authorities believe Mark is the software developer behind Citadel, a malware-as-a-service product that played a key role in countless cyberheists against American and European small businesses.

For example, Citadel was thought to have been the very same malware used to steal usernames and passwords from a Pennsylvania heating and air conditioning vendor; those same stolen credentials were reportedly leveraged in the breach that resulted in the theft of nearly 40 million credit cards from Target Corp. in November and December of 2013.

The Norwegian newspaper VG writes that Mark has been held under house arrest for the past 11 months, while the FBI tries to work out his extradition to the United States. His detention is being fought by Russia, which is naturally opposed to the treatment he may receive in the United States and says the evidence against Mark is scant.

According to VG, the U.S. Justice Department believes Mark is none other than “Aquabox,” the nickname chosen by the proprietor of the Citadel malware, which was built from the source code of the ZeuS Trojan. Citadel was sold and marketed as a service that let buyers and users interact with the developer and one another, to solicit feedback on how to fix bugs in the malware program, and to request new features in the malware going forward.

For a full translation of the original Citadel sales pitch as penned by Aquabox in 2011, see this link (PDF). For a full translated version of the VG story on Mark, see this PDF (thanks to KrebsOnSecurity reader Jeevan Sivagnanasuntharam for helping with the translation). VG notes that Mark continues to maintain his innocence. [Side note: The Citadel malware has for years had in its code a dig directed at the author of this blog: Included in the guts of the Trojan is the text string, “Coded by BRIAN KREBS for personal use only. I love my job & wife.” Needless to say, the second part of that statement is true, but Citadel was not coded by this Brian Krebs.]

A text string inside of the Citadel trojan. Source: AhnLab

Ars Technica carries an interesting piece about Deniss Calovskis, a Latvian man who was arrested in February and extradited to the United States for his role in creating the Gozi virus, another powerful malware family that has been used in countless cyberheists. The 30-year-old Calovskis long maintained his innocence, but ultimately acknowledged his role in a guilty plea entered in a federal court in Manhattan last week.

In August 2013, Calovskis denied being associated with Gozi, and told a Latvian television news station that he was “like a hostage in this situation. I don’t know about the Gozi virus. I haven’t helped any schemers to get money and I haven’t received any,” he told reporters. According to Reuters, Calovskis changed his tune last week.

“I knew what I was doing was against the law,” he reportedly told the court.

Finally, Finnish authorities are holding a Russian man named Maxim Senakh who is accused of committing malware crimes in the United States. Russian news agency RT says the Russian Foreign Ministry has denounced Senakh’s detention as an “illegal practice” and a “witchhunt.” He was reportedly detained on Aug. 8, 2015.

The various media stories in the European press about Senakh’s arrest say he is wanted for cyber crimes allegedly committed against a victim in Minnesota, but beyond that there are few details about the reason behind his arrest. U.S. authorities are currently seeking his extradition to the United States.

31 thoughts on “Arrests Tied to Citadel, Dridex Malware”

  1. JimV

    More of these botware miscreants need to “bite the dust”, legally-speaking….

  2. ralph seifer

    “a victim in Minnesota” is probably a small outfit known as Target, whose corporate HQ is Minneapolis.

    1. BrianKrebs Post author

      Yes, this is an obvious conclusion, but not one that is supported by anything other than speculation at this point, which is why I didn’t mention it in that paragraph.

        1. Enthusiast

          It’s captured in Ralph Seifer’s comment, though sarcastically (“small outfit”), but I think the reference is pointing to Target, the large retailer.

  3. Supla

    Now Feds arresting cyber crooks? Where do they get information about them? Seems to be that now they get the kingpins! But where is the stolen money? Are they getting the money also? Am I right if I assume the money is in Ukraine and Russia? And another question is who told the criminal organisations to start doing frauds??? How do they know fraud? Where does the knowledge come from? And another question: if they steal money from your bank account then the bank refunds you, but where does the bank get the money?? All that doesn’t make sense to me because all that makes me raise a lot of questions. Why this, why is it like that? Why this and why that? It’s just a very strange story and I don’t get it; there are so many questions but nobody has logical answers.

    1. Ash

      Criminals look for ways to make money based on a few factors: effort, risk, reward. Cyber crime is unique in that the risk and reward are based solely on the effort put in. The more effort you put in, the greater the reward, and the lesser the risk. This is attractive to a criminal, and just as the move from robbing banks turned to dealing drugs, and drugs to people smuggling and the sex industry, more and more criminals have moved into cyber crime.
      The internet is full of websites offering basic information on cyber crime, finding a geek desperate for cash and willing to help, isn’t that hard. You then have willingness to commit a crime, along with know how to commit a cyber crime. Before long a bedroom job has become a much larger setup, the know how has increased, the money is rolling in and greed takes over. That’s when the big scams start to occur, the boat is pushed way out to sea and boom, you have yourself a worldwide botnet for sale and a bitcoin account worth millions.
      The cash doesn’t need to be physical, the bitcoins are traded down, or laundered out through exchanges into other forms of online accounts, think poker sites for example, and then withdrawn by middlemen, and distributed up and down the chain.
      Greed eventually takes over, and someone fucks up. Police don’t break cyber crime, cyber criminals make a mistake, that’s when someone gets caught.

  4. Mike

    There is and always has been “bad guys”. There is and always has been victims of the bad guys. Make your arrests and pat yourselves on the back for a job well done.

    Until we meet again next week at the same bat-time on this same bat-channel…..

    The difference is that there is such a scary-huge portion of the population that is so out-of-touch with the reality of this entire thing, that everyone is left scratching their heads over the “why” or “how” of it. No one wants to deal with it. Everyone wants someone else to fix it. So it gets ignored. As it continues to get ignored, the bad guys are allowed more and more access.

    It is beyond me how such large percentages of the human population is so willing to just let themselves be manipulated and used like this.

    Home users make the transition from desktops with local harddrives to tablets and smart phones with cloud based storage. Isn’t it interesting that at the same time, the problems dramatically increase in size and scope as everything moves from home users to businesses? This all takes place right in front of us and no one even notices. Yet we are told to update our personal systems and apply the latest patches in order to stay safe. LOOK at where the problem is.

    We all want to be upset with Target but they were just simply running that same screwed up browser tool bar that was so popular so many years ago at home. The things that NO ONE should have EVER been running.

    1. sleepy

      @ Mike
      It seems as though you have put a lot of thought into the things you wrote about but without specific details, I can only guess at what problems and solutions you are referring to. Will you please be more specific?

      “The difference is that there is such a scary-huge portion of the population that is so out-of-touch with the reality of this entire thing, that everyone is left scratching their heads over the “why” or “how” of it. No one wants to deal with it. Everyone wants someone else to fix it. So it gets ignored. As it continues to get ignored, the bad guys are allowed more and more access.”
      What is “this entire thing”? What is “it”?

      “The bad guys are allowed more and more access” to what?

      “It is beyond me how such large percentages of the human population is so willing to just let themselves be manipulated and used like this.”
      What are you referring to?

      “Home users make the transition from desktops with local harddrives to tablets and smart phones with cloud based storage. Isn’t it interesting that at the same time, the problems dramatically increase in size and scope as everything moves from home users to businesses? This all takes place right in front of us and no one even notices.”
      What is taking place right in front of us? Are you referring to attacks on cloud-based storage?

      “Yet we are told to update our personal systems and apply the latest patches in order to stay safe. LOOK at where the problem is.”
      Look where?

      “We all want to be upset with Target but they were just simply running that same screwed up browser tool bar that was so popular so many years ago at home. The things that NO ONE should have EVER been running.”
      Are you saying the Target breach was caused by a browser toolbar?

      Thanks

      1. Mike

        “Are you saying the Target breach was caused by a browser toolbar?”

        Have you ever heard of the word “metaphor”? This is kinda what I’m talking about.

        Sorry, when I say….
        “The things that NO ONE should have EVER been running.”

        There are way too many things to list to be more specific. A large portion of which is often considered to be perfectly normal just simply because ‘everyone does it’.

        There is a lot of thought put into this…and a lot of years. There are things that need to change in the way people do things. Until that happens, all this bad stuff is only going to be fluff on the surface for people to talk about. I give specifics all the time on this site but as I said….”No one wants to deal with it. Everyone wants someone else to fix it. So it gets ignored.” Surely you don’t really think that these arrests are going to mean the end of all malware, botnets, viri, hacks, trojans, breaches, DDOS attacks, and website takedowns? Citadel wouldn’t even be a problem if people were more concerned about security than about being able to access Facebook, Twitter, and porn.

        1. sleepy

          “Surely you don’t really think that these arrests are going to mean the end of all malware, botnets, viri, hacks, trojans, breaches, DDOS attacks, and website takedowns?”
          Of course not. Where did I say that?

          It seems as though you assumed I was attacking you. I wasn’t. When I read your original post I felt like I was probably in agreement with you but it was impossible to tell because you kept referring to things like “it” and “this”. I truly wanted to know exactly what problems you were talking about, and what your ideas are for solving those unspecified problems which you referred to. The only specific thing you mentioned was Target and a browser toolbar (which you explained was not actually intended to be specific). Ha ha, you got me with that metaphor! Nice one!

          Is your main concern the fact that most people, corporations, and the government put such a tiny amount of effort into securing their computers, phones, and tablets? If so, then we are in agreement. Do you have any ideas for solving this problem?

          1. Mike

            Email is looked at as such an absolutely must-have kinda thing. It is the primary means of communication even when on the internal company network. This might make some sense when out of the office but NOT when on the home or company network. Email is NOT private or secure. It has always been one of the biggest infection vectors. There have been all kinds of software created that will allow for internal network communications without ever connecting to the internet at all. Use one of them.

            Use of any and all social media should not only be filtered out but not even allowed on the company network (unless that is your job). I’m not talking about signing a paper saying “I will not…” I’m talking about the network being set up to never allow a connection (page cannot be displayed). No monitoring software that slows down the company computer….just filtered out at the main router level. When your job requires you to use five or six websites that are all on the intranet, there is no reason at all for you to have any internet communications at all. In these cases, even OS updates and patches are of little use (if any). Filter out all access to all things other than what you need to do your job.

            Home computers…..NO toolbars, NO Flash, NO Java, NO ActiveX, stay away from IE, DON’T open email from anywhere you’re not expecting it, etc. etc. etc.

            Get rid of your router and replace it with a server (pfsense would be a good OS for it). Get rid of WiFi wherever possible. Wired is the only way to go. Stop being so dependent on tablets and smart phones, they are NOT secure. Play your games if you must. But, I would suggest that you grow up and actually start learning something about these machines and the tremendous power within them.

            ———————————————

            I could write a book detailing and chronicling all this stuff. Many people have done just that. There is too much for one post. No attack intended and I am sorry for making you think I took it that way.

            If you want answers, there are answers. You might not like the answers but they are there.

            1. Sarah

              And this seems to address the superficial obvious with the common masses of people. The corporations, the government entities, the businesses, the financial sector, these are the ones that pose the higher risk, criminal profitability and damage potential that we are all experiencing, either personally from a breech such as Anthem/Target/OPM, or even unknown ramifications. AND our data, our info, the access, is not going to stop by me or my neighbors, or our communities, dumping email and wifi, or our smart devices. Our government now has our personal information mandated to be accessible via any number of departments, over any number of protocols and connections, and we have little say as to its use or security. Hell, my home electrical power is monitored remotely by a smart meter, via the web, and it is not using my home network. I have no say, and no control, over that.

              1. Mike

                I would never suggest that dumping WiFi is the one thing to do to fix all this. It isn’t. I certainly understand what you’re saying about smart meters. I agree, no say of it. I’m not happy about that either. You shouldn’t dump WiFi on this basis. No one should. I’m saying that WiFi is a lesser technology that is not as secure, as fast, or as stable.

                There are going to be MANY things that need to be done. If you’re going to refuse to give up your WiFi or smart phone then you will ALWAYS be vulnerable. There are other things though. Taking the initiative and going to the internet for an online survey (like survey monkey) on a website that isn’t even a site owned by the company you did business with is part of the problem. Agreeing to eat at restaurants where every table has a tablet with a microphone and camera is a problem. Facebook, Twitter, xbox, playstation, playstation network, are all problems. So is Apple and Microsoft. Online advertising is a very big part of the problem.

                There is so much of it that it all gets overwhelming. Why not take a step back and set it all down for a few minutes and take a breath?

                Much of it you can’t stop, control, or even switch off. I know. Try not to worry so much about any of that. Focus on what you can control. There is no requirement in life that says you MUST connect to just any ole WiFi (like Starbucks or Micky D’s). There is no requirement that says you must take that email seriously that says something bad will happen if you don’t forward it. There is no requirement that says you MUST use a router from your ISP. There is no requirement that says you MUST divulge your entire life on Facebook or allow Microsoft live video access into your child’s bedroom with a Kinect. No one is required to sign up with Ashley Madison either. My point is that you DO have some degree of control over what happens and what doesn’t.

                1. Nobody_Holme

                  Actually, it’s in one of my ISP’s terms of service that I DO have to use their router, and trying to replace it with something else (not actually hard to do undetected if you have know-how, although most don’t) is grounds for contract termination with all outstanding fees payable in full on the spot (or 6 months’, if you’re beyond the minimum contract period).

                  It’s rather pleasant of them, no?

                  1. peter

                    You might have to use their router (I’m in a similar situation) but that does NOT mean that you have to use their WiFi. I disabled WiFi on their router and use my own access point behind it (in bridge mode). Better performance, better security.

            2. piers7

              Mate the answer to the problem *cannot* be for everyone to build their own home firewall. I agree that that would be a legitimate reaction to much of the current market, but it’s clearly not an approach that scales.

              Users can legitimately expect products in the marketplace to do their job, and when they don’t (& publicly) the market eventually moves on.

              People didn’t care much for seatbelts to start with, now crash safety ratings can make or break sales for a model. It will get better… slowly.

          2. Mike

            In regards to Citadel:
            This can be handled with proper email handling and filtering out a list of websites and IP addresses.

            Sorry I didn’t include that in my previous post. But it really all comes down to doing the same stuff and NOT doing certain other stuff. I guess I should add that a large portion of this should be handled by the IT dept. But then for so many companies…..What IT dept.?

            This discussion should be had within the knowledge that most companies/CEO’s see the IT dept. as something they can do without, something they can outsource, or something they can give to a lesser skilled individual.

    2. Another Mike

      Ughhh… Aside from dealing in the superficially obvious regarding the topic of cybercrime, let’s deal with the superficially obvious in Mike’s message.

      Because “there” is an adverb and not a singular noun, I think he was trying to say the following. Note the period inside the quotes and that “guys” and “victims” are the subjects, respectively:

      There [are] and always [have] been “bad guys.” There [are] and always [have] been victims of the bad guys.

      Better writing in business will command more respect.

  5. sichER

    “According to Reuters, Calovskis changed his tune last week.”

    His lawyer already said in July 2013 in an interview that he didn’t create the malware but only improved it (speaking about the WebInject implementation).

    http://www.diena.lv/latvija/zinas/advokats-calovskis-virusu-nav-izstradajis-bet-tikai-uzlabojis-14015815

    Denying everything is always a smart move but doesn’t work after a specific point.

    Thank you for your other resources on Gozi / Neverquest / Vawtrak.

  6. Faro

    This malware stuff has many names and players. Guess the more you know the less you know. Checked out many of the links in this article. The first link “story in the Cyprus Mail” appears to be an old article. The site asks to accept cookies to view the site and improve user experience. Not sure I want a Cyprus newspaper following me around if that is who it is.

  7. jon

    couldn’t find a technical contact on this site. rss appears to be broken, at least on firefox 40.0.3.

  8. Fluff bomb

    Just to be paranoid, isn’t some spurious claim of cyber crimes a good way to gather a nation’s spies from other countries?
    Other than drama why would Russia complain so much?

  9. Kyle

    So Aquacrap finally got arrested, huh?

    He had left the field, at least superficially, when his source code was put out there. Reveton was its cousin.

    I’m dying to know the guy’s real name, his pictures, and how they’ve caught him. I guess they’re gonna now primarily focus on Zbot’s author now!

    Of course RT is going to say that, they’re like Pravda, Russotomaton!

    1. Kyle

      I should note they’ve replied the same manner, regarding good ol’ Gribo…

  10. NotMe

    So we can arrest the criminals that create malware and use it to steal millions, but we will look the other way when our guys create REGIN and use it to “gather” information about anyone.

    We only seem to get upset when we find out the good guys can see our private pictures or read our private chat, or look at our private adultery website memberships.

    I’m happy to see criminals captured and brought to court, but I just can’t get past the obvious duplicity.

  11. Marty

    Brian, did you eliminate your RSS feed? I had a link on my My Yahoo page that showed your latest postings. It hasn’t been working for a week or so.

    This is what it looks like

    http://www.krebsonsecurity.com/feed/

    Hope you can fix or reactivate it.
    Thanks.

  12. DES

    Do none of you actually care that the FBI was caught lying about getting a confession? Which BTW would not have happened in the US, because standard procedure is now to *not* record interrogations, precisely to avoid getting caught lying about them.

    BTW, the translation is pretty bad — barely a step above Google Translate — but it clearly (and correctly) states that “Mark” is in jail, not house arrest.